Ldap Authorization failure

Hello Team,

I would like to integrate Search Guard with LDAP. I am able to authenticate users in Search Guard but unable to authorize them with the roles I have configured in LDAP. I don't see any errors in the logs.

Here is the scenario that I am trying to achieve.

I have two roles configured in my LDAP.

Level1 - Users under this role should have access to only particular indexes.

Level2 - Users under this role should have access to all the indexes.

Below is the mapping that I have specified in the sg_roles_mapping.yml

globalrole:
  backend_role:
    - 'Level1'
    - 'cn=globalrole,dc=test,dc=com'
  hosts:
    - xxx.xxx.x.xx:xxx

Below is the configuration that I have specified in the sg_roles.yml

globalrole:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'abc*':
      '*':
        - CRUD
    'xyz':
      '*':
        - READ
    '?kibana':
      '*':
        - ALL

Also attaching the LDAP configuration that I have specified in sg_config.yml

Please suggest where I am going wrong.

Thanks

Swamy

LDAP config (1.5 KB)
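As an added example (not from the poster or the Search Guard project), the Python below mirrors the two posted files as already-parsed dicts, lints the mapping for entries that can never match anyone, resolves which Search Guard roles a user with given LDAP backend roles receives, and lists the action groups that resolve for a concrete index name. It assumes the mapping key Search Guard reads is `backendroles`, and `level2role` is a constructed role standing in for the Level2 "all indexes" case.

```python
import fnmatch

# Constructed stand-ins for the parsed sg_roles_mapping.yml / sg_roles.yml of the
# post. Search Guard reads the membership keys `backendroles`, `users`, `hosts`
# (the post's `backend_role` is none of them); `level2role` is made up for Level2.
ROLES_MAPPING = {
    "globalrole": {
        "backendroles": ["Level1", "cn=globalrole,dc=test,dc=com"],
        "hosts": ["xxx.xxx.x.xx:xxx"],
    },
    "level2role": {"backendroles": ["Level2"]},
}
SG_ROLES = {
    "globalrole": {
        "cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
        "indices": {"abc*": {"*": ["CRUD"]}, "xyz": {"*": ["READ"]}, "?kibana": {"*": ["ALL"]}},
    },
    "level2role": {"cluster": ["CLUSTER_COMPOSITE_OPS_RO"], "indices": {"*": {"*": ["ALL"]}}},
}
MEMBERSHIP_KEYS = ("backendroles", "users", "hosts")

def lint_mapping(mapping, roles):
    """Entries that can never match anyone (no membership key, e.g. a typo such as
    backend_role) or that name a role missing from sg_roles.yml."""
    problems = []
    for sg_role, spec in mapping.items():
        if not any(key in spec for key in MEMBERSHIP_KEYS):
            problems.append(f"{sg_role}: no backendroles/users/hosts key")
        if sg_role not in roles:
            problems.append(f"{sg_role}: not defined in sg_roles.yml")
    return problems

def resolve_sg_roles(backend_roles, mapping):
    """Search Guard roles a user receives from its LDAP backend roles (union)."""
    wanted = set(backend_roles)
    return {sg for sg, spec in mapping.items() if wanted & set(spec.get("backendroles", []))}

def index_permissions(index, sg_roles, roles):
    """Action groups granted on a concrete index by the union of the given roles.
    '*' matches any run and '?' one character, so '?kibana' matches '.kibana'
    (fnmatchcase also treats '[...]' specially, which Search Guard does not)."""
    granted = set()
    for sg in sg_roles:
        for pattern, doc_types in roles.get(sg, {}).get("indices", {}).items():
            if fnmatch.fnmatchcase(index, pattern):
                for action_groups in doc_types.values():
                    granted.update(action_groups)
    return granted
```

Running `lint_mapping` against a mapping that still uses `backend_role` reports the entry, and `index_permissions("other", ...)` returning an empty set for a Level1 user is the intended result rather than a failure.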

Hello Team,

Please let me know if you have any updates on my issue.

we are already working on it ...


On 11.07.2017 at 17:21, Swamy Karampuri <swamykarampuri610@gmail.com> wrote:

Hello Team,

Please let me know if you have any updates on my issue.


Please send your complete sg_roles.yml and sg_roles_mapping.yml (as attachments).
It seems like your yml is not indented correctly.

What does the DN for your Level1 role look like?


On Tuesday, 11 July 2017 17:21:14 UTC+2, Swamy Karampuri wrote:

Hello Team,

Please let me know if you have any updates on my issue.

Hello Team,

Here I am attaching sg_config.yml, sg_roles_mapping.yml and sg_roles.yml.

Please suggest where I am going wrong.

Thanks,

swamy

sg_config.yml (7.31 KB)

sg_roles.yml (5.25 KB)

sg_roles_mapping.yml (1.29 KB)

Your sg_roles_mapping.yml contains invalid yml (see http://www.yamllint.com).


On 12.07.2017 at 10:28, Swamy Karampuri <swamykarampuri610@gmail.com> wrote:

Hello Team,

Here I am attaching sg_config.yml, sg_roles_mapping.yml and sg_roles.yml.

Please suggest where I am going wrong.

Thanks,
swamy


Hello Team,

I have checked the yml syntax. I am able to log in with that group's users, but unable to view all or only limited indexes based on the role group.

I have two roles configured in my LDAP.

xxx - Users under this role should have access to only particular indexes.

yyy - Users under this role should have access to all the indexes.

Here I am attaching my sg_roles_mapping.yml

Please suggest what I am missing.

Thank you

Swamy

sg_roles_mapping.yml (899 Bytes)

Hello Team,

Please let me know if you have any updates on my issue.

Thanks,

Swamy

Have you checked all your config files for valid yaml? Also the sg_config.yml you posted is invalid.

Then in sg_config.yml you set the challenge flag to true for both the ldap and the basic_internal_auth_domain domain. You can only have one challenging authenticator.

What is your use case here, do you use Kibana?

Next, with your current config, please access ES directly and log in with one of your LDAP users when the HTTP basic dialogue pops up. Then access the authinfo endpoint, which prints out information about the currently logged-in user, including the roles:

/_searchguard/authinfo

Please post the output here.


On Monday, July 17, 2017 at 11:49:26 AM UTC+2, Swamy Karampuri wrote:

Hello Team,

Please let me know if you have any updates on my issue.

Thanks,

Swamy