LDAP connectivity not working

Hi,
We want to connect kibana with LDAP. I have done some configuration but getting exception impossible to add block to ACL. Need guidelines to setup LDAP connectivity. Below is my configuration.

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "::ADMIN::"
      auth_key: admin:admin
      # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!

    - name: Accept requests from users in group team1 on index1
      ldap_auth:
          name: "ldap1"                                       # ldap name from below 'ldaps' section
          groups: ["g1"]                                # group within 'ou=Groups,dc=example,dc=com'
      indices: ["index1"]

    ldaps:
    
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # optional, default 389
      ssl_enabled: false                                        # optional, default true
      ssl_trust_all_certs: true                                 # optional, default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # optional, skip for anonymous bind
      bind_password: iSTEVEJOBS17/                                 # optional, skip for anonymous bind
      search_user_base_DN: "ou=ad,dc=crisil,dc=com"
      user_id_attribute: "uid"                                  # optional, default "uid"
      search_groups_base_DN: "ou=ad,dc=crisil,dc=com"
      unique_member_attribute: "uniqueMember"                   # optional, default "uniqueMember"
      connection_pool_size: 10                                  # optional, default 30
      connection_timeout_in_sec: 10                             # optional, default 1
      request_timeout_in_sec: 10                                # optional, default 1
      cache_ttl_in_sec: 60                                      # optional, default 0 - cache disabled

Thanks,
Ajit

Hi @ajit,

Please set up Elasticsearch in debug log mode, and grep for LDAP from the logs to see the single bind operations and the LDAP level errors.

Hi,
We have only one group in LDAP/active directory. Then how to give different permissions with different index access to particular user. My scenario is, I have to use LDAP connectivity for on authentication and I have only one group in LDAP. How can I create multiple groups in ROR and also in LDAP.
Scenario is simple i.e. I have to just use LDAP for authentication then How can I authorise different users with different actions and indexes. Do we have GUI for giving authorisation to LDAP users.
Please guide on this.

This is a strange request, because this is exactly what groups are for. Can’t you simply manage groups with LDAP?

Is there any way that I can use LDAP only for authentication. And I want authorisation mapping to users in kibana application. Because we cant manage LDAP groups. Please provide any solution if possible.

Can we use readonlyrest only for LDAP authentication. Authorisation should be handle at kibana level.

Yes you can. See the example below: each user needs to be specified under the “users:” section

readonlyrest:

  ssl:
    keystore_file: "keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest

  audit_collector: true

  access_control_rules:
  - name: kibanaserver
    auth_key: kibana:kibana
    verbosity: error

   # One or more blocks to specify common permissions for group1
  - name: group1
    indices: [".kibana", "[email protected]{user}-*"]
    kibana_access: rw
    groups: ["group1"]

 # all the users->group associations are specified down here. User by user. 
  users:
  - username: morgan
    groups: ["group1"]
    ldap_authentication:
      name: ldap1

  - username: cartman
    groups: ["group1"]
    ldap_authentication:
      name: ldap1


  ldaps:
  - name: ldap1
    host: localhost
    port: 32896                                                 # default 389
    ssl_enabled: false                                        # default true
    ssl_trust_all_certs: true                                 # default false
    bind_dn: "cn=admin,dc=example,dc=com"                     # skip for anonymous bind
    bind_password: "password"                                 # skip for anonymous bind
    search_user_base_DN: "ou=People,dc=example,dc=com"
    search_groups_base_DN: "ou=Groups,dc=example,dc=com"
    user_id_attribute: "uid"                                  # default "uid"
    unique_member_attribute: "uniqueMember"                   # default "uniqueMember"
    connection_pool_size: 10                                  # default 30
    connection_timeout_in_sec: 10                             # default 1
    request_timeout_in_sec: 10                                # default 1
    cache_ttl_in_sec: 60                                      # default 0 - cache disabled

Hi,

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    audit_collector: true

    access_control_rules:
    - name: kibanaserver
      auth_key: kibana:kibana
      verbosity: error

   # One or more blocks to specify common permissions for group1
    - name: group1
      indices: [".kibana", "[email protected]{user}-*"]
      kibana_access: rw
      groups: ["group1"]

 # all the users->group associations are specified down here. User by user. 
    users:
    - username: c-ajitb
      groups: ["group1"]
      ldap_authentication:
        name: ldap1

    - username: cartman
      groups: ["group1"]
      ldap_authentication:
        name: ldap1


    ldaps:
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # default 389
      ssl_enabled: false                                        # default true
      ssl_trust_all_certs: true                                 # default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # skip for anonymous bind
      bind_password: "[email protected]"                                 # skip for anonymous bind
      search_user_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      search_groups_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      user_id_attribute: "sAMAccountName"                                  # default "uid"
      unique_member_attribute: "member"                   # default "uniqueMember"
      connection_pool_size: 10                                  # default 30
      connection_timeout_in_sec: 10                             # default 1
      request_timeout_in_sec: 10                                # default 1
      cache_ttl_in_sec: 60

Above code contains my configuration. Though I am not able to login using my LDAP credentials.
Please provide configuration only for authentication.

Hi we are almost done with configuration. Just LDAP configuration is not working. I have experience with x-pack. That was working fine for me.
I don’t want groups. Just enter username and password and authenticate user with LDAP. And from ReadonlyRest tab I will configure authorisation for that users. We don’t have groups on LDAP. So I don’t want to add group blocks in configuration. Need only LDAP configuration for authentication of users.

Hi @ajit,
I think for this non-standard configuration to work I just tested that you need some fixes that are not in your current ES plugin build. Please try again using this build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.20_pre18/readonlyrest-1.16.20_pre18_es6.2.4.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180601/eu-west-1/s3/aws4_request&X-Amz-Date=20180601T133404Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d0d95bd0698fb0f2fa166a2e5e196d7c6d0eaf44cbf97ac4c61c7fc637ddf7dc

Hi, I will use this build but give me configuration for LDAP. As I have told you earlier that we have only one group in LDAP. So please edit my configuration and provide me final working configuration for LDAP. After that I should be able to login in kibana with all LDAP users. From kibana user I will set authorisation for LDAP users.

@ajit my example was about two users “cartman” and “morgan” that belong to a single group “group1” LDAP. Just replace “group1” with whatever your single group is called and create an entry under “user” for each LDAP user you have.

Hi,
I have tried all combinations for group name. Though I am not able to login with LDAP user.
Getting exception “:warning:️ Could not login: Forbidden (403)” .
Also while starting elasticsearch and kibana I am not getting any LDAP related configuration on the console.

Below is my configuration snippet.

readonlyrest:
    enable: true # optional, defaults=true if at least 1 "access_control_rules" block
    prompt_for_basic_auth: false
    
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    audit_collector: true

    access_control_rules:
    - name: kibanaserver
      auth_key: kibana:kibana
      verbosity: error

   # One or more blocks to specify common permissions for group1
    - name: group1
      indices: [".kibana", "[email protected]{user}-*"]
      kibana_access: rw
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]

 # all the users->group associations are specified down here. User by user. 
    users:
    - username: c-ajitb
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]
      ldap_authentication:
        name: ldap1

    - username: c-akhilesht
      groups: ["OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"]
      ldap_authentication:
        name: ldap1


    ldaps:
    - name: ldap1
      host: "ad.crisil.com"
      port: 389                                                 # default 389
      ssl_enabled: false                                        # default true
      ssl_trust_all_certs: true                                 # default false
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"                     # skip for anonymous bind
      bind_password: "[email protected]"                                 # skip for anonymous bind
      search_user_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      search_groups_base_DN: "OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      #user_id_attribute: "uid"                                  # default "uid"
      #unique_member_attribute: "uniqueMember"                   # default "uniqueMember"
      #connection_pool_size: 10                                  # default 30
      #connection_timeout_in_sec: 10                             # default 1
      #request_timeout_in_sec: 10                                # default 1
      #cache_ttl_in_sec: 60

Note: I have installed new build that you have given.

Why did you do this? What does it mean? You just have to put the group name between double quotes.

@ajit please keep in mind that if you want me to do this on your machine, Beshu Limited (our company) can provide professional services, and bill you accordingly.

Hi, Now I am able to login with LDAP users. But not able to see any screen after login. Getting alert no identity metadata found. I want index1 should be accessible to only one group (Technology). Please provide authorisation solution for group. Below is my configuration.

readonlyrest:
prompt_for_basic_auth: false

ssl:
  enable: true
  keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
  keystore_pass: readonlyrest
  key_pass: readonlyrest
  key_alias: elk01    #This is needed only when the keystore has multiple entries

audit_collector: true
access_control_rules:

users:
- username: c-ShubhamG
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1
  indices: [".kibana","index1"]

ldaps:
- name: ldap1
  host: "ldap://ad.crisil.com:389"
  port: 389
  ssl_enabled: false                          
  ssl_trust_all_certs: true
  bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
  bind_password: "[email protected]"
  search_user_base_DN: "dc=ad,dc=crisil,dc=com"
  search_groups_base_DN: "dc=ad,dc=crisil,dc=com"

Is there any missing in configuration. Now able to login but getting metadata not found exception. And there is nothing like reordering in ACL blocks. Because I have only one block in configuration. Please provide solution on the authorisation. In the configuration I have changed host. And now groups, host, port everything is proper from LDAP side. Please let me know anything missing.

that YAML does not make sense because there is no ACL block.

A correct example would be the following. Notice how the entries under “users” do not contain anything but “groups” and authentication related rules.

And all the constraints like “indices”, “kibana_access” etc, should go under an ACL block, under “access_control_rules”

access_control_rules:

# START OF ACL BLOCKS
- name: "BLOCK1: Kibana server"
  auth_key: "kibana:kibana"

- name: "BLOCK2: Allow Technology group"
  groups: ["Technology"]
  indices: [".kibana", "index1"]

# END OF ACL BLOCKS

users:

# BEGIN OF USERS 

- username: c-ShubhamG
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1

# END OF USERS

ldaps:
....

Hi,
In this case I am getting exception caused by LDAPException An error occurred while attempting to resolve address ‘ldap://ad.crisil.com:389’: UnknownHostException(message='ldap://ad.crisil.com:389: Name or service

But in my configuration I am able to login with LDAP users means host : ‘ldap://ad.crisil.com:389’ is proper and working fine.
In your case its giving exception. Please suggest on this.

how do you know that it’s actually going to LDAP and being successful in the first case?