Hi,
I need some help to configure authentication through AD nested groups.
There are two groups for this test:
- GG_A_READONLYREST_TEST: This group contains TEAM_EXPLOITATION_TEST only
- TEAM_EXPLOITATION_TEST: This group contains users only
Why use GG_A_READONLYREST_TEST? We have an AD constraint which implies locating all our groups where GG_A_READONLYREST_TEST is located. Furthermore we want to be able to automate access rules with templated names.
If the configuration is set to request the group TEAM_EXPLOITATION_TEST it works fine. If we set the configuration to match GG_A_READONLYREST_TEST, the user cannot log in:
Ldaps configuration to make TEAM_EXPLOITATION_TEST work:
ldaps:
  - name: ldap1
    host: "XXXXXXX"
    port: 636                          # optional, default 389
    ssl_enabled: true                  # optional, default true
    ssl_trust_all_certs: true          # optional, default false
    bind_dn: "CN=XXX,OU=Service_Accounts,OU=SomeUO,DC=firm,DC=com" # optional, skip for anonymous bind
    bind_password: "XXXX"              # optional, skip for anonymous bind
    search_user_base_DN: "OU=OtherUO,DC=firm,DC=com"
    user_id_attribute: "sAMAccountName" # optional, default "uid"
    search_groups_base_DN: "OU=Groups_team,OU=SomeUO,DC=firm,DC=com"
    #groups_from_user: true
    #groups_from_user_attribute: "memberOf"
    #group_search_filter: "(objectClass=group)"
    unique_member_attribute: "member"  # optional, default "uniqueMember"
    connection_pool_size: 10           # optional, default 30
    connection_timeout_in_sec: 10      # optional, default 1
    request_timeout_in_sec: 10         # optional, default 1
    cache_ttl_in_sec: 60               # optional, default 0 - cache disabled

access_control_rule:
  - name: Acces_nested
    #nested group access test
    type: allow
    ldap_auth:
      name: "ldap1"
      groups: ["TEAM_EXPLOITATION_TEST"]
GG_A_READONLYREST_TEST is located in OU=Groups_appli,OU=SomeUO,DC=firm,DC=com
TEAM_EXPLOITATION_TEST is located in OU=Groups_team,OU=SomeUO,DC=firm,DC=com
I tried to set the ldaps configuration to search in OU=Groups_appli,OU=SomeUO,DC=firm,DC=com and configure the access_control_rule to match GG_A_READONLYREST_TEST as follows:

  - name: Acces_nested
    #group access test
    type: allow
    ldap_auth:
      name: "ldap1"
      groups: ["GG_A_READONLYREST_TEST"]

ldaps:
  - name: ldap1
    host: "XXXXXXX"
    port: 636                          # optional, default 389
    ssl_enabled: true                  # optional, default true
    ssl_trust_all_certs: true          # optional, default false
    bind_dn: "CN=XXX,OU=Service_Accounts,OU=SomeUO,DC=firm,DC=com" # optional, skip for anonymous bind
    bind_password: "XXXX"              # optional, skip for anonymous bind
    search_user_base_DN: "OU=OtherUO,DC=firm,DC=com"
    user_id_attribute: "sAMAccountName" # optional, default "uid"
    search_groups_base_DN: "OU=Groups_appli,OU=SomeUO,DC=firm,DC=com"
    #groups_from_user: true
    #groups_from_user_attribute: "memberOf"
    #group_search_filter: "(objectClass=group)"
    unique_member_attribute: "member"  # optional, default "uniqueMember"
    connection_pool_size: 10           # optional, default 30
    connection_timeout_in_sec: 10      # optional, default 1
    request_timeout_in_sec: 10         # optional, default 1
    cache_ttl_in_sec: 60               # optional, default 0 - cache disabled
There are three parameters which are commented out. We tried to play with them but could not figure out the way to make the authentication to Kibana work.
RoR Enterprise version:
kibana-plugin list
readonlyrest_kbn@1.16.29
Kibana version: 6.4.3
Elasticsearch version: 6.4.3
RoR Version (ES side):
Name: readonlyrest
Description: Safely expose Elasticsearch REST API
Version: 1.16.29
Elasticsearch Version: 6.4.3
Java Version: 1.8
Native Controller: false
Extended Plugins: []
Classname: tech.beshu.ror.es.ReadonlyRestPlugin
I could not find relevant logs to determine the cause of the issue on either the Kibana side or the ES side (logs and also the RoR index directly).
Can someone please help to configure the LDAP connection the proper way?
Thanks in advance
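The behaviour described above is what you get when group membership is resolved by direct `member` lookup only: the user is listed in `TEAM_EXPLOITATION_TEST`, and `TEAM_EXPLOITATION_TEST` (not the user) is listed in `GG_A_READONLYREST_TEST`, so a search for groups that directly contain the user's DN under OU=Groups_appli finds nothing. Active Directory can return the transitive (nested) chain in one query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, `(member:1.2.840.113556.1.4.1941:=<userDN>)`. The block below is an added example, not ReadonlyREST code and not a statement of what the plugin's commented-out options do; it models the two search strategies over a small constructed in-memory directory built from the DNs in the post (the user DN `CN=jdoe,...` and the sAMAccountName `jdoe` are invented for the example) so the difference can be seen offline.

```python
"""Flat vs. transitive (nested) AD group membership resolution.

Added example: a constructed in-memory directory instead of a live AD,
modelling what a direct (member=<userDN>) search and an AD
LDAP_MATCHING_RULE_IN_CHAIN search would each return.
"""
from collections import deque

# Constructed snapshot. Group DNs and nesting follow the forum post; the
# user entry is invented for the example (assumption).
USER_DN = "CN=jdoe,OU=OtherUO,DC=firm,DC=com"
TEAM_DN = "CN=TEAM_EXPLOITATION_TEST,OU=Groups_team,OU=SomeUO,DC=firm,DC=com"
APP_DN = "CN=GG_A_READONLYREST_TEST,OU=Groups_appli,OU=SomeUO,DC=firm,DC=com"

DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": "jdoe",
              "memberOf": [TEAM_DN]},
    TEAM_DN: {"objectClass": ["group"], "cn": "TEAM_EXPLOITATION_TEST",
              "member": [USER_DN], "memberOf": [APP_DN]},
    APP_DN: {"objectClass": ["group"], "cn": "GG_A_READONLYREST_TEST",
             "member": [TEAM_DN]},
}


def _under(dn, base_dn):
    """True if dn lies beneath base_dn (DN comparison is case-insensitive)."""
    return dn.lower().endswith("," + base_dn.lower())


def flat_groups(directory, user_dn, base_dn, member_attr="member"):
    """Groups under base_dn whose member_attr lists user_dn directly.

    Equivalent to a subtree search with the filter
        (&(objectClass=group)(member=<user_dn>))
    Nesting is invisible: a group that only contains another group
    that contains the user is not returned.
    """
    return sorted(
        e["cn"] for dn, e in directory.items()
        if "group" in e["objectClass"]
        and _under(dn, base_dn)
        and user_dn in e.get(member_attr, [])
    )


def nested_groups(directory, user_dn, base_dn, member_attr="member"):
    """Groups under base_dn containing user_dn directly or through nesting.

    Mirrors what AD returns for the chain matching rule
        (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=<user_dn>))
    Implemented as a breadth-first walk up member_attr; 'seen' makes
    circular nesting (A in B, B in A) terminate instead of looping.
    """
    seen = set()
    queue = deque([user_dn])
    while queue:
        current = queue.popleft()
        for dn, e in directory.items():
            if ("group" in e["objectClass"]
                    and current in e.get(member_attr, [])
                    and dn not in seen):
                seen.add(dn)
                queue.append(dn)
    return sorted(directory[dn]["cn"] for dn in seen if _under(dn, base_dn))


def rule_allows(directory, user_dn, base_dn, required, nested=False):
    """Model an allow rule with `groups: [required...]`: allowed if any
    required group resolves for the user under base_dn."""
    resolver = nested_groups if nested else flat_groups
    return bool(set(required) & set(resolver(directory, user_dn, base_dn)))


if __name__ == "__main__":
    team_base = "OU=Groups_team,OU=SomeUO,DC=firm,DC=com"
    appli_base = "OU=Groups_appli,OU=SomeUO,DC=firm,DC=com"
    print("flat, Groups_team :", flat_groups(DIRECTORY, USER_DN, team_base))
    print("flat, Groups_appli:", flat_groups(DIRECTORY, USER_DN, appli_base))
    print("chain, Groups_appli:", nested_groups(DIRECTORY, USER_DN, appli_base))
    print("GG_A rule, flat :", rule_allows(DIRECTORY, USER_DN, appli_base,
                                           ["GG_A_READONLYREST_TEST"]))
    print("GG_A rule, chain:", rule_allows(DIRECTORY, USER_DN, appli_base,
                                           ["GG_A_READONLYREST_TEST"], nested=True))
```

The practical check against a real AD is to run both filters with `ldapsearch` (or any LDAP client) as the same bind account and base DN the plugin uses: if the plain `(member=<userDN>)` filter under OU=Groups_appli returns nothing but the `:1.2.840.113556.1.4.1941:` form returns GG_A_READONLYREST_TEST, the directory is fine and the question is purely which search the plugin performs. Note that `memberOf` on the user entry is also not transitive in AD, so resolving groups from that attribute has the same limitation as the flat `member` search. Unrelated to nesting, `ssl_trust_all_certs: true` in the posted config disables certificate verification on the LDAPS connection that carries the `bind_dn` password; that is acceptable for a test but should be off once the CA is trusted.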