Hello,
I would like to use LDAP to manage users accessing Kibana GUI.
Is it possible? If yes, do you have an example of how to do it?
Regards
M.
@Couto_PL has kindly documented the LDAP feature quite well in the README.md.
This should be a good starting point for you. To work with Kibana, you’d need to add kibana_access: ro, or kibana_access: rw in the rule blocks (the ones under access_control_rules) where needed.
Hello,
I tried but I get the following error:
no block has matched, forbidding by default: { ID:bf52762effe64a029f75a9ea676d853d, TYP:SearchRequest, USR:myuser, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, HDR:authorization,content-length,x-forwarded-proto,Connection,x-forwarded-port,content-type,Host,x-forwarded-for, EFF:0, HIS:[Kibana->[auth_key->false]], [Cerebro->[kibana_access->true, auth_key->false]], [Logstash->[auth_key_sha256->false, indices->false, actions->true]], [Kibana browser->[kibana_access->true]], [Kibana browser->[ldap_auth->false]] }
Here is my configuration.
- name: "Kibana browser"
  ldap_auth:
    - name: "ldap"
      groups: ["MyGroup"]
  type: allow
  kibana_access: rw
ldaps:
- name: ldap
  host: "ldap.***"
  port: 389
  ssl_enabled: false
  ssl_trust_all_certs: false
  connection_pool_size: 30
  connection_timeout_in_sec: 30
  request_timeout_in_sec: 30
  cache_ttl_in_sec: 60
  bind_dn: "user"
  bind_password: "****"
  search_user_base_DN: "DC=*****"
  search_groups_base_DN: "OU=Groups,OU=*******"
M.
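Added example, not part of the original posts: a small Python parser for the "no block has matched" line quoted above, listing per rules block which rules rejected the request. It assumes the HIS field has the shape shown in that line (block name, then each evaluated rule with true/false); the helper names parse_history and explain are hypothetical.

```python
import re

# Audit line copied from the post above.
LINE = (
    "no block has matched, forbidding by default: { ID:bf52762effe64a029f75a9ea676d853d, "
    "TYP:SearchRequest, USR:myuser, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, "
    "IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, "
    "HDR:authorization,content-length,x-forwarded-proto,Connection,x-forwarded-port,"
    "content-type,Host,x-forwarded-for, EFF:0, "
    "HIS:[Kibana->[auth_key->false]], [Cerebro->[kibana_access->true, auth_key->false]], "
    "[Logstash->[auth_key_sha256->false, indices->false, actions->true]], "
    "[Kibana browser->[kibana_access->true]], [Kibana browser->[ldap_auth->false]] }"
)

# Scalar request fields worth showing, and one "[block->[rule->bool, ...]]" entry.
FIELD = re.compile(r"\b(USR|ACT|IDX|PTH|MET):([^,]+),")
BLOCK = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")

def parse_history(line):
    """Return [(block_name, {rule: passed}), ...] from the HIS field."""
    history = []
    for name, rules in BLOCK.findall(line.split("HIS:", 1)[1]):
        results = {}
        for item in rules.split(","):
            if "->" not in item:
                continue  # tolerate a block with no evaluated rules
            rule, _, verdict = item.strip().rpartition("->")
            results[rule] = verdict == "true"
        history.append((name, results))
    return history

def explain(line):
    """Return (request fields, [(block_name, [failed rules]), ...])."""
    fields = dict(FIELD.findall(line))
    failures = [(name, [r for r, ok in rules.items() if not ok])
                for name, rules in parse_history(line)]
    return fields, failures

if __name__ == "__main__":
    fields, failures = explain(LINE)
    print(f"user={fields['USR']} action={fields['ACT']} index={fields['IDX']}")
    for name, failed in failures:
        print(f"  block {name!r}: failed rule(s): {', '.join(failed) or 'none'}")
```
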
You need to add an additional rules block for Kibana. I.e.
# We trust Kibana's server side process, full access granted via HTTP authentication
- name: "::KIBANA-SRV::"
  # auth_key is good for testing, but replace it with `auth_key_sha256`!
  auth_key: kibana:kibana
  type: allow
And you have to add the above credentials to the kibana.yml so the Kibana daemon can have access.
This additional rule was already added. It just does not appear in the part of the configuration I posted.
It works now but I need to authenticate twice.
M.
Yeah, the Kibana team is working on the double authentication issue as an internal ticket. But it’s taking way too long. I have a feeling we need to come up with something ourselves.
Hi friend,
Which changes have you made to make it work?
Thanks,
Maor
Hello,
Here is my configuration:
...
bind_dn: "CN=..."
bind_password: "...."
user_id_attribute: "sAMAccountName"
unique_member_attribute: "member"
search_user_base_DN: "DC=...."
search_groups_base_DN: "OU=Groups,..."
....
I used the attribute “sAMAccountName” for the user_id_attribute.
And I browsed my LDAP to see which attribute I could use for the unique_member_attribute. In my case, it was “member”.
H.