LDAP connectivity not working

Hi Simone Scarduzio,

If we use our own configuration, we are able to log in with any username and password.
This is my configuration file:

readonlyrest:
    prompt_for_basic_auth: false

    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    audit_collector: true
    access_control_rules:

    users:
    - username: c-ShubhamG
      groups: ["Technology"]
      ldap_authentication:
        name: ldap1
      indices: [".kibana","index1"]

    ldaps:
    - name: ldap1
      host: "ldap://ad.crisil.com:389"
      ssl_enabled: false
      ssl_trust_all_certs: true
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      bind_password: "May@2018"
      search_user_base_DN: "dc=ad,dc=crisil,dc=com"

But when we use the configuration given by you, it throws an exception: ('ldap://ad.crisil.com:389': UnknownHostException(message='ldap://ad.crisil.com:389:). Even though this host works fine in my X-Pack configuration.

The configuration file suggested by you is:

- name: "BLOCK1: Kibana server"
  auth_key: "kibana:kibana"

- name: "BLOCK2: Allow Technology group"
  groups: ["Technology"]
  indices: [".kibana", "index1"]

# END OF ACL BLOCKS

users:

# BEGIN OF USERS 

- username: c-ShubhamG
  groups: ["Technology"]
  ldap_authentication:
    name: ldap1

# END OF USERS

ldaps:

Dear Simone Scarduzio,

We are thinking about purchasing this product, and the Pro trial is going to expire,
so kindly help us with this LDAP configuration ASAP.

Thanks

Akhilesh Tiwari

Hi @sscarduzio,
As I told you, I have configured readonlyrest.yml, but I am getting the exception "Could not login: Unauthorized (401)"
while logging into Kibana. Authorization fails for the user I mentioned in the configuration. Please check once and reply as soon as possible. Below is my configuration.

readonlyrest:
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
      key_alias: elk01    #This is needed only when the keystore has multiple entries

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "::ADMIN::"
      auth_key: admin:admin


    - name: "Technology"
      groups: ["Technology"]
      kibana_access: rw
      indices: [".kibana", "index1"]


    users:

    - username: c-ShubhamG
      groups: ["Technology"]
      ldap_authentication:
        name: ldap1


    ldaps:
    - name: ldap1
      host: "ad.crisil.com"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: true
      bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
      bind_password: "May@2018"
      search_user_base_DN: "ou=Technology,dc=crisil,dc=com"
      search_groups_base_DN: "ou=Technology,dc=crisil,dc=com"

You need to use ldap_authorization when defining the group:

access_control_rules:

- name: "Technology"
  groups: ["group1"]
  kibana_access: rw
  ldap_authorization: 
    name: ldap1
    groups: ["Technology"]
  indices: [".kibana", "index1"]

users:

- username: c-ShubhamG
  groups: ["group1"]
  ldap_authentication: ldap1

...

This assumes that your (one) LDAP group, the one the users are located in, is called "Technology".
The groups you assign under users are what actually link to the ACL block that is supposed to be applied to that user.
The username should be the same as the one you are trying to log in with.
As far as I can tell, ldap_authentication only checks whether that user exists on LDAP, but doesn't actually authorize that user -> probably why you get the authorization error message.
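A complete readonlyrest.yml assembled from the pieces in this thread, as an added example; it is not one of the posted configurations and not ReadonlyREST's own documentation. It applies the ldap_authorization shape from the reply above to the second posted config, and it keeps the host/port split from that config, because the ldap://ad.crisil.com:389 value in the first post is passed to the resolver as a hostname and is exactly what produces the UnknownHostException. Assumptions, also marked in comments: ldap_authentication is placed directly in the ACL block next to ldap_authorization (the thread only shows it under users:, so the users: indirection via an internal group name is not needed here); both search base DNs are kept under DC=ad,DC=crisil,DC=com to match bind_dn (the second post's ou=Technology,dc=crisil,dc=com drops the dc=ad component that bind_dn uses, so a user search there would find nothing); user_id_attribute is set to sAMAccountName because that is the login-name attribute on Active Directory and ReadonlyREST's default is uid, which AD accounts do not carry (the thread does not say which attribute is in use); the bind password is a placeholder; and the server account's index list is left as in the second post.

```yaml
readonlyrest:
  prompt_for_basic_auth: false
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  ssl:
    enable: true
    keystore_file: "/opt/ElasticSearchKibana/elasticsearch-6.2.4/config/keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest
    key_alias: elk01    # only needed when the keystore has multiple entries

  access_control_rules:

  # Service accounts first: these blocks match on a static credential only.
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana

  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/template/*", "indices:admin/create"]
    indices: ["logstash-*"]

  # Browser users: first bind to LDAP with the supplied credentials
  # (ldap_authentication), then require membership of the LDAP group
  # "Technology" (ldap_authorization) before granting rw Kibana access.
  # Assumption: both rules sit in the ACL block, so no users: section is needed.
  - name: "Technology"
    ldap_authentication: ldap1
    ldap_authorization:
      name: ldap1
      groups: ["Technology"]
    kibana_access: rw
    indices: [".kibana", "index1"]

  ldaps:
  - name: ldap1
    host: "ad.crisil.com"        # bare hostname; "ldap://ad.crisil.com:389" here raises UnknownHostException
    port: 389
    ssl_enabled: false           # plaintext LDAP: every bind password crosses the wire unencrypted.
                                 # Prefer port 636 with ssl_enabled: true once the CA is in the truststore.
    ssl_trust_all_certs: false   # only consulted when ssl_enabled is true; never leave this true in production
    bind_dn: "CN=c-ShubhamG,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai Crisil House,DC=ad,DC=crisil,DC=com"
    bind_password: "CHANGE_ME"   # placeholder, not the value from the thread
    # Assumption: search bases kept under the same naming context as bind_dn.
    search_user_base_DN: "DC=ad,DC=crisil,DC=com"
    search_groups_base_DN: "DC=ad,DC=crisil,DC=com"
    user_id_attribute: "sAMAccountName"   # assumption: AD login name; ReadonlyREST's default is uid
    unique_member_attribute: "member"     # assumption: AD stores group membership in "member"
```

Two checks worth running before restarting Elasticsearch: confirm with ldapsearch, bound as bind_dn, that a query for (sAMAccountName=c-ShubhamG) under DC=ad,DC=crisil,DC=com returns exactly one entry, and that the "Technology" group object has that user's DN in its member attribute. If either search is empty, ReadonlyREST will answer 401 regardless of how the ACL block is written, because the authorization step matches group names by looking the user up in the directory rather than by reading the groups list in the ACL.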