Can someone assist me with my LDAP configuration?
Notice that “groups” contains “group_does_not_exist”. Not surprisingly, this group does not exist on my LDAP server. In spite of this, though, it appears that the first (and only) access control rule is being used for all users.
If I simply execute the statement
curl 'localhost:9200/_cat/indices?v' (even from an external machine), it returns a valid list of indexes. If I set “indexes” to “*”, all indices will be returned. But if I set “indexes” to “logs-*”, then only the subset of indices is returned. This indicates to me that this rule is being used for authorization. Yet how is it being matched if the LDAP group doesn’t exist (and I’m not even specifying a user when executing the statement)?
What am I missing? Any help appreciated.
```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  access_control_rules:

  - name: Access control rule 1
    type: allow
    ldap_authentication: "ldap1"
    ldap_authorization:
      name: "ldap1"
      groups: ["group_does_not_exist"]
    indices: ["*"]

  ldaps:

  - name: ldap1
    host: "my_host.com"
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: true
    search_user_base_DN: "ou=Users,ou=xxxx,dc=xxxx,dc=com"
    user_id_attribute: "cn"
    search_groups_base_DN: "ou=ELK,dc=xxxx,dc=com"
    unique_member_attribute: "uniqueMember"
    connection_pool_size: 10
    connection_timeout_in_sec: 10
    request_timeout_in_sec: 10
    cache_ttl_in_sec: 60
```
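The manual curl check from the post can be turned into a repeatable probe that reports whether the `/_cat/indices?v` endpoint answers without valid credentials. This is an added example, not part of the original post or of ReadonlyREST. The stub server, the `alice`/`s3cret` account and the function names are constructed for illustration, and it assumes a denied request comes back with a non-200 status.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/_cat/indices?v"  # same endpoint the post queries with curl
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed account

def status(base_url, creds=None):
    """Return the HTTP status of GET PATH, optionally sent with Basic auth."""
    req = urllib.request.Request(base_url + PATH)
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, bad_creds=("nobody", "wrong-password")):
    """List the request kinds that were served without valid credentials."""
    findings = []
    if status(base_url) == 200:
        findings.append("anonymous request allowed")
    if status(base_url, bad_creds) == 200:
        findings.append("invalid credentials allowed")
    return findings

def stub_server(enforce_auth):
    """Constructed local stand-in for the node, so the probe runs offline."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = not enforce_auth or self.headers.get("Authorization") == GOOD
            self.send_response(200 if ok else 401)
            self.end_headers()
            self.wfile.write(b"health status index\n" if ok else b"Forbidden\n")
        def log_message(self, *args):  # keep the console quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    for enforce in (False, True):  # open node first, then an enforcing one
        srv, url = stub_server(enforce)
        print("enforce_auth=%s ->" % enforce, audit(url))
        srv.shutdown()
```

Against a real node, call `audit("http://localhost:9200")` after each configuration change; an empty list means both unauthenticated probes were refused.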