Issues with deploying Elasticsearch/Kibana with LDAP login

Hi everyone,

I’m unable to make LDAP login work with ReadonlyREST + Elasticsearch/Kibana. I am able to log in as the “kibana” user and have unrestricted access, but whenever I try to log in with the credentials of a user in the group “elk-app-users” I get the “wrong credentials” info on the webpage, and in the CLI I get this error:

[2023-05-25T13:51:17,497][INFO ][t.b.r.a.f.RawRorConfigBasedCoreFactory] [elasticsearch-ng] ADDING BLOCK:	{ name: 'Kibana', policy: ALLOW, rules: [auth_key]
[2023-05-25T13:51:17,497][INFO ][t.b.r.a.f.RawRorConfigBasedCoreFactory] [elasticsearch-ng] ADDING BLOCK:	{ name: 'LDAP Users', policy: ALLOW, rules: [ldap_auth]
[2023-05-25T13:51:17,528][INFO ][t.b.r.a.a.AuditingTool$  ] [elasticsearch-ng] The audit is enabled with the given outputs: [index]
[2023-05-25T13:51:17,551][INFO ][t.b.r.b.RorInstance      ] [elasticsearch-ng] ReadonlyREST was loaded ...
[2023-05-25T13:51:17,552][INFO ][t.b.r.b.RorInstance      ] [elasticsearch-ng] [CLUSTERWIDE SETTINGS] Scheduling in-index settings check disabled
[2023-05-25T13:51:17,567][INFO ][t.b.r.b.e.MainConfigBasedReloadableEngine] [elasticsearch-ng] ROR main engine (id=eeef6a79bac736ed9c67f9e073f05ef1c0bc16bb) was initiated (Enabled ROR ACL).
[2023-05-25T13:51:39,256][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-ng] FORBIDDEN by default req={ ID:583411109-736759443#364, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=192.168.148.77:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token=c84379b39dc9fd0cf7993363c7579c0e40da80ba0b59c0731bdfa640231bfa04, elastic-apm-traceparent=00-ef987aa95209884caea555922fa2c8bd-bdfe37aa9c695c94-00, traceparent=00-ef987aa95209884caea555922fa2c8bd-bdfe37aa9c695c94-00, tracestate=es=s:0, HIS:[Kibana-> RULES:[auth_key->false]], [LDAP Users-> RULES:[ldap_auth->false]], }

Here are my config files:

root@elk-ng:/home/in4madmin# cat /etc/elasticsearch/elasticsearch.yml
node.name: elasticsearch-ng
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
http.host: 0.0.0.0
readonlyrest:
  force_load_from_file: true


root@elk-ng:/home/in4madmin# cat /etc/elasticsearch/readonlyrest.yml
readonlyrest:
  audit_collector: true
  access_control_rules:
  - name: Kibana
    type: allow
    auth_key: kibana:k1b@na! # <--- static credentials for kibana daemon
    verbosity: error
  - name: LDAP Users
    type: allow
    ldap_auth:
      name: ldap1
      groups: ["elk-app-users", "elk-app-admins"]
    verbosity: error
  ldaps:
  - name: ldap1
    host: "freeipa.company-name.com"
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: true
    ignore_ldap_connectivity_problems: true
    bind_dn: "uid=elk-integration-user,cn=users,cn=accounts,dc=company-name,dc=com"
    bind_password: "secretpassword"
    search_user_base_DN: "cn=users,cn=accounts,dc=company-name,dc=com"
    search_groups_base_DN: "cn=groups,cn=accounts,dc=company-name,dc=com"
    connection_pool_size: 20
    connection_timeout: 1s
    request_timeout: 2s
    cache_ttl: 60s
    circuit_breaker:
      max_retries: 2
      reset_duration: 5s

root@elk-ng:/home/in4madmin# cat /etc/kibana/kibana.yml
server.port: 5601
server.host: 0.0.0.0
server.publicBaseUrl: "http://elk-ng.company-name.com:5601"
elasticsearch.requestTimeout: 600000

logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file

pid.file: /run/kibana/kibana.pid

elasticsearch.username: kibana
elasticsearch.password: k1b@na!

elasticsearch.hosts: ['http://192.168.148.77:9200']
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1684914829889.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['http://192.168.148.77:9200'], ca_trusted_fingerprint: 618bc757b630827763b3c53db654edc77d39182e164de4189fcfa7e8485412df}]

What is wrong with my config? How do I make it work? I am using a FreeIPA LDAP server; let me know if I can send any other logs/configs/output to help with diagnosing the issue. Thanks in advance!

I have changed the “rootLogger.level” setting to “debug” in log4j2.properties, now the logs show a bit more info. Here’s what happens when I try to log in using LDAP authentication:

[2023-05-25T14:49:35,035][DEBUG][t.b.r.a.b.r.a.AuthKeyRule] [elasticsearch-ng] Attempting Login as: psamul rc: 1891625371-150418704#900
[2023-05-25T14:49:35,035][DEBUG][t.b.r.a.b.r.a.LdapAuthenticationRule] [elasticsearch-ng] Attempting Login as: psamul rc: 1891625371-150418704#900
[2023-05-25T14:49:35,036][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] [elasticsearch-ng] Trying to authenticate user [psamul] with LDAP [ldap1]
[2023-05-25T14:49:35,038][DEBUG][t.b.r.a.b.Block          ] [elasticsearch-ng] [::KIBANA-SRV::] the request matches no rules in this block: { ID:1891625371-150418704#900, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=192.168.148.77:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token=bad5f2eb0e41ab4c4aa1202c765c68fb24ab137a7d8264a83d4742b107832452, elastic-apm-traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, tracestate=es=s:0, HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], } 
[2023-05-25T14:49:35,131][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthenticationServiceDecorator] [elasticsearch-ng] User [psamul] authenticated by LDAP [ldap1]
[2023-05-25T14:49:35,135][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] [elasticsearch-ng] Trying to fetch user [id=psamul] groups from LDAP [ldap1]
[2023-05-25T14:49:35,153][DEBUG][t.b.r.a.b.d.l.i.UnboundidLdapAuthorizationService] [elasticsearch-ng] LDAP search string: (&(cn=*)(uniqueMember=uid=psamul,cn=users,cn=accounts,dc=company-name,dc=com)) | groupNameAttr: cn
[2023-05-25T14:49:35,173][DEBUG][t.b.r.a.b.d.l.LoggableLdapAuthorizationServiceDecorator] [elasticsearch-ng] LDAP [ldap1] returned for user [psamul] following groups: []
[2023-05-25T14:49:35,175][DEBUG][t.b.r.a.b.Block          ] [elasticsearch-ng] [LDAP Users] the request matches no rules in this block: { ID:1891625371-150418704#900, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=192.168.148.77:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token=bad5f2eb0e41ab4c4aa1202c765c68fb24ab137a7d8264a83d4742b107832452, elastic-apm-traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, tracestate=es=s:0, HIS:[LDAP Users-> RULES:[ldap_auth->false]], } 
[2023-05-25T14:49:35,247][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-ng] FORBIDDEN by default req={ ID:1891625371-150418704#900, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:psamul (attempted), BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:192.168.148.77/32, XFF:null, DA:192.168.148.77/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=Basic cHNhbXVsOk5hdHMuMTAwNy1pbjRtYXRlczwz, Connection=close, Host=192.168.148.77:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token=bad5f2eb0e41ab4c4aa1202c765c68fb24ab137a7d8264a83d4742b107832452, elastic-apm-traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, traceparent=00-f8d911d6f9b186c8985a34efedbd5ce0-64632586fb80fa30-00, tracestate=es=s:0, HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], [LDAP Users-> RULES:[ldap_auth->false]], }

Hi @98przem

This log tells everything. No LDAP groups were returned so the authorization phase of the ldap_auth rule failed.

LDAP search string: (&(cn=*)(uniqueMember=uid=psamul,cn=users,cn=accounts,dc=company-name,dc=com)) | groupNameAttr: cn

The above was the LDAP search group request.

Make sure you are able to fetch the groups from your LDAP using this search string.

What should the search string look like in order to work with FreeIPA, and how do I modify my config to fix this issue? I’m not able to fetch groups using this search string, and I got stuck here.

We are not LDAP experts and we are not familiar with any LDAP implementation’s users and groups scheme :slight_smile:

Show us how you fetch groups for some user using e.g. ldapsearch and we will try to tell you what is wrong with your configuration.

I have figured it out. In case anyone else has this issue: my FreeIPA deployment required me to set unique_member_attribute: "member" in readonlyrest.yml. That fixed the issue with the search string.

1 Like
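The two points made in the thread, the maintainer's reading of the debug log (the `(&(cn=*)(uniqueMember=<user DN>))` search came back with no groups, so the authorization half of `ldap_auth` failed) and the reporter's fix (`unique_member_attribute: "member"`), can be reproduced offline with a small in-memory model of the group lookup. The code below is an added example, not ReadonlyREST's own implementation and not a dump of anyone's directory: the group entries are constructed sample data in FreeIPA's style (group membership held in the `member` attribute), the DNs and group names are the ones from the thread's config, and the filter shape is the one the log printed. Only the flat AND-of-equality filter shape used here is parsed, and DN comparison is a plain case-insensitive string match, which is a simplification of real LDAP matching rules.

```python
"""Model of the ldap_auth group search: same filter shape ReadonlyREST logged,
run against constructed FreeIPA-style group entries (added example, not ROR code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample directory. FreeIPA group objects hold members in "member";
# the older groupOfUniqueNames schema uses "uniqueMember", which is what the
# default search filter in the thread asked for.
SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {
        "dn": ["cn=elk-app-users,cn=groups,cn=accounts,dc=company-name,dc=com"],
        "cn": ["elk-app-users"],
        "member": ["uid=psamul,cn=users,cn=accounts,dc=company-name,dc=com"],
    },
    {
        "dn": ["cn=elk-app-admins,cn=groups,cn=accounts,dc=company-name,dc=com"],
        "cn": ["elk-app-admins"],
        "member": ["uid=someadmin,cn=users,cn=accounts,dc=company-name,dc=com"],
    },
]

USER_DN = "uid=psamul,cn=users,cn=accounts,dc=company-name,dc=com"

# The relevant keys of the thread's ldap1 definition and ldap_auth rule.
BASE_CONFIG = {
    "search_groups_base_DN": "cn=groups,cn=accounts,dc=company-name,dc=com",
    "groups": ["elk-app-users", "elk-app-admins"],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied value cannot alter the filter structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_group_search_filter(user_dn: str, unique_member_attribute: str = "uniqueMember",
                              group_name_attribute: str = "cn") -> str:
    """Filter in the shape the debug log showed; the member attribute is the
    configurable part (unique_member_attribute in readonlyrest.yml)."""
    return (f"(&({group_name_attribute}=*)"
            f"({unique_member_attribute}={escape_filter_value(user_dn)}))")


_ASSERTION = re.compile(r"\(([^=()]+)=([^()]*)\)")


def parse_and_filter(ldap_filter: str) -> List[Tuple[str, str]]:
    """Parse a flat (&(attr=value)(attr=value)) filter into (attr, value) pairs."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported")
    body = ldap_filter[2:-1]
    assertions = _ASSERTION.findall(body)
    if "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError("malformed filter: " + ldap_filter)
    return assertions


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _attr_values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    # LDAP attribute names are case-insensitive: "member" and "Member" are the same.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def _matches(entry: Dict[str, List[str]], attr: str, value: str) -> bool:
    values = _attr_values(entry, attr)
    if value == "*":                      # presence test, as in (cn=*)
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def search_groups(directory: List[Dict[str, List[str]]], base_dn: str,
                  ldap_filter: str, group_name_attribute: str = "cn") -> List[str]:
    """Group names of entries under base_dn that satisfy every filter assertion."""
    assertions = parse_and_filter(ldap_filter)
    found: List[str] = []
    for entry in directory:
        if not entry["dn"][0].lower().endswith("," + base_dn.lower()):
            continue
        if all(_matches(entry, a, v) for a, v in assertions):
            found.extend(_attr_values(entry, group_name_attribute))
    return found


def ldap_auth_groups(directory, config, user_dn) -> Tuple[str, List[str], List[str]]:
    """Authorization half of ldap_auth: fetch the user's groups with the configured
    member attribute, then keep those listed in the rule's `groups`."""
    flt = build_group_search_filter(user_dn, config.get("unique_member_attribute", "uniqueMember"))
    groups = search_groups(directory, config["search_groups_base_DN"], flt)
    return flt, groups, [g for g in groups if g in config["groups"]]


if __name__ == "__main__":
    for cfg in (BASE_CONFIG, {**BASE_CONFIG, "unique_member_attribute": "member"}):
        flt, groups, allowed = ldap_auth_groups(SAMPLE_DIRECTORY, cfg, USER_DN)
        print(f"{flt}\n  groups returned: {groups}  matching the rule: {allowed}")
```

Run as-is, the default configuration reproduces the log line `returned for user [psamul] following groups: []`, because no FreeIPA group carries a `uniqueMember` attribute; with `unique_member_attribute: "member"` the same search returns `elk-app-users`, which is in the rule's `groups` list, so the block would match. Against a real server the equivalent check is the `ldapsearch` the maintainer asked for: search the configured `search_groups_base_DN` with the filter from the log, and compare the result after swapping `uniqueMember` for `member`. The escaping helper is there because the member attribute value is built from a DN derived from the login name; a real LDAP client library should be doing that escaping for you, and it is worth confirming that it does.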