Using sAMAccountName instead of CN in role mapping file?


(Yu Watanabe) #1

Hello.

I would like to ask a question about the role_mapping file. Our environment uses the LDAP authentication module.

First I understand that you will need to map distinguished name (User or Group object ) to kibana roles.

https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html

However, I have two obstacles for role mapping.

  1. Group object mapping is not an option because the group name includes Japanese characters (multibyte)

  2. We are reluctant to use User object mapping because the CN (user name) includes a department ID which may change quite often

Therefore, since sAMAccountName remains stable, I would like to map the kibana role to sAMAccountName.

Is this possible?


(Tim Vernum) #2

This is not possible in current releases, but improvements to role mapping are a priority for us, and we hope to offer a better solution in the near future.

This is not intentional - you ought to be able to define role mappings for multibyte characters, if it doesn't work then that's a bug/oversight.

I'll have a look internally, but it would be helpful if you could file a support case and provide a clear reproduction of the problem.


(Yu Watanabe) #3

@TimV

I will look forward to it. Our customer's case looks quite unique. So I would appreciate it if role mapping became more flexible (e.g. being able to use other object items like sAMAccountName).

Cool. I will reproduce the problem and file a support case.


(Yu Watanabe) #4

@TimV

Sorry, I was totally misunderstanding. I was able to map the multibyte group name to an alphabetic role name.

Here is what I have found.

Mapping a multibyte group name to a multibyte role name does not work

This is because elasticsearch cannot store a multibyte role name.

[root@rhel2 ~]# curl -XPUT -u elastic:changeme localhost:9200/_xpack/security/role/情報システム -d '
> {
>   "run_as" : [ "superuser" ]
> }'
{"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following symbols `@`, `-`, `.` or `$`;"}],"type":"validation_exception","reason":"Validation Failed: 1: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following symbols `@`, `-`, `.` or `$`;"},"status":400}[root@rhel2 ~]#

Mapping a multibyte group name to an alphabetic role name works

This is how I did it.

1 Assign the multibyte security group name to a user on the Active Directory side. Make sure the group is not set as the Primary Group

2 ldapsearch returns an awkward result but this is okay

dn:: Q0495rih6L66IOijlSxDTj1Vc2VycyxEQz1leGFtcGxlLERDPWNvbQ==
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
...
memberOf:: Q0495oOF5aCx44K344K544OG44OgLENOPVVzZXJzLERDPWV4YW1wbGUsREM9Y29t
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
...
sAMAccountName: y-watanabe

3 elasticsearch.yml

ldap1:
  type: ldap
  order: 0
  url: ldap://ad:389
  bind_dn: "cn=creationline,cn=Users,dc=example,dc=com"
  bind_password: YuTennis123!
  user_search:
    base_dn: cn=Users,dc=example,dc=com
    scope: sub_tree
    attribute: sAMAccountName
  group_search:
    base_dn: cn=Users,dc=example,dc=com
  files:
    role_mapping: "/opt/elasticsearch/elasticsearch-5.4.0/config/x-pack/role_mapping.yml"
  unmapped_groups_as_roles: false
  follow_referrals: false

4 role_mapping.yml

superuser:
  - "cn=情報システム,cn=Users,dc=example,dc=com"

5 elasticsearch log. The CN of the group name was logged as empty, but it worked.

[2017-06-10T22:54:30,318][DEBUG][o.e.x.s.a.e.ReservedRealm] [Y_0s9_g] user [y-watanabe] not found in cache for realm [reserved], proceeding with normal authentication
[2017-06-10T22:54:30,318][DEBUG][o.e.x.s.a.l.LdapRealm    ] [Y_0s9_g] user [y-watanabe] not found in cache for realm [ldap1], proceeding with normal authentication

...

[2017-06-10T22:54:35,639][DEBUG][o.e.i.f.p.ParentChildIndexFieldData] [Y_0s9_g] [.security_audit_log-2017.06.10] global-ordinals [_parent] took [5micros]
[2017-06-10T22:54:36,660][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Y_0s9_g] the roles [[superuser]], are mapped from these [ldap] groups [[CN=,CN=Users,DC=example,DC=com]] for realm [ldap/ldap1]

6 Kibana login success
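To make the two findings in this post concrete, here is an added Python example (not from the thread and not Elasticsearch's own code): it decodes the base64 (`::`) attribute values that ldapsearch prints for non-ASCII DNs, matches the user's group DNs against role_mapping entries the way step 4 does, and checks role names against the rule quoted in the validation error above. The sample LDIF entry and the mapping dict are constructed from the values in the post; the DN comparison (lower-case, whitespace stripped around commas) is an assumed simplification of what Elasticsearch does, not its real implementation.

```python
import base64
import re

# Constructed sample, built from the ldapsearch output in the post. In LDIF an
# attribute written as "name:: value" carries a base64-encoded value, which is
# how ldapsearch prints DNs and group names that contain non-ASCII characters.
SAMPLE_LDIF = """\
dn:: Q0495rih6L66IOijlSxDTj1Vc2VycyxEQz1leGFtcGxlLERDPWNvbQ==
objectClass: top
objectClass: user
memberOf:: Q0495oOF5aCx44K344K544OG44OgLENOPVVzZXJzLERDPWV4YW1wbGUsREM9Y29t
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
sAMAccountName: y-watanabe
"""

# Constructed role_mapping.yml content, already parsed: role name -> DNs that get it.
ROLE_MAPPING = {
    "superuser": ["cn=情報システム,cn=Users,dc=example,dc=com"],
    "rdp_users": ["cn=Remote Desktop Users,cn=Builtin,dc=example,dc=com"],
    "auditor": ["cn=Domain Admins,cn=Users,dc=example,dc=com"],
}

# Role-name rule exactly as quoted in the validation_exception in the post:
# 1-30 characters, first a letter or '_', then letters, digits, '_', '@', '-', '.', '$'.
ROLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_@\-.$]{0,29}$")

# "attr: value" or "attr:: base64value"
_LDIF_LINE = re.compile(r"^([^:]+?)(::?)\s*(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, decoding '::' base64 values as UTF-8."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around commas so 'CN=Foo, CN=Users'
    and 'cn=foo,cn=users' compare equal (assumed simplification of DN matching)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_valid_role_name(name):
    """True if the role name satisfies the rule quoted in the error message."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def invalid_role_names(role_mapping):
    """Role names in a mapping that Elasticsearch would reject (e.g. multibyte names)."""
    return sorted(r for r in role_mapping if not is_valid_role_name(r))


def roles_for_entry(entry, role_mapping):
    """Roles whose mapped DN equals the user's own DN or one of its memberOf groups."""
    user_dns = {normalize_dn(d) for d in entry.get("dn", []) + entry.get("memberOf", [])}
    roles = set()
    for role, mapped_dns in role_mapping.items():
        if any(normalize_dn(d) in user_dns for d in mapped_dns):
            roles.add(role)
    return sorted(roles)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("user DN:", entry["dn"][0])
    print("groups: ", entry["memberOf"])
    print("roles:  ", roles_for_entry(entry, ROLE_MAPPING))
    print("rejected role names:", invalid_role_names({"情報システム": [], "superuser": []}))
```

Running the block decodes the user DN and the multibyte group DN from the base64 lines, grants `superuser` (via the multibyte group) and `rdp_users`, and reports `情報システム` as an unusable role name while `superuser` passes, which is exactly the asymmetry the post describes: the multibyte value is fine on the group side of the mapping but not as a role name.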


(Tim Vernum) #5

X-Pack 5.5 was released today and contains a new role-mapping API that is more powerful than the old role mapping files.

The Mapping Users and Groups to Roles documentation has been updated.


(Yu Watanabe) #6

@TimV

Thanks for the update. I will check it out.


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.