How to create LDAP users authorisation based on sub groups

Hi @sscarduzio,

We got the readonlyrest configuration working and we have met all our requirements.
But now our other requirement is:
we don't want to give credentials for each LDAP group.
In the configuration below we have to specify the bind_dn and bind_password of at least one user to bind the other users of that group. We are not able to get the username and password of one person for each LDAP to specify as bind_dn and bind_password.
Is there any way that we can specify only one bind_dn and bind_password for all users and groups, because we have only one host, i.e. host: "ad.example.com"? We want only one username and password to bind all users of my LDAP and don't want to specify it in each LDAP.

```yaml
readonlyrest:

    ssl:
      enable: true
      keystore_file: "/opt/READONLYREST/elasticsearch-6.3.0/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    # This is needed only when the keystore has multiple entries
    audit_collector: true

    access_control_rules:

    - name: "::admin::"
      auth_key: admin:admin

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    - name: RULE1
      indices: [".kibana","logstash-*","index1"]
      groups: ["lg1"]

    - name: 'Grant RW Kibana access to a LDAP group Wallets Research'
      indices: [".kibana","logstash-*","index2","advance_search_rating_detail"]

    - name: 'Grant RW Kibana access to a LDAP group Development'
      indices: [".kibana","logstash-*","index2"]
      ldap_authentication: "ldap3"

    users:
    - username: RonakB
      groups: ["lg1"]
      ldap_authentication: "ldap1"

    ldaps:

    - name: ldap1
      host: "ad.example.com"
      port: 389                                   # default 389
      ssl_enabled: false                          # default true
      ssl_trust_all_certs: false                  # default false
      bind_dn: "CN=RasdB,OU=Wallets Research,OU=Mercator – Client Analytics,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=example,DC=com"
      bind_password: "abh@2018"
      search_user_base_DN: "OU=Wallets Research,OU=Mercator – Client Analytics,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=example,DC=com"
      search_groups_base_DN: "OU=Wallets Research,OU=Mercator – Client Analytics,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=example,DC=com"
      user_id_attribute: "sAMAccountName"         # default "uid"
      unique_member_attribute: "uniqueMember"     # default "uniqueMember"

    - name: ldap2
      host: "ad.example.com"
      port: 389                                   # default 389
      ssl_enabled: false                          # default true
      ssl_trust_all_certs: false                  # default false
      bind_dn: "CN=c-ahamad,OU=Development,OU=Mercator – Corporate functions,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=example,DC=com"
      bind_password: "abc#1234"
      search_user_base_DN: "OU=Development,OU=Mercator – Corporate functions,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=crisil,DC=com"
      search_groups_base_DN: "OU=Development,OU=Mercator – Corporate functions,OU=Mercator,OU=Mumbai Airoli Mercator,DC=ad,DC=crisil,DC=com"
      user_id_attribute: "sAMAccountName"         # default "uid"
      unique_member_attribute: "uniqueMember"     # default "uniqueMember"
```

Hi @Akhilesh, your example definitely defeats the purpose of using LDAP, because each user's credentials reside in the ROR configuration file.

Normally, customers have a single LDAP user for binding (in our example "admin") and the LDAP connector will launch a search using the credentials provided in each request.

Example:

```yaml
    - name: ldap1
      host: "ldap1.example.com"
      port: 389
      ssl_enabled: false

      bind_dn: "cn=admin,dc=example,dc=com"                        # a generic user able to search everyone
      bind_password: "password"

      search_user_base_DN: "ou=People,dc=example,dc=com"
      user_id_attribute: "sAMAccountName"
      search_groups_base_DN: "ou=Groups,dc=example,dc=com"
      unique_member_attribute: "uniqueMember"
      group_search_filter: "(objectClass=group)(cn=application*)"   # restrict search to a specific LDAP group
      group_name_attribute: "cn"
```
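The search-then-bind flow the reply describes (one generic service account searches, the user's own password is checked by binding as the user found), as an added example that is not part of this thread or of ReadonlyREST itself. It runs against a constructed in-memory directory; `DIRECTORY`, `bind`, `under` and `group_name_prefix` (standing in for the `(cn=application*)` part of `group_search_filter`) are assumptions made for the demo.

```python
# Added example, not ReadonlyREST code: simulate what an LDAP connector with a
# single bind user does per request, against a constructed in-memory directory.
import hmac

DIRECTORY = {  # constructed sample entries: DN -> attributes (demo passwords)
    "cn=admin,dc=example,dc=com": {"userPassword": "password"},
    "cn=ronakb,ou=People,dc=example,dc=com": {"sAMAccountName": "RonakB", "userPassword": "s3cret"},
    "cn=c-ahamad,ou=People,dc=example,dc=com": {"sAMAccountName": "c-ahamad", "userPassword": "hunter2"},
    "cn=application-wallets,ou=Groups,dc=example,dc=com": {
        "objectClass": "group", "cn": "application-wallets",
        "uniqueMember": ["cn=ronakb,ou=People,dc=example,dc=com"]},
    "cn=application-dev,ou=Groups,dc=example,dc=com": {
        "objectClass": "group", "cn": "application-dev",
        "uniqueMember": ["cn=c-ahamad,ou=People,dc=example,dc=com"]},
}

CONNECTOR = {  # mirrors the keys of the reply's ldap1 example
    "bind_dn": "cn=admin,dc=example,dc=com", "bind_password": "password",
    "search_user_base_DN": "ou=People,dc=example,dc=com", "user_id_attribute": "sAMAccountName",
    "search_groups_base_DN": "ou=Groups,dc=example,dc=com", "unique_member_attribute": "uniqueMember",
    "group_name_prefix": "application",  # assumption: stands in for (cn=application*)
    "group_name_attribute": "cn",
}

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry.get("userPassword", ""), password)

def under(dn, base):
    """True if dn lies below the given base DN."""
    return dn.endswith("," + base)

def authenticate(username, password, cfg=CONNECTOR):
    """Return the sorted group names of an authenticated user, or None on failure."""
    if not bind(cfg["bind_dn"], cfg["bind_password"]):      # 1. bind as the generic user
        return None
    matches = [dn for dn, a in DIRECTORY.items()            # 2. search user base by id attribute
               if under(dn, cfg["search_user_base_DN"]) and a.get(cfg["user_id_attribute"]) == username]
    if len(matches) != 1:                                   # unknown or ambiguous user
        return None
    user_dn = matches[0]
    if not bind(user_dn, password):                         # 3. verify the request's credentials
        return None
    return sorted(a[cfg["group_name_attribute"]] for dn, a in DIRECTORY.items()   # 4. group search
                  if under(dn, cfg["search_groups_base_DN"]) and a.get("objectClass") == "group"
                  and a["cn"].startswith(cfg["group_name_prefix"])
                  and user_dn in a.get(cfg["unique_member_attribute"], []))
```

The service account only needs read access to the user and group subtrees; no per-group bind users are required because each person's password is verified by the bind in step 3.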