PKI chain realms

pkward · October 19, 2021, 5:39pm

I want to add two PKI authentication realms in order to map each one to a specific role-mapping. I know I can create a realm chain, but I'm in need of help with setting up my secondary PKI realm using the OU name. For example, the PKI users PKI will look something like this:

CN=Doe John D,OU=People,OU=Google,OU=ITAdmin,OU=IT,O=U.S.

I'm looking to authenticate all users with OU=ITAdmin to a specific role mapping. I've already created the role mapping.

TimV · October 20, 2021, 3:38am

Why do you want to do this with 2 realms? Do you have 2 different CAs?

pkward · October 20, 2021, 10:54am

@TimV I want to do 2 realms so users can automatically be assigned a role-mapping based on a specific OU group in their PKI. I know I can add user's individually explicitly, but that can become a little tedious with over 100 users. In addition, we're not using LDAP or Active Directory which could also probably be useful in assigning a group of users to a role-mapping. I saw in the Elastic docs where you could specify two LDAP realms in the Realm chain, but just wanted to know if this was possible using the PKI realm. I've created two spaces where one is for a specific user, and a general space where any user with PKI can automatically access. The general PKI authentication works for the general space, but I would like to also have users to authenticate against a second PKI realm if they meet a certain criteria which in this case based on the OU.

pkward · October 20, 2021, 11:46am

@TimV question, instead of mapping the full subject name to a role-mapping is it possible to do something like below?

curl -k -XPUT -u elastic https://localhost:9200/_security/role_mapping/<role-mapping name> -H "Content-Type: application/json" -d '{
  "roles" : [ "<role-mapping>" ],
  "rules" : {
    "field" : {
      "dn" : "OU=ITAdmin"
    }
  },
  "enabled": true
}'

pkward · October 20, 2021, 1:49pm

I see there is a way to create user_dn_templates for LDAP realm, is there something similar in PKI realm? Something like cn={0},OU=People,OU=Google,OU=ITAdmin,OU=IT,O=U.S.

system · November 17, 2021, 1:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is it possible to connect to different ldap realm? Elasticsearch elastic-stack-security	5	413	June 10, 2020
Using PKI realms with email role_mapping Elasticsearch	2	507	June 8, 2018
PKI realm rolemapping Elasticsearch elastic-stack-security	5	436	October 30, 2019
Role mapping and Custom Security realm Elasticsearch	4	788	February 19, 2018
LDAP multiple realms Elasticsearch	5	1057	August 28, 2018

PKI chain realms

Related topics