LDAP Security Roles

Hi guys, lately I've been using the LDAP connection feature and I'm facing some problems.
First of all, I've managed to connect to the LDAP server and log in to Kibana using my credentials, and everything is okay. My problem is that every user that logs in using LDAP is assigned directly to the own_index predefined role.
Any idea how to change this? I created another role, but I don't know how to map the LDAP users to this role. Any help or guidance would be appreciated.
Thanks a lot.
PS: I'm using the latest version of SG, 49.0.0, with Kibana 7.10.2.

Hi. You can map Search Guard roles to LDAP groups, for example in sg_roles_mapping.yml:

sg_role_name:
  backend_roles:
    - 'cn=ldaprole,ou=groups,dc=example,dc=com'

Or configure it via Kibana.


Also, you can map the users directly to the SG roles:

sg_role_name:
  users:
    - user1
    - user2
    - ...

if in the authc LDAP config (sg_config.yml) you have

        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: sAMAccountName

Thank you so much @srgbnd, that's what I've been looking for. I really appreciate that you replied to my question and helped me; thank you for all the amazing features you're sharing with us.


Hi @srgbnd, I've managed to map the users directly to the SG roles, but I've changed

username_attribute: sAMAccountName

with

username_attribute: cn

so I can display the user name when the user is logged in to Kibana. My problem is that I want the id behind that username so I can use it in the variable ${user.name} in the DLS query; so far I've managed to do that using the username but not the id.
Any idea how it should be done?

Thanks in advance.

Hi @HeiDri,
Show me what attributes are available. You can execute the following command to see the user attributes Search Guard has resolved for the logged-in user:

curl -k -u ldapuser:ldapuserpassword -X GET https://localhost:9200/_searchguard/authinfo?pretty

Also, post the DLS query you want to use.
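Putting the two answers above together (mapping an LDAP group or individual users to a Search Guard role, and a DLS query that filters on ${user.name}), here is an added example of the two config files. It is not from this thread or from the Search Guard project itself; the role name sg_ldap_dls_role, the index pattern tickets-* and the document field owner are assumptions, and the group DN is the one from the reply above. The two files are shown as two YAML documents separated by ---.

```yaml
# sg_roles.yml  (added example; role name, index pattern and field are assumed)
_meta:
  type: "roles"
  config_version: 2

sg_ldap_dls_role:
  cluster_permissions:
    - SGS_CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    - index_patterns:
        - "tickets-*"
      # ${user.name} is replaced at query time with the authenticated user's name,
      # i.e. whatever the LDAP authc "username_attribute" resolved to (sAMAccountName,
      # cn, ...). The "owner" field of each document must therefore hold that same value.
      dls: '{"term": {"owner": "${user.name}"}}'
      allowed_actions:
        - SGS_READ

---
# sg_roles_mapping.yml  (added example)
_meta:
  type: "rolesmapping"
  config_version: 2

sg_ldap_dls_role:
  # Members of this LDAP group (the DN arrives as a backend role) get the SG role...
  backend_roles:
    - 'cn=ldaprole,ou=groups,dc=example,dc=com'
  # ...and so do these individual users, matched on the resolved username.
  users:
    - user1
```

The practical caveat is the one the DLS question in this thread runs into: ${user.name} carries the value of username_attribute and nothing else, so switching that attribute from sAMAccountName to cn changes what the DLS term compares against. Check with the authinfo call above which user_name and backend_roles Search Guard actually sees before relying on the mapping, and make sure the indexed field contains the same string.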
