Ldap Realm elasticsearch 5.4


(Mehdi Chilla) #1

Hello,

I am trying to configure X-Pack with two groups coming from an LDAP, one with write access and another with read access to the dashboards.

Here is the current configuration.

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://xxxxx.xx.xxx:xxx"
          bind_dn: "cn=xxx xxx"
          bind_password: xxx
          user_search:
            base_dn: "ou=applications,dc=xxx,dc=xxx"
          files:
            role_mapping: "/explproc/DEVELS1/elasticsearch/config/xpack/role_mapping.yml"
          unmapped_groups_as_roles: false
        native:
          type: native
          order: 1

pilwrite:
  - "cn=PIL_ADM,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"
pilread:
  - "cn=CAS_MANAGER,cn=pilotageTempsReel,ou=applications,dc=xx,dc=xx"

It works when I specify the exact UID in role_mapping.yml (I have a hundred to authorize), but when I try to indicate the name of the LDAP group, it recognizes the identifiers but does not assign them any roles.

Thank you in advance for your assistance

Mehdi


(Tim Vernum) #2

It doesn't appear that you have configured your realm to extract groups from your directory.

Depending on how your directory is configured, you will either want to set:

  • user_group_attribute

or both

  • group_search.base_dn and
  • group_search.user_attribute
  • and maybe group_search.filter as well.

Those settings are explained at https://www.elastic.co/guide/en/x-pack/current/ldap-realm.html

For most directories, the group_search configuration is what you want to use, but without more details on how your directory is structured, I can't offer anything more specific.
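The following is an added example of what the realm from the first post looks like once group lookup is configured the way the reply describes; it is not the original poster's file and not taken from Elastic's documentation. Hostnames, DNs and the bind password are placeholders, and the `group_search.filter` assumes the groups are `groupOfNames` entries whose `member` attribute holds the user's full DN (adjust the object class and attribute to match the actual directory schema). The second YAML document is the role mapping with the same two roles, which must also be defined as roles (in roles.yml or via the native realm) for the mapping to have any effect.

```yaml
# elasticsearch.yml (added example with placeholder values, not the thread's own file)
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldap.example.internal:389"          # placeholder
          bind_dn: "cn=elastic-bind,ou=applications,dc=example,dc=internal"  # placeholder
          bind_password: "CHANGE_ME"                        # placeholder
          user_search:
            base_dn: "ou=applications,dc=example,dc=internal"
          # Option 1: the user entry itself lists its group DNs (e.g. an Active
          # Directory style memberOf attribute). Use this instead of group_search.
          # user_group_attribute: memberOf
          # Option 2: search the group subtree for entries that reference the user.
          group_search:
            base_dn: "cn=pilotageTempsReel,ou=applications,dc=example,dc=internal"
            scope: sub_tree
            # {0} is substituted with the user's DN (or with user_attribute, if set).
            # Assumes groupOfNames/member; change to match the directory schema.
            filter: "(&(objectClass=groupOfNames)(member={0}))"
            # user_attribute: uid   # only if groups store a uid value, not a full DN
          files:
            role_mapping: "/explproc/DEVELS1/elasticsearch/config/xpack/role_mapping.yml"
          # Keep false so that only groups listed in role_mapping.yml grant roles.
          unmapped_groups_as_roles: false
        native:
          type: native
          order: 1
---
# role_mapping.yml (same two roles as the thread, placeholder DNs)
# key: role name; list entries: group DNs (or individual user DNs) that get the role.
# The group DN must match the DN the directory returns for the group.
pilwrite:
  - "cn=PIL_ADM,cn=pilotageTempsReel,ou=applications,dc=example,dc=internal"
pilread:
  - "cn=CAS_MANAGER,cn=pilotageTempsReel,ou=applications,dc=example,dc=internal"
```

After restarting the node, authenticating as one of the LDAP users and calling `GET _xpack/security/_authenticate` returns the roles that were actually resolved for that user; an empty `roles` list means the group lookup or the DN in role_mapping.yml still does not match what the directory returns.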


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.