Kibana browser - LDAP authentication


#1

Hello,

I would like to use LDAP to manage users accessing Kibana GUI.
Is it possible? If yes, do you have an example of how to?

Regards
M.


(Simone Scarduzio) #2

@Couto_PL has kindly documented the LDAP feature quite well in the README.md

This should be a good starting point for you. To work with Kibana, you’d need to add kibana_access: ro or kibana_access: rw in the rule blocks (the ones under access_control_rules) where needed.


#3

Hello,

I tried but I get the following error:

no block has matched, forbidding by default: { ID:bf52762effe64a029f75a9ea676d853d, TYP:SearchRequest, USR:myuser, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, HDR:authorization,content-length,x-forwarded-proto,Connection,x-forwarded-port,content-type,Host,x-forwarded-for, EFF:0, HIS:[Kibana->[auth_key->false]], [Cerebro->[kibana_access->true, auth_key->false]], [Logstash->[auth_key_sha256->false, indices->false, actions->true]], [Kibana browser->[kibana_access->true]], [Kibana browser->[ldap_auth->false]] }

Here is my configuration.

- name: "Kibana browser"
  ldap_auth:
    - name: "ldap"
      groups: ["MyGroup"]
  type: allow
  kibana_access: rw

ldaps:
  - name: ldap
    host: "ldap.***"
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: false
    connection_pool_size: 30
    connection_timeout_in_sec: 30
    request_timeout_in_sec: 30
    cache_ttl_in_sec: 60
    bind_dn: "user"
    bind_password: "****"
    search_user_base_DN: "DC=*****"
    search_groups_base_DN: "OU=Groups,OU=*******"

M.


(Simone Scarduzio) #4

You need to add an additional rules block for Kibana. I.e.

 # We trust Kibana's server side process, full access granted via HTTP authentication
 - name: "::KIBANA-SRV::"
   # auth_key is good for testing, but replace it with `auth_key_sha256`!
   auth_key: kibana:kibana
   type: allow

And you have to add the above credentials to the kibana.yml so the Kibana daemon can have access.
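As an added illustration of two points in this thread (the tab-indented ldaps section in post #3, and the plaintext auth_key in the block above), here is a small Python lint that is not part of ReadonlyREST or the poster's setup: it scans a readonlyrest.yml for tab indentation, rule blocks still using a plaintext auth_key, and ldap_auth blocks without kibana_access, and computes the auth_key_sha256 value that replaces a plaintext key. The sample config, the finding codes and the function names are my own constructions.

```python
import hashlib
import re

# Constructed sample (not the poster's file) carrying two of the thread's mistakes.
SAMPLE_CONFIG = """readonlyrest:
  access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      type: allow
    - name: "Kibana browser"
      ldap_auth: {name: "ldap", groups: ["MyGroup"]}
      type: allow
      kibana_access: rw
  ldaps:
    - name: ldap
\t      port: 389
"""

def sha256_auth_key(user, password):
    """Hex SHA-256 of "user:password", the value an auth_key_sha256 rule expects."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

def rule_blocks(text):
    """Map rule-block name -> set of keys under access_control_rules (line-based on purpose)."""
    blocks, current, acl_indent = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^([ \t]*)(-\s*)?([A-Za-z0-9_]+):(.*)", line)
        if not m: continue
        indent, dash, key, value = m.groups()
        if key == "access_control_rules":
            acl_indent = len(indent)
        elif acl_indent is None or len(indent) <= acl_indent:
            acl_indent = None              # outside, or just left, the rules section
        elif dash:                         # "- name: ..." opens a new rule block
            current = value.strip().strip('"') if key == "name" else "<unnamed>"
            blocks[current] = set()
        elif current is not None:
            blocks[current].add(key)
    return blocks

def lint(text):
    """Return (code, where) findings for the mistakes that surfaced in this thread."""
    findings = [("tab_indent", f"line {n}") for n, line in enumerate(text.splitlines(), 1)
                if "\t" in line[: len(line) - len(line.lstrip())]]
    for name, keys in rule_blocks(text).items():
        if "auth_key" in keys:             # user:password sits in clear text in the file
            findings.append(("plaintext_auth_key", name))
        if "ldap_auth" in keys and "kibana_access" not in keys:
            findings.append(("ldap_block_without_kibana_access", name))
    return findings
```

A tab-indented file never parses as YAML, which is why the lint works on raw lines rather than a YAML loader.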


#5

This additional rules block was already added. It just does not appear in the part of the configuration I posted.


#6

It works now but I need to authenticate twice.

M.


(Simone Scarduzio) #7

Yeah, the Kibana team is working on the double authentication issue as an internal ticket. But it’s taking way too long. I have a feeling we need to come up with something ourselves. :confused:


(Maor Shmueli) #8

Hi friend,
Which changes have you made to make it work?

Thanks,
Maor


#9

Hello,

Here is my configuration:

...
bind_dn: "CN=..."
bind_password: "...."
user_id_attribute: "sAMAccountName"
unique_member_attribute: "member"
search_user_base_DN: "DC=...."
search_groups_base_DN: "OU=Groups,..."
....

I used the attribute “sAMAccountName” for the user_id_attribute.
And I browsed my LDAP to see which attribute I could use for the unique_member_attribute. In my case, it was “member”.

H.