Problem using ldaps


(Talia) #1

hello
I have installed elasticsearch + kibana 5.4.3
with readonlyrest readonlyrest-1.16.6_es5.4.3

in elasticsearch.yml configured:

readonlyrest:

prompt_for_basic_auth: true

access_control_rules:

  - name: "::KIBANA-SRV::"
    type: allow
    auth_key: kibana_user:kibana_password
    indices: [".kibana"]


  - name: "Accept requests from users in group group1 on all indexes"
    ldap_auth:
      name: "ldap"
      groups: ["group1"]
    indices: ["*"]
    type: allow

ldaps:

  - name: ldap
    host: ldaps_ip
    port: 636
    bind_dn: "cn=cn_name,ou=ou_Users,dc=mydomain,dc=co,dc=il"
    bind_password: "password"
    search_user_base_DN: "DC=mydomain,DC=co,DC=il"
    search_groups_base_DN: "DC=mydomain,DC=co,DC=il"
    ssl_enabled: true
    ssl_trust_all_certs: true
    user_id_attribute: "uid"
    unique_member_attribute: "uid"

In the log I see:
[INFO ][o.e.p.r.e.IndexLevelActionFilter] [] forbidden request: { ID:, TYP:GetRequest, USR:, BRS:false, ACT:indices:data/read/get, OA:, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.4.3, CNT:<OMITTED, LENGTH=0>, HDR:authorization,Connection,Content-Length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [Accept requests from users in group DBA on all indexes->[ldap_authorization->false]] } Reason: null (null)

In the _access.log:
[INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ^[[31m no block has matched, forbidding by default: { ID:, TYP:GetRequest, USR:, BRS:false, ACT:indices:data/read/get, OA:, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.4.3, CNT:<OMITTED, LENGTH=0>, HDR:authorization,Connection,Content-Length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [Accept requests from users in group on all indexes->[ldap_authorization->false]] }^[[0m

The kibana server dont have access to the domain so I can’t configure the hostname only the IP of the host, maybe this is the problem?


(Simone Scarduzio) #2

The LDAP authorization is not going well. To see what’s wrong, set rootLogger.level = debug in config/log4j2.properties.


(Talia) #3

I dont understand how, didnt do anything,but now it works

Talia


(Simone Scarduzio) #4

Can’t decide if this is this good or bad :laughing:


(Talia) #5

:grinning:

If I have logstash installed? Do I need to configure something in the elasticsearch.yml ?


(Simone Scarduzio) #6

You might want to give to logstash its own set of credentials and permissions as seen in here