This should now be fixed with version 4 of the multitenancy module.
Relates https://github.com/floragunncom/search-guard-kibana-plugin/issues/34
On Monday, 10 July 2017 16:56:16 UTC+2, Brian Sanders wrote:
I am testing out the LDAP authentication module with Kibana multi tenancy to see if this will fit our needs, and I am having some strange login issues. I believe I have configured it as described in the example documentation, but the FIRST time I attempt to log in I always end up at the 500 internal server error. If I attempt to log in a few more times, eventually it works and seems to keep working for a bit. I have also logged in and then seen this issue when switching tenants. After logging back in a second time everything works including switching.
I don’t really know how to proceed troubleshooting this, but I can’t demo this to anyone and expect them to want me to take this live to production if LDAP is flaky.
I am still using the basic_internal_auth, since I don’t want to add a kibanaserver or logstash user to my LDAP directory, and would prefer those just be in the local database. Authz is being done by mapping users to roles, which does work once I am logged in.
Here is the relevant section from my sg_config.yml:
searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: "kibanaserver"
      index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          config:
            enable_ssl: false
            enable_start_tls: true
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            bind_dn: 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'
            password: 'FAKEPASS'
            userbase: 'cn=users,cn=accounts,dc=example,dc=com'
            usersearch: '(uid={0})'
            username_attribute: uid
            skip_users:
              - kibanaserver
              - logstash