LDAP rights changes work on one of two boxes


(Kelly Sonderegger) #1

We currently have a three-node ELK cluster and two Kibana instances. We have set up ReadonlyREST to use LDAP. Whenever we make permissions changes under our LDAP users within the Kibana ReadonlyREST tab, the changes make it so that we are only able to have LDAP users log in to one of the two Kibana instances.

Our non-LDAP users such as admin can still log in on both Kibana instances. It seems fairly random which instance we can log in to as LDAP users. It does not seem to be tied to which instance we update ReadonlyREST on.

This is for ReadonlyREST that matches Kibana version 6.5.1

Thanks


(Simone Scarduzio) #2

Hi Kelly,

ReadonlyREST versions are not bound to Kibana/ES versions. We separated ES API dependent code from our business logic, so we evolve our core at our own pace. So it’s important to communicate to our support the full version of the plugins in use and the Elasticsearch & Kibana version too.

About the LDAP + settings refresh issue.

  1. It takes up to 10 seconds between the save button being pressed in our tab and all ES nodes reloading the settings.

  2. LDAP comes with a cache. This cache has a TTL (time to live) setting.

  3. ES logs should show log lines such as “FORBIDDEN <…>” when logins fail. Can we see that?

  4. You could get a lot more info from the LDAP connector when you set ES in debug mode.

See the troubleshooting section of the docs for more info on this topic.