LDAP user, local group?

Turbo_Fredriksson · February 10, 2018, 12:07pm

I have a user in LDAP (can authenticate fine), but this is a "simple" user ("person" and "uidObject" object classes only).

How can I add this user to a local ('file') group? Is there any LDAP schema that I can use to add an attribute to the user to mapp it to the local group?

How can I give an LDAP user access to "something"? The documentation only talks about mapping groups and roles, but not how to setup those groups/roles..

TimV · February 12, 2018, 4:22am

Let me start by clarifying some terminology that is used in X-Pack security:

groups only exist outside of X-Pack. The are groups in your LDAP tree, or provided in a SAML assertion. X-Pack itself has no notion of a group, except as something that is provided by your external identity provider.
roles exist within X-Pack. The simplest definition of a role is that is is a named collection of permissions. Assigning roles to users is the means by which you grant them permissions.

Not all identity providers have a concept of "groups". There are no groups for Native users, or File users, or PKI users. If you identity provider does not provide a list of groups, that's fine, you just map users directly to roles.

However, I would surprised to find that your LDAP server does not support groups. Groups in LDAP operate in the reverse way to most people's expections - Users aren't in groups, Groups contain users.

A user with an objectClass of person can be a member of a groupOfNames object - all it needs is a distinguishedName (which it must have).

I don't know whether your directory actually has any groups, but it should have the capability.

However, if you can't use groups from your directory, you just need to map by user (userid/DN) instead.
Both the role mapping file and the role mapping API support assigning roles directly to users:

https://www.elastic.co/guide/en/x-pack/6.2/mapping-roles.html

Turbo_Fredriksson · February 12, 2018, 2:10pm

That's all well and good, but how do role and a group "match"? Do they have to have the same name?

Say I have the LDAP group "admins", do I also have to have/create the ES role "admins" (which will then contain the ES access controls)? Or can I call the role something else? If so, how to I "mapp" the two?

Can I add the ES access control directly in LDAP [group]?

I've read up on mappings, but they're not very clear. It only say "this is how you map groups, add the DN to the groups in this file". Nothing else!

TimV · February 13, 2018, 3:16am

I'm sorry, but that's simply untrue.
The link I posted has about 12 pages of documentation including examples that specifically cover your questions.

That's what role mapping provides, via a file, or via an API. Here's an example taken directly from the documentation:

the following snippet uses the file-based method to map the admins group to the monitoring role and map the John Doe user, the users group, and the admins group to the user role.

monitoring: 
  - "cn=admins,dc=example,dc=com" 
user:
  - "cn=John Doe,cn=contractors,dc=example,dc=com" 
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"

monitoring and user are Elasticsearch roles.
cn=admins,dc=example,dc=com and cn=users,dc=example,dc=com are LDAP groups
cn=John Doe,cn=contractors,dc=example,dc=com is an LDAP user.

Turbo_Fredriksson · February 13, 2018, 7:25pm

In retrospect, this all sounds perfectly easy and simple. I still think the documentation is slightly unclear on the subject, but I understand it now so I'm willing to let that slide..

Thanx for the clarifications!

system · March 13, 2018, 7:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.