Unable to login kibana with ldap user

Search Guard
1

Hi,

I having some issues with logging ldap users into kibana with the current searchguard version. 7.3.

Can anyone highlight is there is any missing setting or config that I miss out in the role mapping or the sg_role yml files.

I able to get the result from curl command:

Curl -Ss -k -u [ldap user] -XGET “https://xxxxx:9200/_cluster/_health

And

Curl -Ss -k -u [ldap user] -XGET “https://xxxxx:9200/_searchguard/license?pretty

Previously on searchguard 6.5.1, i able to login kibana successfully with the ldap users but with the new 7.3, some of things change on role mapping and role config file.

Been stuck on the these for few days

Hope any experts can enlighten me.

Thanks

2

How did you upgrade from 6.x to 7.x? Did you follow the upgrade instructions here?

I suspect there is something wrong with the role mapping. The configuration for LDAP did not change, so this should not be an issue.

Can you post your SG configuration files, and the ES log file during the (failing) login?

4

I experienced a similar issue after upgrading. 7.0 Upgrade assistant cluster issue needs to be resolved - #6 by mattsdevop

Here’s an example of what I had to make my admin role look like following the upgrade. You’ll need to modify your sg_roles.yml to include the following: (the tool did not do this automatically when upgraded):

Elk-Admins:
  reserved: true
  hidden: false
  description: "Migrated from v6 (all types mapped)"
  cluster_permissions:
  - "UNLIMITED"
  index_permissions:
  - index_patterns:
    - "*"
    dls: null
    fls: null
    masked_fields: null
    allowed_actions:
    - "UNLIMITED"
  tenant_permissions:
  - tenant_patterns:
    - "*"
    allowed_actions:
    - "UNLIMITED"
  - tenant_patterns:
    - "admin_tenant"
    allowed_actions:
    - "SGS_KIBANA_ALL_WRITE"
  static: false
1 Like
5

Hi mattsdevop,

Sorry for the late reply.

Thanks for the showing me the right way to the sg configuration.

Just to add on in the sg_role.yml

Elk-Admins:
reserved: true
hidden: false
description: “Migrated from v6 (all types mapped)”
cluster_permissions:

  • “UNLIMITED”
    index_permissions:

  • index_patterns:

    • "
      ** - "indices:monitor/      ”**
      ** - “indices: data/*”**

    dls: null
    fls: null
    masked_fields: null
    allowed_actions:

    • “UNLIMITED”
      tenant_permissions:

  • tenant_patterns:

    • “*”
      allowed_actions:
    • “UNLIMITED”

  • tenant_patterns:

    • “admin_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      And the static: false prompt the error in version 7.3.

Hope the kibana guide for ldap configuration can be clearer for other users.

Thank you very much.

6

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.