Hi everyone,
I’m unable to make LDAP login work with ReadonlyREST + Elasticsearch/Kibana. I am able to log in as the “kibana” user and have unrestricted access, but whenever I try to log in with the credentials of a user in the group “elk-app-users” I get the “wrong credentials” message on the web page, and in the CLI I get this error:

```
[2023-05-25T13:51:17,497][INFO ][t.b.r.a.f.RawRorConfigBasedCoreFactory] [elasticsearch-ng] ADDING BLOCK: { name: 'Kibana', policy: ALLOW, rules: [auth_key]
[2023-05-25T13:51:17,497][INFO ][t.b.r.a.f.RawRorConfigBasedCoreFactory] [elasticsearch-ng] ADDING BLOCK: { name: 'LDAP Users', policy: ALLOW, rules: [ldap_auth]
[2023-05-25T13:51:17,528][INFO ][t.b.r.a.a.AuditingTool$ ] [elasticsearch-ng] The audit is enabled with the given outputs: [index]
[2023-05-25T13:51:17,551][INFO ][t.b.r.b.RorInstance ] [elasticsearch-ng] ReadonlyREST was loaded ...
[2023-05-25T13:51:17,552][INFO ][t.b.r.b.RorInstance ] [elasticsearch-ng] [CLUSTERWIDE SETTINGS] Scheduling in-index settings check disabled
[2023-05-25T13:51:17,567][INFO ][t.b.r.b.e.MainConfigBasedReloadableEngine] [elasticsearch-ng] ROR main engine (id=eeef6a79bac736ed9c67f9e073f05ef1c0bc16bb) was initiated (Enabled ROR ACL).
[2023-05-25T13:51:39,256][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-ng] FORBIDDEN by default req={ ID:583411109-736759443#364, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=192.168.148.77:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token=c84379b39dc9fd0cf7993363c7579c0e40da80ba0b59c0731bdfa640231bfa04, elastic-apm-traceparent=00-ef987aa95209884caea555922fa2c8bd-bdfe37aa9c695c94-00, traceparent=00-ef987aa95209884caea555922fa2c8bd-bdfe37aa9c695c94-00, tracestate=es=s:0, HIS:[Kibana-> RULES:[auth_key->false]], [LDAP Users-> RULES:[ldap_auth->false]], }
```
Here are my config files:

`root@elk-ng:/home/in4madmin# cat /etc/elasticsearch/elasticsearch.yml`

```yaml
node.name: elasticsearch-ng
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
http.host: 0.0.0.0
readonlyrest:
  force_load_from_file: true
```
`root@elk-ng:/home/in4madmin# cat /etc/elasticsearch/readonlyrest.yml`

```yaml
readonlyrest:
  audit_collector: true
  access_control_rules:
  - name: Kibana
    type: allow
    auth_key: kibana:k1b@na!   # <--- static credentials for kibana daemon
    verbosity: error
  - name: LDAP Users
    type: allow
    ldap_auth:
      name: ldap1
      groups: ["elk-app-users", "elk-app-admins"]
    verbosity: error
  ldaps:
  - name: ldap1
    host: "freeipa.company-name.com"
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: true
    ignore_ldap_connectivity_problems: true
    bind_dn: "uid=elk-integration-user,cn=users,cn=accounts,dc=company-name,dc=com"
    bind_password: "secretpassword"
    search_user_base_DN: "cn=users,cn=accounts,dc=company-name,dc=com"
    search_groups_base_DN: "cn=groups,cn=accounts,dc=company-name,dc=com"
    connection_pool_size: 20
    connection_timeout: 1s
    request_timeout: 2s
    cache_ttl: 60s
    circuit_breaker:
      max_retries: 2
      reset_duration: 5s
```
`root@elk-ng:/home/in4madmin# cat /etc/kibana/kibana.yml`

```yaml
server.port: 5601
server.host: 0.0.0.0
server.publicBaseUrl: "http://elk-ng.company-name.com:5601"
elasticsearch.requestTimeout: 600000
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
elasticsearch.username: kibana
elasticsearch.password: k1b@na!
elasticsearch.hosts: ['http://192.168.148.77:9200']
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1684914829889.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['http://192.168.148.77:9200'], ca_trusted_fingerprint: 618bc757b630827763b3c53db654edc77d39182e164de4189fcfa7e8485412df}]
```
What is wrong with my config? How do I make it work? I am using a FreeIPA LDAP server; let me know if I can send any other logs/configs/output to help with diagnosing the issue. Thanks in advance!
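The useful part of that `FORBIDDEN by default` line is the `HIS:` section: ReadonlyREST records, for every ACL block it tried, which rule evaluated to `false`, and "by default" means no allow block matched so the default (forbid) policy applied. As an added example (not part of the original post, and not ReadonlyREST's own code), here is a stdlib-only Python parser that pulls the verdict, the single-valued request fields and the per-block rule results out of a line in that format. The sample line is the one from the post above with its `HDR:` list shortened; the regex also tolerates the `ALLOWED by { name: ... }` shape of a matched request, which is assumed here since only the FORBIDDEN line is on the page.

```python
import re
from typing import Dict, List, Tuple

# Sample line taken from the post above; the HDR list is shortened to keep it readable.
SAMPLE_LINE = (
    "[2023-05-25T13:51:39,256][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] "
    "[elasticsearch-ng] FORBIDDEN by default req={ ID:583411109-736759443#364, "
    "TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, "
    "KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, "
    "DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, "
    "CNT:<N/A>, HDR:Accept=*/*, Authorization=<OMITTED>, Host=192.168.148.77:9200, "
    "HIS:[Kibana-> RULES:[auth_key->false]], [LDAP Users-> RULES:[ldap_auth->false]], }"
)

# "<verdict> [by <reason>] req={ ... }" at the end of the line. The "by" part is
# "default" for a fall-through; for a matched request it is assumed to be the
# "{ name: '...', policy: ..., rules: [...] }" block description.
_VERDICT_RE = re.compile(r"\] (ALLOWED|FORBIDDEN)(?: by (.+?))? req=\{(.*)\}\s*$")
# Single-valued fields of the req={...} record; HDR and HIS are multi-valued and handled apart.
_SCALAR_KEYS = ("ID", "TYP", "CGR", "USR", "BRS", "KDX", "ACT", "OA", "XFF", "DA", "IDX", "MET", "PTH", "CNT")
_SCALAR_RE = re.compile(r"(?:^|, )(" + "|".join(_SCALAR_KEYS) + r"):([^,]*)")
# One HIS entry: "[<block name>-> RULES:[<rule>-><true|false>, ...]]"
_HIS_BLOCK_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\]\]")

History = List[Tuple[str, List[Tuple[str, bool]]]]


def parse_ror_log_line(line: str) -> dict:
    """Parse one ReadonlyREST AccessControlLoggingDecorator line into its parts."""
    m = _VERDICT_RE.search(line)
    if m is None:
        raise ValueError("not a ReadonlyREST access-control log line")
    verdict, reason, body = m.group(1), m.group(2) or "", m.group(3).strip()

    fields: Dict[str, str] = {k: v.strip() for k, v in _SCALAR_RE.findall(body)}

    # HIS is the last field, so everything after "HIS:" is the block history.
    history: History = []
    his = re.search(r"HIS:(.*)$", body)
    if his:
        for block, rules in _HIS_BLOCK_RE.findall(his.group(1)):
            parsed_rules = []
            for rule in rules.split(", "):
                name, _, value = rule.partition("->")
                parsed_rules.append((name.strip(), value.strip() == "true"))
            history.append((block.strip(), parsed_rules))

    return {"verdict": verdict, "reason": reason, "fields": fields, "history": history}


def failing_rules(parsed: dict) -> Dict[str, List[str]]:
    """Map each ACL block that was evaluated to the rules that returned false in it."""
    return {block: [name for name, ok in rules if not ok] for block, rules in parsed["history"]}


def explain(parsed: dict) -> str:
    """Human-readable summary of why the request got its verdict."""
    f = parsed["fields"]
    out = [f"{parsed['verdict']} by {parsed['reason']}: user={f.get('USR')} "
           f"action={f.get('ACT')} path={f.get('PTH')}"]
    for block, failed in failing_rules(parsed).items():
        if failed:
            out.append(f"  block '{block}' did not match: " + ", ".join(f"{r}->false" for r in failed))
        else:
            out.append(f"  block '{block}' matched")
    if parsed["reason"] == "default":
        out.append("  no ACL block matched, so the default (forbid) policy was applied")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(parse_ror_log_line(SAMPLE_LINE)))
```

Read against the post: `auth_key->false` in the `Kibana` block is expected for anyone who is not the kibana service user, so the only block that could have admitted `psamul` is `LDAP Users`, and its single rule `ldap_auth` (LDAP authentication plus membership in one of the listed groups) came back false. The parser does not tell you which of those two halves failed; it only narrows the search to that connector and that rule.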