LDAP groups within Kibana


(Grenouille06) #1

Hello friends, and first of all sorry for my English.

I use a trial license of ELK (5.1) and many functions are working great.

With X-Pack Security, native accounts and roles are working.

I tried an LDAP integration of ELK. Here is the LDAP part of the code of my elastic.yml:

(I have a group of users in LDAP named ELK_Users)

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldaps://xxxxxx1.company.org:636"
          bind_dn: "cn=Svc_ElasticSearch, ou=ElasticSearch, ou=Applications, dc=company, dc=com"
          bind_password: xxxxxxxxxxxxxxxxxx
          user_search:
            base_dn: "dc=company,dc=com"
            attribute: cn
          group_search:
            base_dn: "cn=ELK_Users,ou=ElasticSearch,ou=Applications,dc=company,dc=com"
          files:
            role_mapping: "CONFIG_DIR/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false
          ssl.verification_mode: none
          ssl.keystore.path: ["CONFIG_DIR/x-pack/Node01.jks"]
          ssl.keystore.password: xxxxxxxx
          ssl.keystore.key_password: xxxxxxxxxxxxxx

LDAP authentication works, but any account of my company could connect to Kibana, not only members of the group ELK_Users.

But in Kibana, the Discover page, Visualize page and Management are blank. The Monitoring page displays an access denied page:

You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles.

If you are attempting to access a dedicated monitoring cluster, this might be because you are logged in as a user that is not configured on the monitoring cluster.

I don't know how to match in Kibana the monitoring role with my LDAP group ELK_Users.
I tried this setting in role_mapping.yml but it failed:

monitoring_user:
  - "cn=ELK_Users,ou=ElasticSearch,ou=Applications,dc=company,dc=com"
kibana_user:
  - "cn=ELK_Users,ou=ElasticSearch,ou=Applications,dc=company,dc=com"

A big thanks for your help and advice :slight_smile:
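
An added example, not part of the original post and not X-Pack code: an offline checker for the role_mapping.yml layout shown above. It reports which roles a user's LDAP group DNs would receive and whether they include the two roles named in the Monitoring error. The DN normalization, the sample user and group DNs, and all function names are assumptions made for illustration.

```python
import re

# Constructed copy of the role_mapping.yml from the post (role -> list of DNs).
ROLE_MAPPING = """\
monitoring_user:
  - "cn=ELK_Users,ou=ElasticSearch,ou=Applications,dc=company,dc=com"
kibana_user:
  - "cn=ELK_Users,ou=ElasticSearch,ou=Applications,dc=company,dc=com"
"""
# Roles the Kibana error message on this page says Monitoring needs.
MONITORING_ROLES = {"kibana_user", "monitoring_user"}

def normalize_dn(dn):
    """Assumed simplification of DN matching: ignore case and spaces around separators."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        attr, _, value = part.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)

def parse_role_mapping(text):
    """Parse only the 'role:' / '- "dn"' layout; this is not a general YAML parser."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            if role is None:
                raise ValueError("DN listed before any role name: " + line)
            mapping[role].add(normalize_dn(line[1:].strip().strip("\"'")))
        elif line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, set())
        else:
            raise ValueError("unrecognized line: " + line)
    return mapping

def roles_for(mapping, user_dn, group_dns):
    """Roles granted when the user DN or any of its group DNs is listed under a role."""
    dns = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return {role for role, listed in mapping.items() if listed & dns}

def can_use_monitoring(roles):
    """True only when every role named in the Monitoring error is present."""
    return MONITORING_ROLES <= roles

if __name__ == "__main__":
    m = parse_role_mapping(ROLE_MAPPING)
    groups = ["CN=ELK_Users, OU=ElasticSearch, OU=Applications, DC=company, DC=com"]
    print(sorted(roles_for(m, "cn=alice,dc=company,dc=com", groups)))  # constructed user
```

A user whose groups match no listed DN gets an empty role set from `roles_for`, which is the case to check for accounts outside ELK_Users.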


(Lee Drengenberg) #2

I'm moving your post over to the Elasticsearch forum since Kibana only checks roles with Elasticsearch.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.