Ldap Security Roles

Hi guys , lately i’ve been using the LDAP connection feature and i’m facing some problems
so first of all i’ve managed to connect to the ldap server and login to kibana using my credentials and everything is okay , my problem is that every user that logs in using LDAP is assigned directly to the own_index predefined role .
so any idea how to change this ? i created another role but i don’t konw how to map the ldap users to this role ? any help or guidance would be appreciated .
thanks a lot
PS : i’m using the latest version of SG 49.0.0 with kibana 7.10.2

Hi. You can map Search Guard roles to LDAP groups, for example
sg_roles_mapping.yml

sg_role_name:
  backend_roles:
    - 'cn=ldaprole,ou=groups,dc=example,dc=com'

Or configure it via Kibana.

1 Like

Also, you can map the users directly to the SG roles

sg_role_name:
  users:
    - user1
    - user2
    - ...

if in the authc ldap config you have
sg_config.yml

        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: sAMAccountName
1 Like

Thank you so much @srgbnd that’s what i’ve been looking for , i really appreciate the fact that you replied to my question and helped me , thank you for all the amazing features that you’re sharing with us :slight_smile:

1 Like

Hi @srgbnd i’ve managed to map the users directly to the SG roles , bu i’ve changed the

username_attribute: sAMAccountName

with

username_attribute: cn

so i can display the user name when the user is logged in kibana , but my problem is that i want the id behind that username so i can use that in use the variable ${user.name} in the DLS query , so far i’ve managed to do that using the username but not the id
Any idea how it should be done ?

Thanks in advance

Hi @HeiDri
Show me what attributes are available. You can execute the following command to see the available user attributes.

curl -k -u ldapuser:ldapuserpassword -X GET https://localhost:9200/_searchguard/authinfo?pretty

Also, post the DLS query you want to use.