Can't pass X-Forwarded-User from NGINX (to use in conjunction with LDAP)

I ultimately want to send the X-Forwarded-User value from an NGINX reverse proxy and use it to authenticate via LDAP. So if the X-Forwarded-User exists in LDAP then the user is authenticated and groups are retrieved etc.

Everything is working up to and including LDAP authentication. The only thing that doesn’t work is the passing of the X-Forwarded-User variable and using that to authenticate.

My configuration is as follows…

elasticsearch.yml:

cluster.initial_master_nodes: ["es-node-01", "es-node-02", "es-node-03"]
cluster.name: elasticsearch
discovery.seed_hosts: ["es-node-01.com", "es-node-02.com", "es-node-03.com"]
node.name: es-node-01
http.port: 9200
transport.port: 9300
network.host: 0.0.0.0
xpack.security.enabled: false
http.type: ssl_netty4
transport.type: ror_ssl_internode

readonlyrest.yml:

readonlyrest:
    ssl:
      keystore_file: "keystorefile1.jks"
      keystore_pass: "examplepw"
      key_pass: "examplepw"
    ssl_internode:
      keystore_file: "keystorefile2.jks"
      keystore_pass: "examplepw"
      key_pass: "examplepw"
    ldaps:
    - name: myldap
      host: myldaphost.com
      port: 389
      ssl_enabled: false
      bind_dn: "cn=appUser,ou=someOU,dc=dcName,dc=com"
      bind_password: "examplepw"
      user_id_attribute: cn
      search_user_base_DN: "dc=dcName,dc=com"
      search_groups_base_DN: "dc=dcName,dc=com"
      cache_ttl_in_sec: 3600
    access_control_rules:
    - name: "Allow Test Users"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authentication: 
        name: myldap
        groups: ['testUsers']
    - name: "All"
      type: allow
      indices: ["*"]
    proxy_auth_configs:
    - name: "proxy1"
      user_id_header: "X-Forwarded-User"   

(I realise that the “All” block here isn’t good, I have just included it temporarily to minimise other issues while trying to get the authentication via ‘X-Forwarded-User’ working).

kibana.yml:

elasticsearch.hosts: 
- https://es-node-01.com:9200
- https://es-node-02.com:9200
- https://es-node-03.com:9200
server.host: 0.0.0.0
server.port: 5601
xpack.security.enabled: false
server.ssl.enabled: true
server.ssl.certificate: "/path/to/certificate.cer"
server.ssl.key: "/path/to/certificate.key"
elasticsearch.ssl.certificateAuthorities: ["/path/to/ca.pem"]
elasticsearch.requestHeadersWhiteList: ["authorization", "X-Forwarded-User"]

nginx.conf:

proxy_pass https://kibana.my.org:5601;
proxy_set_header X-Forwarded-User $user_id;
proxy_pass_request_headers on;

(My nginx.conf is larger than this but these are the relevant lines and looking in the nginx logs I can see that ‘X-Forwarded-User’ is being populated with the correct user information).

I am clearly doing something fundamentally wrong; can you give me any help?

One thing to add is that I can’t copy/paste text from the system that I am working on so apologies I won’t be able to paste long logs etc. I will do all that I can though.

You cannot have two authentication rules in the same block.
And it seems that instead of ldap_authentication you wanted to use ldap_authorization (details here).

And make sure that ES actually receives the X-Forwarded-User header. You can see it in the ALLOW|FORBIDDEN ROR log line, in the HDR section.
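The rule block rewritten along the lines of the reply above (proxy_auth supplies the identity, ldap_authorization only checks group membership), as an added example rather than configuration from the original post; the ssl, ssl_internode and ldaps sections are assumed to stay as the poster gave them, and because ROR then trusts the header as-is, Elasticsearch must be reachable only through nginx.

```yaml
readonlyrest:
  # ssl:, ssl_internode: and ldaps: sections unchanged from the poster's
  # readonlyrest.yml (assumed); only the rules and proxy config are shown.
  access_control_rules:
  # Added example: a single rule with one authentication step (proxy_auth)
  # followed by an authorization step against LDAP for the identified user.
  - name: "Allow Test Users via proxy + LDAP groups"
    type: allow
    proxy_auth:
      proxy_auth_config: "proxy1"    # identity taken from X-Forwarded-User
      users: ["*"]
    ldap_authorization:              # group check only, no password re-check
      name: myldap
      groups: ["testUsers"]
    indices: ["*"]                   # scope that the temporary "All" block gave
  proxy_auth_configs:
  - name: "proxy1"
    user_id_header: "X-Forwarded-User"
```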

This architecture is a bit off (as far as I understand it): the fact that you trust nginx to populate the x-forwarded-user header suggests that nginx is actually dealing with the authentication already. Correct? If so, why should ROR bother to go back to the LDAP server to double-check the user is valid (without providing the associated password)?

Why not skip nginx authentication and let ROR verify the LDAP username and password of the user? If it’s because you want to provide a custom login form, you can customize the ROR login form very heavily with custom code in the <head> section, etc.