LDAP/AD authentication

Need help setting up authentication for Kibana.

**Elasticsearch version:** 6.8.6

**Server OS version:** RHEL 7

**Kibana version (if relevant):** 6.8.6

**Describe the issue:** Need to set up LDAP/AD/SAML for Kibana authentication. We have TLS and JWT authentication set up already for Elasticsearch. Kibana authentication is basic with self-signed certs. Please let me know any suggestions or documentation.

@geetha Search Guard 25.5 (ES 6.8.6) is EOL; I would recommend upgrading to a newer version.

The documentation for LDAP and SAML

Hope this helps

Thank you for the reply. I did set up LDAP/AD according to the documentation you provided, but Kibana is still authenticating with self-signed certs. Is there any other change I should make in the kibana.yml file? Can you please share any other information on where I need to change other config files? I am looking for only Kibana authentication with LDAP/AD, not Elasticsearch.

Thanks,
Geetha

Hi @geetha
I’m not fully following your question.

Can you please elaborate on the current behaviour and the expected behaviour?

Also, could you please retrieve the current security config from the security index using the command below and provide it (redact any sensitive details):

./sgadmin.sh -icl -key .../config/kirk-key.pem -cert .../config/kirk.pem -cacert .../config/root-ca.pem -nhnv -r

Also, the kibana.yml config, please.

I have taken out all the sensitive information. Kibana authentication is working completely fine with self-signed certs. After enabling LDAP it is still signing in with certs, not with the LDAP integration. I am getting the error "Authentication finally failed" when I test it with `sudo curl -Ss -k "https://host:9200/_cluster/health"`.

kibana.yml:

```yaml
server.port: 5601
server.host: "hostcom"
server.name: "host.com"

elasticsearch.url: "https://eshost.com:9200"

elasticsearch.preserveHost: true

kibana.index: ".kibana"

searchguard.basicauth.enabled: false
searchguard.cookie.name: searchguard_authentication
searchguard.cookie.secure: true

elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "x-forwarded-for", "x-forwarded-by"]
elasticsearch.username: user
elasticsearch.password: pw

elasticsearch.ssl.alwaysPresentCertificate: true
searchguard.allow_client_certificates: true

server.ssl.enabled: true
server.ssl.certificate: keystore.pem
server.ssl.key: key.pem

elasticsearch.ssl.certificateAuthorities: "cert.pem"

elasticsearch.ssl.verificationMode: none

elasticsearch.ssl.certificate: cert.pem

elasticsearch.ssl.key: key.pem

logging.dest: /var/log/kibana/kibana.log

logging.verbose: true
```


sg_config.yml:

```yaml
searchguard:
  dynamic:
    kibana:
      do_not_fail_on_forbidden: true
    license: "LS"
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "."
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
    authc:
      jwt_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "MI"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: "scope"
            subject_key: "user_name"
        authentication_backend:
          type: "noop"
      jwt_auth_domain_app:
        enabled: true
        order: 1
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "MI"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: "scope"
            subject_key: "client_id"
        authentication_backend:
          type: "noop"
      ldap:
        http_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.com:636
            bind_dn: CN=cn,OU=Users,OU=Fun,OU=myou,DC=mygroup,DC=com
            password: pw
            userbase: OU=myou,DC=mygroup,DC=com
            usersearch: '(member={0})'
            username_attribute: memberof
            rolebase: DC=mygroup,DC=com
            rolesearch: '(&(objectClass=groupOfNames)(cn={0}))'
            userroleattribute: null
            userrolename: memberof
            rolename: group
            resolve_nested_roles: true
    authz:
      ldap:
        enabled: true
        # key must be spelled authorization_backend for Search Guard to read it
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.com:636
            bind_dn: CN=cn,OU=Users,OU=Fun,OU=myou,DC=mygroup,DC=com
            password: pw
            userbase: ["OU=myou,DC=mygroup,DC=com"]
            usersearch: '(memberof={0})'
            username_attribute: memberof
            rolebase: OU=myou,DC=mygroup,DC=com
            rolesearch: '(&(objectClass=groupOfNames)(cn={0}*))'
            userroleattribute: null
            userrolename: memberof
            rolename: groupof
            resolve_nested_roles: true
```

@geetha

Can you remove the line below from kibana.yml?

searchguard.basicauth.enabled: false

I see in kibana.yml you are using both basic auth and a cert:

elasticsearch.username: user
elasticsearch.password: pw

and

elasticsearch.ssl.certificate: cert.pem
elasticsearch.ssl.key: key.pem

You should choose one method. Also, in sg_config.yml the cert_auth is not enabled, therefore I'm not sure how your Kibana is authenticating via certs.

I think there is some confusion around how LDAP calls work.

Kibana can authenticate with basic auth (LDAP) or a cert, although basic auth is highly recommended, as it might be challenging to extract the user from LDAP, since the certificate provided by Kibana has its own user assigned.

Therefore the sg_config.yml file should have just basic_auth and ldap enabled (I noticed you also have 2 domains enabled for JWT; are these actually needed?).

If the above is configured, the flow will be as follows:

Kibana authenticates with Elasticsearch using LDAP (username/password).

The user accesses Kibana and enters a username and password, which are then queried against LDAP; if successful, the roles are retrieved via a second call (authz) and the user is able to navigate in Kibana.

It is important to note that LDAP authentication is on the Elasticsearch side; Kibana is just a front end for users to enter their details.

Is this the workflow that you are looking for?
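A small lint for the contradictions pointed out above (basic auth and a client cert both configured for the Kibana-to-Elasticsearch connection, `searchguard.basicauth.enabled` switched off, TLS verification set to none). This is an added example, not code from the thread or from Search Guard; the sample kibana.yml lines are constructed to mirror the one posted, and it assumes the Search Guard Kibana plugin enables basic auth by default.

```python
# Constructed excerpt mirroring the kibana.yml posted in the thread (not the poster's file).
SAMPLE_KIBANA_YML = """
searchguard.basicauth.enabled: false
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "x-forwarded-for"]
elasticsearch.username: user
elasticsearch.password: pw
elasticsearch.ssl.certificate: cert.pem
elasticsearch.ssl.key: key.pem
elasticsearch.ssl.verificationMode: none
"""

# The same excerpt after following the advice: one auth method, basic auth on, TLS verified.
FIXED_KIBANA_YML = """
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
elasticsearch.username: kibanaserver
elasticsearch.password: pw
elasticsearch.ssl.certificateAuthorities: root-ca.pem
elasticsearch.ssl.verificationMode: full
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines kibana.yml uses; [a, b] values become lists."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("["):
            cfg[key] = [v.strip().strip("\"'") for v in value.strip("[]").split(",") if v.strip()]
        else:
            cfg[key] = value.strip("\"'")
    return cfg

def lint_kibana_auth(cfg):
    """Return finding tags describing how Kibana will authenticate to Elasticsearch."""
    findings = []
    has_basic = all(k in cfg for k in ("elasticsearch.username", "elasticsearch.password"))
    has_cert = all(k in cfg for k in ("elasticsearch.ssl.certificate", "elasticsearch.ssl.key"))
    if has_basic and has_cert:
        findings.append("both-basic-and-client-cert")  # choose one method, as the reply says
    if cfg.get("searchguard.basicauth.enabled", "true").lower() == "false":  # assumed default: true
        findings.append("basicauth-disabled")  # the LDAP login form needs basic auth on
    if cfg.get("elasticsearch.ssl.verificationMode", "full").lower() == "none":
        findings.append("tls-verification-off")  # Elasticsearch's certificate is never checked
    headers = [h.lower() for h in cfg.get("elasticsearch.requestHeadersWhitelist", [])]
    if "authorization" not in headers:
        findings.append("authorization-header-not-forwarded")  # user creds would never reach ES
    return findings
```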

It's a little complicated environment where we need both basic auth and certs to be enabled, for a reason. Yes, JWT is used for something else. The only thing I am looking for is that Kibana should authenticate with LDAP; JWT is for other apps. I tried `curl -Ss -k https://hostname:9200/_cluster/health` and I am getting authentication failed or unauthorized when I adjust the LDAP configuration.
Thanks for your response.

Thanks,
geetha

Hello SirHusky,

Thank you for your reply and for giving us the suggestions. We are using certs to talk to the Elasticsearch host from the Kibana host, and the username is used to authenticate Kibana as basic auth. We tried without certs, using basic auth only, and it didn't work. That's the reason we are using both "basic auth" and "certs". I am trying to get the LDAP integration working as a first step, testing with `curl -Ss -k "hostname:9200/_cluster/health"`, which is failing with an authentication error and sometimes an "unauthorized" error message. Are there any other configuration changes to be made in the sg_config.yml file? Once I get the first step set up, I will go back to Kibana and adjust the Kibana configuration file to get LDAP authentication. Please let me know if you have any other questions.

Thanks,

Geetha

Hi Geetha,
Basic auth is disabled according to your sg_config.yml, therefore Kibana would not be able to authenticate via basic auth, unless by basic auth you mean LDAP.
The username and password that you are supplying under elasticsearch.username and elasticsearch.password: is that user present in LDAP? Or do you want to use the built-in user database that comes with the Search Guard plugin, in which case you will need to enable basic_auth in sg_config.yml? The default Kibana username and password is kibanaserver/kibanaserver. If you changed the username, you will need to map it to the SGS_KIBANA_SERVER role via the sg_roles_mapping.yml file and upload the config via the sgadmin.sh script.

The curl command you are using doesn't provide any user credentials, therefore there is no reason why it would be authorised. You would need to supply -u {username}:{password} (of a user present in LDAP, since basic auth is disabled).

I think the best way forward is to remove LDAP entirely for the time being and get Kibana to connect using basic auth (without using a certificate). Once that is working as expected, it should be straightforward to add the LDAP integration.

I can guide you through this process if you want to proceed.

Sure, thank you so much for your input. Sorry, my bad: I was passing my id and password along with the curl command. Yes, we are using a custom Kibana user and I did map it in sg_roles_mapping.yml. I would like to work with you to solve this issue. Are you working with SAS support? Is it possible for us to schedule a call and work on it?

Thanks,
Geetha

Is there any way we can use certs for the communication between the Kibana and Elasticsearch hosts while Kibana authentication is done with AD?