Hello,
I configured LDAP authentication in the Search Guard config (sg_config.yml) by setting authc (authentication) and authz (authorization) to ldap.
I noticed a major deterioration in performance, and sometimes Elasticsearch breaks.
What I'm trying to configure is authentication from LDAP and authorization from the internal database, which, as I understood from the documentation, is possible.
My question: as Kibana is used by more than 150 people, is it possible to set up a configuration where authc is ldap and authorization is read-only for every new and old user, without specifying any name in the internal database?
This is a snapshot of sg_config.yml (btw, I'm using SG5):
```yaml
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
  # enable ldaps
  enable_ssl: false
  # enable start tls, enable_ssl should be false
  enable_start_tls: false
  # send client certificate
  enable_ssl_client_auth: false
  # verify ldap hostname
  verify_hostnames: false
  hosts:
    - xxxxx
  bind_dn: 'xxx'
  password: 'xxx'
  userbase: 'xxx'
  # Filter to search for users (currently in the whole subtree beneath userbase)
  # {0} is substituted with the username
  usersearch: '(sAMAccountName={0})'
  # Use this attribute from the user as username (if not set then DN is used)
  username_attribute: sAMAccountName
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      type: intern  # ???
```