Role_mapping file not able to point users if it does not have full DN

While configuring Elasticsearch with LDAP authentication, I am able to connect LDAP users and get them authenticated with the following configuration.

elasticsearch.yml:

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://192.168.56.101:389"
            user_dn_templates:
              - "uid={0},ou=People,dc=example,dc=com"
              - "uid={0},cn=guiusers,dc=example,dc=com"
            group_search:
              base_dn: "dc=example,dc=com"

and below is the role_mapping.yml entry:

monitoring: 
  - "ou=People,dc=example,dc=com"
  - "uid=engineer,ou=People,dc=example,dc=com"

Now, I have 2 users (ksarkar, engineer) under the LDAP location cn=guiusers,dc=example,dc=com,
but neither user is present locally in Kibana users.

Using the above configuration,
I can connect as "engineer" but not as "ksarkar". I receive the error below in the browser for ksarkar (not present in role_mapping.yml):

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Is it mandatory to map every user in the "role_mapping.yml" file?

If not, then what would be the correct configuration to facilitate log-in from the Kibana GUI, where:

  1. Users are only present in LDAP.
  2. Role <> group is mapped in the role_mapping.yml file down to the group, not the user.

You can either use user DNs or group DNs in the role mapping file. engineer works because you mention that user DN explicitly ("uid=engineer,ou=People,dc=example,dc=com").
ou=People,dc=example,dc=com is an Organizational Unit and not a Group, though, and you can't use an OU to say "everyone under this OU should get the role".

Add all the users you want to an LDAP Group and reference that group DN in the role mapping file.

Thank you. Let me try this.

As mentioned above, I created two users in my LDAP server as below:

uid=maxdev,cn=Users,ou=Group,dc=example,dc=com
uid=techdev,cn=Users,ou=Group,dc=example,dc=com

The role mapping table entry is:

monitoring:
  - "cn=Users,ou=Group,dc=example,dc=com"
  - "uid=techdev,cn=Users,ou=Group,dc=example,dc=com"
  - "uid=ksarkar,cn=guiusers,dc=example,dc=com"

elasticsearch.yml xpack conf entry:

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://192.168.56.101:389"
            user_dn_templates:
              - "uid={0},cn=Users,ou=Group,dc=example,dc=com"
              - "cn={0},cn=Admins,ou=Group,dc=example,dc=com"
              - "cn={0},cn=Manager,ou=Group,dc=example,dc=com"
              - "uid={0},ou=People,dc=example,dc=com"
            group_search:
              base_dn: "dc=example,dc=com"

When I mention the user's full DN, Elasticsearch can map the group, but in the case of a uid under the group (not mentioning the full DN) it can't relate the group.

engineer@~ $ > curl -u techdev:techdev -X GET "http://192.168.56.101:9200/_xpack/security/_authenticate"
{"username":"techdev","roles":["monitoring"],"full_name":null,"email":null,"metadata":{"ldap_dn":"uid=techdev,cn=Users,ou=Group,dc=example,dc=com","ldap_groups":[]},"enabled":true,"authentication_realm":{"name":"ldap1","type":"ldap"},"lookup_realm":{"name":"ldap1","type":"ldap"}}

engineer@~ $ > curl -u maxdev:maxdev -X GET "http://192.168.56.101:9200/_xpack/security/_authenticate"
{"username":"maxdev","roles":[],"full_name":null,"email":null,"metadata":{"ldap_dn":"uid=maxdev,cn=Users,ou=Group,dc=example,dc=com","ldap_groups":[]},"enabled":true,"authentication_realm":{"name":"ldap1","type":"ldap"},"lookup_realm":{"name":"ldap1","type":"ldap"}}

Can anyone please help with this?

This is not how LDAP groups work; you just created an Organizational Unit that you named Group and put your users under it.

This is basically a question of how to setup your LDAP directory and LDAP internals are slightly outside the scope of these forums. I'd start from here: https://ldapwiki.com/wiki/LDAP%20Group and read through to gain some basic understanding.
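Both answers above come down to one rule: the file-based role mapping is compared against the user's own DN and against the DNs of the groups that list that user as a member (which is why the `ldap_groups` array in the `_authenticate` output above stays empty when the users only sit under an OU). The following is an added example, not code from the thread or from Elasticsearch: a toy model of that resolution over a constructed LDIF directory containing a real `groupOfNames` group. The LDIF, the DN normalisation and the matching logic are simplified assumptions made for illustration.

```python
"""Toy model of file-based role mapping resolution (added example, not
Elasticsearch's code). Shows that an OU never grants a role: a mapped DN
must equal the user DN or the DN of a group that lists the user as member."""
from collections import defaultdict

# Constructed directory: users under ou=People, one real group (groupOfNames)
# whose member attributes point at the users' full DNs.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=maxdev,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: maxdev

dn: uid=techdev,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: techdev

dn: uid=ksarkar,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: ksarkar

dn: cn=monitoring-users,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=maxdev,ou=People,dc=example,dc=com
member: uid=techdev,ou=People,dc=example,dc=com
"""

# Constructed role_mapping.yml content as a dict. The OU line is the mistake
# from the thread: no user or group has that exact DN, so it matches nothing.
ROLE_MAPPING = {
    "monitoring": [
        "ou=People,dc=example,dc=com",                      # OU: never matches
        "uid=techdev,ou=People,dc=example,dc=com",          # explicit user DN
        "cn=monitoring-users,ou=Groups,dc=example,dc=com",  # group DN
    ],
}

GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}
MEMBER_ATTRS = {"member", "uniquemember"}  # attributes a group_search looks at


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators (assumed
    approximation of DN comparison; real servers use matching rules)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes kept as lists; keyed by normalised DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = dict(attrs)
    return entries


def groups_of(user_dn: str, entries: dict) -> list:
    """DNs of group entries whose member/uniqueMember contains user_dn.
    OUs and other containers are skipped: they have no member attribute."""
    user = normalize_dn(user_dn)
    found = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & GROUP_CLASSES:
            continue
        members = {normalize_dn(m) for a in MEMBER_ATTRS for m in attrs.get(a, [])}
        if user in members:
            found.append(dn)
    return found


def resolve_roles(user_dn: str, group_dns: list, mapping: dict) -> list:
    """Grant a role when one of its mapped DNs equals the user DN or one of the
    user's group DNs. There is no prefix or subtree matching."""
    candidates = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    return sorted(role for role, dns in mapping.items()
                  if any(normalize_dn(d) in candidates for d in dns))


def roles_for(uid: str, ldif: str = SAMPLE_LDIF, mapping: dict = ROLE_MAPPING) -> list:
    """End to end: build the DN from a template, find groups, map roles."""
    entries = parse_ldif(ldif)
    user_dn = f"uid={uid},ou=People,dc=example,dc=com"  # user_dn_templates step
    if normalize_dn(user_dn) not in entries:
        raise LookupError(f"no such user: {user_dn}")
    return resolve_roles(user_dn, groups_of(user_dn, entries), mapping)


if __name__ == "__main__":
    for uid in ("maxdev", "techdev", "ksarkar"):
        print(uid, roles_for(uid))
```

Running it gives `monitoring` for maxdev (via the group) and techdev (via the explicit user DN and the group), and no roles for ksarkar even though the mapping names the OU that contains him. Replacing the OU with a `groupOfNames` DN, and adding the users as `member` values, is the fix the thread arrives at.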

Thank you Ioannis for pointing out the issue.

Setting the top-level one as a group in LDAP resolves the issue.
