LDAP group seems not to work

security

#1

Hi everyone,

I use an LDAP server to authenticate my users to Kibana.
The thing is ALL users can access Kibana, not only the members of my 'restict_group_kibana' LDAP group.

In the elasticsearch.yml I have:

```yaml
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://ldap_server:ldap_port"
        bind_dn: "uid=kibana-server,ou=Profils,ou=Logs,ou=Applications,dc=exemple,dc=com"
        bind_password: "Apassword"
        user_dn_templates:
          - "uid={0},ou=city1,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com"
          - "uid={0},ou=city2,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com"
          - "uid={0},ou=city3,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com"
          - "uid={0},ou=Profils,ou=Logs,ou=Applications,dc=exemple,dc=com"
        group_search:
          base_dn: "cn=restict_group_kibana,ou=Profils,ou=Logs,ou=Applications,dc=exemple,dc=com"
```

In fact, all users that are in city1, city2 and city3 can access Kibana!

When I try an ldapsearch with a user, I don't get any memberOf or memberGroup entry.

```
# base <,ou=city1,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com> with scope subtree
# filter: uid=x156223
# requesting: ALL

# user1, city1,users exemple,technical,people,exemple,dc=com
dn: uid=user1,ou=city1,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com
ntUserLastLogon: 131243605008307064
ntUserLastLogoff: 0
mail: user1@exemple.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: user1
sn:
l: city1
title: Administrateur WEB
description: Administrateur WEB
postalCode:
givenName:
street:
cn:
ntUserCodePage: 0
ntUserParms::
ntUserAcctExpires:
ntUserDomainId: user1
ntUniqueId:

# search result
search: 2
result: 0 Success

# numResponses: 2
```

When I try ldapsearch with my group restict_group_kibana, I can see the following:

```
# restict_group_kibana, Profils, Logs, Applications, exemple.com
dn: cn=restict_group_kibana,ou=Profils,ou=Logs,ou=Applications,dc=exemple,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: restict_group_kibana
uniqueMember: uid=user1,ou=city1,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com
uniqueMember: uid=user2,ou=city1,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com
uniqueMember: uid=user3,ou=city2,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com
uniqueMember: uid=user4,ou=city3,ou=users exemple,ou=technical,ou=people,dc=exemple,dc=com
```

I'm a bit lost on what happens and how to solve it. It is like Elasticsearch doesn't parse the group_search configuration :disappointed_relieved:

Thanks a lot for any help, and don't hesitate to ask if more info is relevant.

Best Regards,
Del


(Jay Modi) #2

Hi @Del,

I apologize for the delay. I took a look at your realm configuration and the first thing I wanted to let you know is that the bind_dn and bind_password are not used in the setup where user_dn_templates is used. The bind user is only used when the user_search ldap is used.

When you say access Kibana, do you mean they can log in or they can do everything? What does your role mapping look like? Can you set the log level for Shield to debug and then get the LDAP group mapping results from the log file when a user that should not be allowed to accesses it? See https://www.elastic.co/guide/en/shield/current/troubleshooting.html#_ldap


(Tim Vernum) #3

@Del

From your description, it seems as though you're expecting group_search.base_dn to act as a restriction on who can authenticate to the LDAP server. That isn't how this setting functions.

The group_search.base_dn is used to determine which LDAP groups a user belongs to, but that does not affect whether the user can authenticate. Specifically, your setup will mean that uid=user1,ou=city1,... can authenticate and will be a member of restrict_group_kibana, but also user uid=user9,ou=city1,... can authenticate and will be a member of no groups.

Once a user has authenticated against the LDAP server, and Elasticsearch knows which LDAP groups they are a member of, the next step is to determine which roles those LDAP groups map to, and which permissions are assigned to those roles.

It is that mapping to roles and permissions that ultimately controls what a user can do in Elasticsearch/Kibana.

For details on mapping LDAP groups to Elasticsearch roles see: https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html

For details on defining the permissions for an Elasticsearch role see: https://www.elastic.co/guide/en/x-pack/current/defining-roles.html
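As an added illustration (not from the thread or the Elastic docs) of the role mapping step described above, here is a role_mapping.yml that grants a role only to members of the group from the original post. The file path and the role name `kibana_access` are assumptions; the role itself still has to be defined with the privileges Kibana needs.

```yaml
# Added example, not from the thread. Assumed path: config/shield/role_mapping.yml
# (config/x-pack/role_mapping.yml on X-Pack 5.x). Each key is an Elasticsearch
# role name; the list holds the LDAP group DNs (or user DNs) that receive it.
#
# How this combines with the realm in the original post:
#   1. user_dn_templates decide which DNs may *authenticate* (bind), so any
#      uid under ou=city1/city2/city3 with a valid password gets past login.
#   2. group_search (default filter "(|(uniqueMember={0})(member={0}))",
#      default scope sub_tree) resolves the groups that list the user's DN;
#      restict_group_kibana is a groupOfUniqueNames, so uniqueMember matches.
#   3. This file maps the resolved group DN to a role. A user such as user9,
#      who can bind but is not a uniqueMember, resolves to no groups, is
#      mapped to no roles and is therefore denied by authorization.
#
# "kibana_access" is an assumed role name: define it in roles.yml (or via the
# role API) with the cluster/index privileges Kibana requires, per the
# defining-roles link above. The DN must match the group entry exactly.
kibana_access:
  - "cn=restict_group_kibana,ou=Profils,ou=Logs,ou=Applications,dc=exemple,dc=com"
```

With `shield` logging at debug, as suggested earlier in the thread, the resolved group list for each login shows whether step 2 returned the group DN that this file expects.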


#4

Hello, thanks to both of you for your replies.

OK @jaymode, don't worry, there's no delay!!!! I removed the bind parameters and OK, it works just fine :slight_smile:

@TimV
It is clearer now.

So is there a way to restrict access from the authentication page, based on group members only?
-> What if I declare a user_search instead of templates with the group I previously declared under group_search.base_dn?
Is it searching in the member list of this group?

If not, then I don't have any choice but to accept the fact that all users can log on but will land on an 'error page' if they are not in the group restrict_group_kibana.

Del.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.