Kibana browser - LDAP authentication



I would like to use LDAP to manage users accessing Kibana GUI.
Is it possible ? If yes, do you have an example how to ?


(Simone Scarduzio) #2

@Couto_PL has kindly documented the LDAP feature quite well in the

This should be a good starting point for you. To work with kibana, you’d need to add kibana_access: ro , or kibana_access: rw in the rule blocks (the ones under access_control_rules) where needed.



I tried but I get the following error :

no block has matched, forbidding by default: { ID:bf52762effe64a029f75a9ea676d853d, TYP:SearchRequest, USR:myuser, BRS:false, ACT:indices:data/read/search, OA:, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, HDR:authorization,content-length,x-forwarded-proto,Connection,x-forwarded-port,content-type,Host,x-forwarded-for, EFF:0, HIS:[Kibana->[auth_key->false]], [Cerebro->[kibana_access->true, auth_key->false]], [Logstash->[auth_key_sha256->false, indices->false, actions->true]], [Kibana browser->[kibana_access->true]], [Kibana browser->[ldap_auth->false]] }

Here is my configuration.

- name: "Kibana browser"
     - name: "ldap"
       groups: ["MyGroup"]
  type: allow
  kibana_access: rw

  - name: ldap
    host: "ldap.***"
   	port: 389
    ssl_enabled: false
   	ssl_trust_all_certs: false
    connection_pool_size: 30                 
   	connection_timeout_in_sec: 30            
    request_timeout_in_sec: 30               
   	cache_ttl_in_sec: 60
    bind_dn: "user"
    bind_password: "****"
    search_user_base_DN: "DC=*****"
    search_groups_base_DN: "OU=Groups,OU=*******"


(Simone Scarduzio) #4

You need to add an additional rules block for Kibana. I.e.

 # We trust Kibana's server side process, full access granted via HTTP authentication
 - name: "::KIBANA-SRV::"
   # auth_key is good for testing, but replace it with `auth_key_sha256`!
   auth_key: kibana:kibana
   type: allow

And you have to add the above credentials to the kibana.yml so the Kibana daemon can have access.


This additional rules was already added. It just does not appear in the part of configuration I posted.


It works now but I need to authenticate twice.


(Simone Scarduzio) #7

yeah Kibana team is working on the double authentication issue as an internal ticket. But it’s taking way too long. I have a feeling we need to come up with something ourselves. :confused:

(Maor Shmueli) #8

Hi friend,
which changes have you done to make it work?




Here is my configuration :

bind_dn: "CN=..."
bind_password: "...."
user_id_attribute: "sAMAccountName"
unique_member_attribute: "member"
search_user_base_DN: "DC=...."
search_groups_base_DN: "OU=Groups,..."

I used the attribute “sAMAccountName” for the user_id_attribute.
And I browsed my LDAP to see which attribute I could used for the unique_member_attribute. In my case, it was “member”.