Hi, I have the following problem. During LDAP authorization of a user who has
CN=full user name (username-srv)
an error occurs (https://pastebin.com/raw/t5rNYHYG), after which authorization is successful (even if the user is not a member of the group).
My config:
```yaml
http.type: ssl_netty4
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden request
  ssl:
    enable: true
    keystore_file: "/usr/share/elasticsearch/plugins/readonlyrest/keystore.jks"
    keystore_pass: readonlyrest
    key_pass: Zx123456
  access_control_rules:
    - name: LDAP Auth
      type: allow
      ldap_auth:
        name: "ldap1"
        groups: ["group1"]
      indices: [".kibana", "winlogbeat-*", "exchange-*"]
    - name: kibana-server
      type: allow
      auth_key: kibana:kibana
      verbosity: error
      indices: [".kibana"]
    - name: logstash-server
      type: allow
      auth_key: logstash:logstash
      actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["exchange-*"]
    - name: winlogbeat-elastic
      type: allow
      auth_key: elastic:changeme
      actions: ["cluster:monitor/main","cluster:monitor/health","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["winlogbeat-*"]
  ldaps:
    - name: ldap1
      host: "dc.mydomain"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: true
      bind_dn: "cn=elastic,ou=service accounts,dc=mydomain"
      bind_password: "yN3Gb9bWGO58uD3P1i"
      search_user_base_DN: "dc=mydomain"
      user_id_attribute: "SamAccountName"
      search_groups_base_DN: "ou=Groups,ou=ACL-Groups,dc=mydomain"
      unique_member_attribute: "member"
      connection_pool_size: 10 # optional, default 30
      connection_timeout_in_sec: 10 # optional, default 1
      request_timeout_in_sec: 10 # optional, default 1
```
Do you need any additional information?
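Added illustration, not ReadonlyREST's own code: it assumes (the pastebin text is not on this page, so this is an assumption) that the group lookup places the user's DN into a `(member=<dn>)` filter and that the unescaped parentheses in the CN are what the LDAP server rejects. It shows RFC 4515 escaping of the DN before it goes into the filter, plus a minimal syntax check that flags the unescaped form.

```python
# Added example, not ReadonlyREST code. Assumption: the group search places the
# user's DN into "(member=<dn>)" and the CN's parentheses break that filter.
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value: backslash, '*', '(', ')',
    NUL and every non-ASCII byte become \\XX (UTF-8 byte as two hex digits)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte > 0x7F or chr(byte) in "\\*()\x00":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def member_filter(user_dn: str, unique_member_attribute: str = "member") -> str:
    """Group-membership filter as implied by unique_member_attribute: "member"."""
    return "(%s=%s)" % (unique_member_attribute, escape_filter_value(user_dn))

def filter_is_well_formed(f: str) -> bool:
    """Minimal RFC 4515 syntax check: nesting only via &, | and !; an assertion
    value may not contain an unescaped '(' and every backslash must be \\XX."""
    def parse(i: int) -> int:           # returns index after the item, or -1
        if i >= len(f) or f[i] != "(":
            return -1
        i += 1
        if i < len(f) and f[i] in "&|!":
            i += 1
            while i < len(f) and f[i] == "(":
                i = parse(i)
                if i < 0:
                    return -1
        else:
            eq = f.find("=", i)
            if eq < 0:
                return -1
            i = eq + 1
            while i < len(f) and f[i] != ")":
                if f[i] == "\\":
                    if not re.fullmatch(r"[0-9A-Fa-f]{2}", f[i + 1:i + 3]):
                        return -1
                    i += 3
                elif f[i] == "(":
                    return -1
                else:
                    i += 1
        if i >= len(f) or f[i] != ")":
            return -1
        return i + 1
    return parse(0) == len(f)
```

A client whose group search errors out should treat the user as not a member; granting access after a failed membership lookup is the fail-open behaviour described in the question.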