LDAP group authentication for Kibana


(Stecino) #1

I need to be able to allow anyone in group x in ActiveDirectory.

CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com

In my elasticsearch.yml I have

```yaml
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://blah.com"
        user_dn_templates:
          - "CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com"
        group_search:
          base_dn: "DC=corp,DC=example,DC=com"
        files:
          role_mapping: "/role_mapping.yml"
        unmapped_groups_as_roles: false
```

where role_mapping.yml is

```yaml
admin:
CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com
```

In my Kibana installation directory under shield/ I have

role_mapping.yml

```yaml
admin:
CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com
```

At the moment I can't get this working, what else am I missing?


(Jon Budzenski) #2

What errors are you running into?

On first glance, in role_mapping.yml it looks like it wants group: [ ],

```yaml
admin:
  - CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com
```

The role_mapping path looks suspect too, I have a hunch it's treating that as an absolute path.
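The list layout suggested in the reply above, checked by a small linter. This is an added example, not code from the thread or from Shield; the function names, the minimal line-based parser and the case-insensitive DN comparison are assumptions of the example and cover only the "role: list of group DNs" layout shown here.

```python
import re

# Constructed samples: BROKEN mirrors the mapping from the question (DN as a
# bare line under the role), FIXED uses the list form from the reply.
BROKEN = """admin:
CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com
"""
FIXED = """admin:
  - "CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com"
kibana4_server:
  - "CN=KibanaServer,OU=Security,OU=Groups,DC=corp,DC=example,DC=com"
"""

ROLE = re.compile(r"^([A-Za-z0-9_.-]+):\s*$")            # "role:" at column 0
ITEM = re.compile(r"^\s+-\s+(.+?)\s*$")                   # indented "- value"
DN = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")  # loose DN shape check


def lint_role_mapping(text):
    """Return (mapping, problems) for the 'role: list of DNs' layout only."""
    mapping, problems, role = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if (m := ROLE.match(line)):
            role = m.group(1)
            mapping.setdefault(role, [])
        elif (m := ITEM.match(line)) and role:
            dn = m.group(1).strip("\"'")
            if DN.match(dn):
                mapping[role].append(dn)
            else:
                problems.append(f"line {n}: not a DN: {dn!r}")
        else:
            problems.append(f"line {n}: expected an indented '- <group DN>' item")
    problems += [f"role {r!r} maps to no groups" for r, d in mapping.items() if not d]
    return mapping, problems


def roles_for(mapping, group_dns):
    """Roles granted by any of the user's group DNs (case-insensitive match)."""
    have = {g.lower() for g in group_dns}
    return sorted(r for r, dns in mapping.items() if any(d.lower() in have for d in dns))


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_role_mapping(text))
```

Running the linter against the mapping file before restarting a node shows whether a role ends up with no group DNs at all.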


(Stecino) #3

It's actually working now, I updated role_mapping.yml. One thing I noticed was that since I am using F5 Load Balanced VIPs for my query nodes and my Kibana servers are pointing to that, there were authentication token issues. So I had to enable persistent session on the load balancer level. So it's working with this role mapping

```yaml
admin:
  - "CN=SiteReliability,OU=Roles,OU=Groups,DC=corp,DC=example,DC=com"

kibana4_server:
  - "CN=KibanaServer,OU=Security,OU=Groups,DC=corp,DC=example,DC=com"
```

My question was the following: if from now on I want to add a user or a group that will have access based on the role, do I update user_dn_templates in elasticsearch.yml, or do I just update role_mappings.yml, where roles, I have noticed, are reloaded by ElasticSearch? Is roles.yml also reloaded by ES?

