Ldap authentication,internal authorization

moka · November 18, 2020, 1:30pm

Hello ,

I configured ldap authentication in searchguard config (sg_config.yml) by setting authc(authetication), authz(authorizaton ) to ldap .
I noticed a major deteriration in performance and sometimes elasticsearch breaks .
What I’m trying to configure is to have authentication from ldap and authorization from internal which is possible as I understood in the documentation
My question : as kibana is used by more than 150 persons , is it possible to set up a configuration where authc is ldap and authrization is readonly for every new and old user without specifying any name in the internal database ?
this is a snapshot of sg_config.yml ( btw Im using sg5)

     type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: false
        hosts:
          - xxxxx
        bind_dn: 'xxx'
        password: 'xxx'
        userbase: 'xxx'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: sAMAccountName
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      type: intern  ???

jkressin · November 18, 2020, 1:41pm

Using the internal user DB for authorizations was added in SG6-23.0 and thus is not available for Search Guard 5: https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-23_0

What use case are you trying to implement exactly? If I understood your question correctly, you want to assign backend roles from the internal DB to all users, new and old, and independent from their LDAP groups, right?

If this is the case, can’t you simply define a role mapping that applies to all users (you can use wildcards in role mapping entries) and thus assigns one or more Search Guard roles to all users?

moka · November 18, 2020, 1:57pm

Thank you for your reply .

As I read in the SG5 documentation :
In most cases, you want to configure both authentication and authorization, however, it is also possible to use authentication only and map the users retrieved from LDAP directly to Search Guard roles. This can be done in the sg_roles_mappig.yml configuration.

How I can implement this in sg_config ?

jkressin · November 20, 2020, 11:48am

First, in sg_config.yml, simply remove the authorization section. Then, use the sg_roles_mapping.yml to map your LDAP users to Search Guard roles:

If you want to assign the same role(s) to all LDAP users, use a wildcard for the mapping like:

sg_role_name:
  users:
    - *

Since in your LDAP config you use the sAMAccount as username:

username_attribute: sAMAccountName

you can use it also in the roles mapping like:

sg_role_name:
  users:
    - user1
    - user2
    - ...

moka · November 19, 2020, 9:31am

Works like a charm . Dashboards loading is a lot faster .
It would have been great if there’s like a diagram to explain graphically the flow between all config files.