LDAP authentication


#1

Trying to get LDAP authentication working for Kibana but not having much luck. Wondering if anyone can verify my config.

It's an MS Active Directory; can search it via ldapsearch OK.

Have the following in my readonlyrest config:

- name: "::CUSTOMER::"
  kibana_access: ro
  indices: [ ".kibana", "kibana_sample_data_flights"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management", "monitoring", "apm", "kibana:discover", "kibana:visualize"]
  ldap_auth:
    name: "ldap1"
    groups: ["customer"]
  verbosity: error

ldaps:
- name: ldap1
  host: "172.31.1.1"
  port: 389
  ssl_enabled: false
  ssl_trust_all_certs: true
  search_user_base_DN: "CN=Users,OU=customerldap,DC=customerldap,DC=mycompany,DC=com"
  search_groups_base_DN: "OU=Groups,OU=customerldap,DC=customerldap,DC=mycompany,DC=com"
  user_bind_attribute: "samaccountname"

Have a user in AD called "bob" who is part of the customer group. Try to log in and get a 401 with the following in the Elasticsearch log.

[2018-10-04T19:42:59,863][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1000713719-1707563075#4345582, TYP:RRAdminRequest, CGR:N/A, USR:bob(?), BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=<OMITTED>, Connection=close, content-length=0, Host=localhost:9200}, HIS:[::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::PLATFORM-TEAM::->[groups->false]], [::SOC-TEAM::->[groups->false]], [::CUSTOMER::->[ldap_authentication->false]] }


#2

Looks like I managed to solve my own issue.

ldaps:
- name: ldap1
  host: "172.31.1.1"
  port: 389
  ssl_enabled: false
  ssl_trust_all_certs: true
  bind_dn: "[email protected]"    # skip for anonymous bind
  bind_password: "mypassword"    # skip for anonymous bind
  search_user_base_DN: "DC=customerldap,DC=mycompany,DC=com"
  search_groups_base_DN: "OU=Groups,OU=customerldap,DC=customerldap,DC=mycompany,DC=com"
  user_id_attribute: "sAMAccountName"
  unique_member_attribute: "member"

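As an added illustration (not the poster's code and not the plugin's own implementation), the Python below mirrors the two lookups the working config above drives: find the user by `user_id_attribute` under `search_user_base_DN`, then collect the groups under `search_groups_base_DN` whose `unique_member_attribute` lists the user's DN, and compare them with the block's `groups` list. The directory snapshot and DNs are constructed; the filter strings it builds are the same ones you would hand to ldapsearch to check each step by hand.

```python
"""Replay the user-then-groups LDAP lookup offline against a constructed AD snapshot."""
from typing import Dict, List, Optional

# Connector settings copied from the working config in post #2.
CFG = {
    "search_user_base_DN": "DC=customerldap,DC=mycompany,DC=com",
    "search_groups_base_DN": "OU=Groups,OU=customerldap,DC=customerldap,DC=mycompany,DC=com",
    "user_id_attribute": "sAMAccountName",
    "unique_member_attribute": "member",
}

# Constructed snapshot (hypothetical entries, not real directory data).
BOB_DN = "CN=bob,CN=Users,DC=customerldap,DC=mycompany,DC=com"
DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": [BOB_DN], "sAMAccountName": ["bob"]},
    {"dn": ["CN=customer,OU=Groups,OU=customerldap,DC=customerldap,DC=mycompany,DC=com"],
     "cn": ["customer"], "member": [BOB_DN]},
    {"dn": ["CN=soc,OU=Groups,OU=customerldap,DC=customerldap,DC=mycompany,DC=com"],
     "cn": ["soc"], "member": []},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(cfg: dict, login: str) -> str:
    """Filter the connector issues under search_user_base_DN, e.g. (sAMAccountName=bob)."""
    return f"({cfg['user_id_attribute']}={escape_filter_value(login)})"

def group_filter(cfg: dict, user_dn: str) -> str:
    """Filter issued under search_groups_base_DN, e.g. (member=CN=bob,...)."""
    return f"({cfg['unique_member_attribute']}={escape_filter_value(user_dn)})"

def _in_subtree(dn: str, base: str) -> bool:
    """DN equality and suffix matching are case-insensitive, as in AD."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def find_user_dn(directory: list, cfg: dict, login: str) -> Optional[str]:
    """Step 1: locate the user entry; None reproduces an 'ldap_authentication->false' outcome."""
    attr = cfg["user_id_attribute"]
    for e in directory:
        if _in_subtree(e["dn"][0], cfg["search_user_base_DN"]) and \
           any(v.lower() == login.lower() for v in e.get(attr, [])):
            return e["dn"][0]
    return None

def groups_of(directory: list, cfg: dict, user_dn: str) -> List[str]:
    """Step 2: group entries whose member attribute contains the user's DN."""
    attr = cfg["unique_member_attribute"]
    return sorted(e["cn"][0] for e in directory
                  if _in_subtree(e["dn"][0], cfg["search_groups_base_DN"])
                  and user_dn.lower() in (m.lower() for m in e.get(attr, [])))

def ldap_authorize(directory: list, cfg: dict, login: str, allowed: List[str]) -> bool:
    """The block's ldap_auth decision: user found and in at least one listed group."""
    dn = find_user_dn(directory, cfg, login)
    return dn is not None and bool(set(groups_of(directory, cfg, dn)) & set(allowed))
```

With the bind step added in post #2, these two searches run under the service account rather than anonymously, which is what an AD that refuses anonymous search needs.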
(Simone Scarduzio) #3

Have you tried observing the trace of the LDAP connector? To see it, set the ES root logger to debug and restart.


(Simone Scarduzio) #4

Well done @atownsend! 🙂