Ldap Realm elasticsearch 5.4

Hello,

I try to configure the x-pack with two groups coming from an LDAP, 1 with access in writing and another one in reading of the dashboards.

Here is the current configuration.

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://xxxxx.xx.xxx:xxx"
          bind_dn: "cn=xxx xxx"
          bind_password: xxx
          user_search:
            base_dn: "ou=applications,dc=xxx,dc=xxx"
          files:
            role_mapping: "/explproc/DEVELS1/elasticsearch/config/xpack/role_mapping.yml"
          unmapped_groups_as_roles: false
        native:
          type: native
          order: 1

pilwrite:
  - "cn=PIL_ADM,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"
pilread:
  - "cn=CAS_MANAGER,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"

It works when I specify the exact UID in role_mapping.yml (I have a hundred to authorize), but when I try to indicate the name of the LDAP group, it recognizes the identifiers but does not assign them any roles.

Thank you in advance for your assistance

Mehdi

It doesn't appear that you have configured your realm to extract groups from your directory.

Depending on how your directory is configured, you will either want to set:

  • user_group_attribute

or both

  • group_search.base_dn and
  • group_search.user_attribute
  • and maybe group_search.filter as well.

Those settings are explained at https://www.elastic.co/guide/en/x-pack/current/ldap-realm.html

For most directories, the group_search configuration is what you want to use, but without more details on how your directory is structured, I can't offer anything more specific.
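The following is an added illustration, not configuration from the original post or from Elastic: it shows the questioner's realm with a group_search section added, alongside a role_mapping.yml that maps the two group DNs to the two roles. The host, bind DN, base DNs and group names are placeholders taken from the post; the assumption that the groups store their members as full user DNs in a member-type attribute (so that a search filtered on the user's DN returns the groups) is mine and must be checked against the directory, as the answer above notes.

```yaml
# elasticsearch.yml (added example; placeholders copied from the post)
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://xxxxx.xx.xxx:xxx"
          bind_dn: "cn=xxx xxx"
          bind_password: xxx
          user_search:
            # Where user entries live; the realm finds the user's DN here first.
            base_dn: "ou=applications,dc=xxx,dc=xxx"
          group_search:
            # Where group entries live. Assumption: the two groups sit under
            # cn=pilotageTempsReel, so searching from there keeps the query small
            # and avoids returning unrelated groups from the whole directory.
            base_dn: "cn=pilotageTempsReel,ou=applications,dc=xxx,dc=xxx"
            # Optional: only needed if the group's member attribute does not hold
            # the user's full DN. Left commented so the default (user DN) applies.
            # user_attribute: uid
            # Optional: override the default filter if your groups use an
            # unusual object class or membership attribute.
            # filter: "(&(objectclass=groupOfNames)(member={0}))"
          files:
            role_mapping: "/explproc/DEVELS1/elasticsearch/config/xpack/role_mapping.yml"
          # Keep false: only groups listed in role_mapping.yml become roles,
          # so an unexpected group cannot silently grant access.
          unmapped_groups_as_roles: false
        native:
          type: native
          order: 1

# role_mapping.yml (added example): role name -> list of group DNs
# The DN on the right must match the group entry exactly as the directory
# returns it (same RDN order and case-insensitive values), or no role is assigned.
# pilwrite:
#   - "cn=PIL_ADM,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"
# pilread:
#   - "cn=CAS_MANAGER,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"
```

Two checks worth doing before restarting the node: bind to the directory with the same bind_dn and confirm it is allowed to read the group entries under the group_search base (a bind account that can read users but not groups produces exactly the symptom described, a successful login with no roles), and confirm that the DN strings in role_mapping.yml are the ones the directory returns for those groups rather than a display name.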
