Ldap groups_and dont work

driveirk · April 8, 2022, 1:55pm

I need to let users in only if they are in two groups.
I try:

- name: "Access doc"
      ldap_authentication:
        name: "ldap"
        groups_and: ["group1", "group2"]
      ldap_authorization: 
        name: "ldap"
        groups: ["group1"]
      kibana_access: unrestricted

- name: "Access doc"
      ldap_authentication:
        name: "ldap"
        groups_and: ["group1", "group2"]
      kibana_access: unrestricted

- name: "Access doc"
      ldap_authorization: 
        name: "ldap"
        groups_and: ["group1", "group2"]
      kibana_access: unrestricted

But I didn’t succeed. I am allowed even if I am in one of the listed groups.

Also I try

- name: "Access doc"
      groups_and: ["group1", "group2"]
      ldap_authorization: 
        name: "ldap"
      kibana_access: unrestricted

But this requires creating local groups

Ror version Enterprise-1.39.0_es7.15.1

sscarduzio · April 8, 2022, 8:55pm

Hi @driveirk,

A valid syntax for LDAP authorization and authorization from a LDAP connector called “ldap” (defined elsewhere in the YAML) is be the following:

  - name : "Access only if user belongs to group1 AND group2"
    kibana_access: unrestricted
    indices: [".kibana", "example_index"]
    ldap_auth:
      name: "ldap"
      groups_and: ["group1", "group2"]

driveirk · April 11, 2022, 8:27am

Does not work.
If I specify “groups” the config is saved.
If I specify “groups_and” I get an error:

Cannot reload new settings: Errors: Malformed settings: ldap_auth: name: "ldap" groups_and: - "group1" - "group2"

driveirk · April 11, 2022, 2:14pm

“groups_and” isn’t even in tooltips

driveirk · April 11, 2022, 5:21pm

I noticed that “groups” when specifying 2 groups works like “groups_and”.
Looks like I found another bug that we will use until the next ROR update =)

sscarduzio · April 11, 2022, 9:09pm

@driveirk I will send you a build tomorrow, it was a very silly thing

sscarduzio · April 12, 2022, 5:08pm

Ok try this build for es 7.16.3

driveirk · April 13, 2022, 6:55am

We have kibana and Elasticsearch version 7.15.1, Enterprise plugin.
See first post.
And unfortunately I can’t update just ror in Kibana.
Therefore, I will wait for the official update to be released on your site.

sscarduzio · April 13, 2022, 7:04am

Hi @driveirk, here is the correct version pre build. Of course if you prefer to wait the official one, feel free to do so.