LDAP Group members can't login in elasticsearch

Hi Elastic Team,

I think I'm missing something here. The E456 uid can't log in to Elasticsearch even though it is a member of ou=people,ou=ec,o=world. But when using the E123 uid, login is successful. E456 and E123 belong to the same group, btw.

elasticsearch.yml

xpack.security.authc.realms.ldap.ldap01:
  order: 0
  url: "ldaps://example.example.com:636"
  user_dn_templates:
    - "uid={0},ou=people,ou=ec,o=world"
  group_search:
    base_dn: "ou=people,ou=ec,o=world"
  files:
    role_mapping: "/etc/elasticsearch/role_mapping.yml"
  unmapped_groups_as_roles: false

role_mapping.yml

superuser:
  - "ou=people,ou=ec,o=world"
  - "uid=E123,ou=people,ou=ec,o=world"

Hope someone can help. Thank you!

You'll need to share more information for any meaningful diagnosis, e.g. what the exact error is (401 or 403?), server-side trace or debug logs for the failure and success scenarios, exactly how you entered the username when authenticating, and perhaps the authenticate response for the successful user.

Hi Yang_Wang,

I'm getting this error when logging in as E456. But when logging in as E123, I'm directed to the Kibana web UI successfully.

I think this is likely a 403 authorization error. You can try adding the E456 user to your role mapping file, e.g.:

superuser:
  - "ou=people,ou=ec,o=world"
  - "uid=E123,ou=people,ou=ec,o=world"
  - "uid=E456,ou=people,ou=ec,o=world"

Yes, I actually did that and it is working. But what I planned to do is give access to multiple members, not only E123 and E456.

So what I'm trying to do is give access to all members of that LDAP group without manually typing all of them into role_mapping.yml.

You should check what you get in the Authenticate API response. The user's ldap groups are listed in the metadata. My guess is that the groups do not match ou=people,ou=ec,o=world which is why the entry is not working.

Hi Yang Wang,

Still stuck. :frowning: But here's a new log line from Elasticsearch. You can see the authentication is successful, but I'm still getting the error from the screenshot above.

[2022-10-17T14:23:58,629][DEBUG][o.e.x.s.a.RealmsAuthenticator] [host] Authentication of [E456] using realm [ldap/ldap01] with token [UsernamePasswordToken] was [AuthenticationResult{status=SUCCESS, value=User[username=E456,roles=[],fullName=null,email=null,metadata={ldap_dn=uid=E456,ou=people,ou=ec,o=world, ldap_groups=[]}], message=null, exception=null}]

Yeah, the issue is with authorization (role mapping), not authentication. Based on the log message, it is clear that your E456 user does not have any LDAP groups.

Maybe this user does not have permission to perform the group search. Or maybe you should search for groups at a higher level, i.e. instead of

  group_search:
    base_dn: "ou=people,ou=ec,o=world"

try

  group_search:
    base_dn: "ou=ec,o=world"
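To make the role-mapping logic concrete, here is an added script (written for this thread, not Elastic's own code) that parses RealmsAuthenticator DEBUG lines like the one posted above and applies the file-based mapping rule: an entry in role_mapping.yml only matches when it equals the user's own DN or one of the DNs returned in ldap_groups. The E123 line, the second E456 line and the cn=developers group DN are constructed to show what a successful group search would change.

```python
import re
# Constructed samples: line 1 is the DEBUG line posted in the thread; lines 2 and 3
# are hypothetical and differ only in ldap_groups (cn=developers is an assumed group DN).
LOG_LINES = [
    "[2022-10-17T14:23:58,629][DEBUG][o.e.x.s.a.RealmsAuthenticator] [host] Authentication of [E456] "
    "using realm [ldap/ldap01] with token [UsernamePasswordToken] was [AuthenticationResult{status=SUCCESS, "
    "value=User[username=E456,roles=[],fullName=null,email=null,metadata={ldap_dn=uid=E456,ou=people,ou=ec,o=world, "
    "ldap_groups=[]}], message=null, exception=null}]",
    "[2022-10-17T14:25:01,004][DEBUG][o.e.x.s.a.RealmsAuthenticator] [host] Authentication of [E123] "
    "using realm [ldap/ldap01] with token [UsernamePasswordToken] was [AuthenticationResult{status=SUCCESS, "
    "value=User[username=E123,roles=[],fullName=null,email=null,metadata={ldap_dn=uid=E123,ou=people,ou=ec,o=world, "
    "ldap_groups=[]}], message=null, exception=null}]",
    "[2022-10-17T14:30:12,771][DEBUG][o.e.x.s.a.RealmsAuthenticator] [host] Authentication of [E456] "
    "using realm [ldap/ldap01] with token [UsernamePasswordToken] was [AuthenticationResult{status=SUCCESS, "
    "value=User[username=E456,roles=[],fullName=null,email=null,metadata={ldap_dn=uid=E456,ou=people,ou=ec,o=world, "
    "ldap_groups=[cn=developers,ou=groups,ou=ec,o=world]}], message=null, exception=null}]",
]

# role_mapping.yml from the thread as a dict, plus one assumed group-DN entry.
ROLE_MAPPING = {
    "superuser": [
        "ou=people,ou=ec,o=world",                # an OU is neither a user DN nor a group DN
        "uid=E123,ou=people,ou=ec,o=world",       # exact user DN: matches E123 only
        "cn=developers,ou=groups,ou=ec,o=world",  # assumed group DN
    ],
}
_AUTH_RE = re.compile(r"Authentication of \[([^\]]+)\].*?ldap_dn=(.+?), ldap_groups=\[([^\]]*)\]")

def normalize_dn(dn):
    # Lower-case and drop spaces around commas so the textual comparison is tolerant.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_auth_log(line):
    # Returns (username, ldap_dn, [group DNs]) from a RealmsAuthenticator DEBUG line.
    m = _AUTH_RE.search(line)
    if not m:
        raise ValueError("not a RealmsAuthenticator result line")
    return m.group(1), m.group(2), [g for g in m.group(3).split(", ") if g]

def mapped_roles(ldap_dn, ldap_groups, mapping=ROLE_MAPPING):
    # A role applies when its list contains the user's own DN or any group DN the realm found.
    principals = {normalize_dn(ldap_dn)} | {normalize_dn(g) for g in ldap_groups}
    return sorted(r for r, dns in mapping.items() if any(normalize_dn(d) in principals for d in dns))

def diagnose(line, mapping=ROLE_MAPPING):
    # Returns (username, roles, reason) so an empty mapping result is explained.
    user, dn, groups = parse_auth_log(line)
    roles = mapped_roles(dn, groups, mapping)
    reason = "ok" if roles else ("group_search returned no groups" if not groups else "groups not in role_mapping.yml")
    return user, roles, reason
```

Running diagnose over the three lines shows E456 getting no role purely because ldap_groups is empty, while E123 is mapped through its explicit uid entry; the OU entry on its own never contributes.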

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.