Roles problem with x-pack and LDAP

stack-security
(DevXoo) #1

Hi, I have a problem with the Kibana/Elasticsearch roles.
I enabled X-Pack on Kibana and then connected my LDAP server (OpenDJ) to Elasticsearch.

In elasticsearch.yml I inserted these lines:

xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://192.168.1.18:389"
          bind_dn: "cn=Directory Manager"
          bind_password: "firsttest"
          user_search:
            base_dn: "dc=example,dc=com"
            filter: "(cn={0})"
          group_search:
            base_dn: "dc=example,dc=com"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false

In role_mapping.yml I inserted:

monitoring:
  - "cn=admin,dc=example,dc=com"
user:
  - "cn=user,dc=example,dc=com"

And my LDAP is:

dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
o: myorganization

dn: cn=admin,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admin

dn: cn=firstuser,cn=admin,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: firstuser
sn: firstuser
userPassword: {SSHA}<password>

dn: cn=user,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: user

dn: cn=seconduser,cn=user,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: seconduser
sn: seconduser
userPassword: {SSHA}<password>

The problem is that when I try to log in as "firstuser" I can access Kibana, but I get this error: "You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles"

Where am I wrong?

Thank you

(Ioannis Kakavas) #2

Please use </> or backticks (`) to format your message instead of quotes. This will allow you to maintain formatting and will be much easier to read. It would be great if you could update your post.

The error message tells you that your user needs to have the kibana_user and the monitoring_user roles.

Your role mapping

monitoring:
- "cn=admin,dc=example,dc=com"
user:
- "cn=user,dc=example,dc=com"

is assigning the monitoring role to the members of the cn=admin,dc=example,dc=com group and the user role to the members of the cn=user,dc=example,dc=com group.

In your LDAP, neither your cn=user,dc=example,dc=com group nor your cn=admin,dc=example,dc=com group contains any members.

So, you need to correct a few things:

  • Add your firstuser to the cn=user,dc=example,dc=com group in your LDAP.
  • Give the users of your cn=user,dc=example,dc=com group the correct roles in role mapping with the following rules:
    monitoring_user:
      - "cn=user,dc=example,dc=com"
    kibana_user:
      - "cn=user,dc=example,dc=com"

As a side note, I'd suggest that you look into the role mapping API and potentially use it instead of file-based role mappings.

(DevXoo) #3

Hi ikakavas,

I have the 'firstuser' under 'cn=admin,dc=example,dc=com':

dn: cn=firstuser,cn=admin,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: firstuser
sn: firstuser
userPassword: {SSHA}<password>

In fact, if I modify the roles as follows it works fine:

monitoring_user:
  - "cn=firstuser,cn=admin,dc=example,dc=com"
kibana_user:
  - "cn=firstuser,cn=admin,dc=example,dc=com"

Do I have to insert the user name in the file "role_mapping.yml"? Is this the right way?

Thank you

(Ioannis Kakavas) #4

This is not the same as the user being a member of the group. You can read more on LDAP group membership; this is unrelated to Elasticsearch (see for example https://ldapwiki.com/wiki/LDAP%20Group ).

Our role mapping works with either user DNs or group DNs, as you can read in the documentation. What you did works, but will only work for your firstuser, as you have specified them by user DN.

(DevXoo) #5

I added the user to the group and now it works fine.

I added this attribute to the 'admin' group: "member: cn=firstuser,cn=admin,dc=example,dc=com"

Thank you for your support
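As an added illustration (not code from the thread or from Elasticsearch), the model below resolves roles the way the file-based role mapping discussed above does: a mapped DN matches either the user's own DN or a group that lists the user in its `member` attribute. The directory entries mirror the thread's LDIF; the final role mapping is assumed to target the `cn=admin` group the user was added to, and the DN matching is a simplification of a real LDAP server's comparison rules.

```python
# Model of Elasticsearch file-based role mapping resolution (added example,
# not the real implementation). DNs are compared after simple normalisation.
from typing import Dict, List, Set

Directory = Dict[str, Dict[str, List[str]]]   # DN -> attribute -> values
RoleMapping = Dict[str, List[str]]            # role -> mapped user/group DNs


def norm(dn: str) -> str:
    """Normalise a DN for comparison (case and spacing around commas)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


# Constructed directory matching the thread's LDIF. "firstuser" sits *under*
# the cn=admin entry in the tree, but the group itself lists no members.
DIRECTORY: Directory = {
    "cn=admin,dc=example,dc=com": {"objectClass": ["groupOfNames", "top"]},
    "cn=firstuser,cn=admin,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=user,dc=example,dc=com": {"objectClass": ["groupOfNames", "top"]},
    "cn=seconduser,cn=user,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}

# Constructed role_mapping.yml content (assumed: both roles mapped to the
# admin group, since that is the group firstuser was finally added to).
ROLE_MAPPING: RoleMapping = {
    "monitoring_user": ["cn=admin,dc=example,dc=com"],
    "kibana_user": ["cn=admin,dc=example,dc=com"],
}

REQUIRED_FOR_MONITORING = {"kibana_user", "monitoring_user"}  # from the Kibana error


def groups_of(directory: Directory, user_dn: str) -> Set[str]:
    """Groups whose 'member' attribute lists the user (what group_search finds).
    Position in the tree ("cn=firstuser,cn=admin,...") alone does not count."""
    u = norm(user_dn)
    return {norm(dn) for dn, attrs in directory.items()
            if any(norm(m) == u for m in attrs.get("member", []))}


def resolve_roles(directory: Directory, mapping: RoleMapping, user_dn: str) -> Set[str]:
    """Roles whose mapped DN is the user's own DN or one of the user's groups."""
    subject_dns = {norm(user_dn)} | groups_of(directory, user_dn)
    return {role for role, dns in mapping.items()
            if any(norm(d) in subject_dns for d in dns)}


def can_access_monitoring(roles: Set[str]) -> bool:
    """Kibana Monitoring requires both roles named in the error message."""
    return REQUIRED_FOR_MONITORING <= roles


def add_member(directory: Directory, group_dn: str, user_dn: str) -> None:
    """Equivalent of the thread's fix: add 'member: <user_dn>' to the group."""
    directory.setdefault(group_dn, {}).setdefault("member", []).append(user_dn)
```

Before `add_member` is applied, `resolve_roles` returns an empty set for firstuser; mapping the user's own DN (post #3) grants the roles to that single user only, while adding the `member` attribute grants them through the group.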

(system) closed #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.