Attributes From LDAP Authorization

claudiobadii · May 5, 2020, 8:10am

Hello everybody,

the current situation is this: we have insatllarto OpenDistro 1.4.0 both the part of ElasticSearch and Kibana. We have correctly set the authentication with Keycloak which is done correctly and we receive all the data we need in JWT.

Some data, however, we have recorded them on LDAP and to do so we have inserted in AUTHZ the part related to LDAP since the guide specifies that:

By default, the Security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance.

The problem is that the role fields arrive correctly, but not the attributes. If I map the attributes on the roles I can see them correctly but I can’t see the various attr.ldap if we call for example on the KIBANA console:

GET _opendistro/_security/api/account

Do you have any idea why the attributes aren’t coming in when LDAP is being authorized?

The current configuration is as follows:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
        config:
          subject_key: "preferred_username"
          roles_key: "roles"
          openid_connect_url: "keycloakUrl"
        authentication_backend:
          type: "noop"
    authz:
      organizationsFromldap:
        description: "Authorize via LDAP or Active Directory"
          http_enabled: true
          transport_enabled: true
          authorization_backend:
            type: "ldap"
            config:
              enable_ssl: false
              enable_start_tls: false
              enable_ssl_client_auth: false
              verify_hostnames: true
              hosts:
              -  "192.168.0.77:389"
              bind_dn: "cn=admin,dc=foo,dc=example,dc=org"
              password: "password"
              rolesearch_enabled: false
              userbase: "dc=foo,dc=example,dc=org"
             usersearch: "(cn={0})"
             username_attribute: "cn"
             custom_attr_whitelist:
             - "ou"
             - "uid"
            skip_users:
            - "kibanaserver"

Even removing or putting

custom_attr_whitelist:

nothing changes

Anthony · May 5, 2021, 2:19pm

@claudiobadii Did you manage to get this resolved? If not which version of ODFE are you using?

Topic		Replies	Views
LDAP add permissions (authorize) to data Security	5	2980	August 14, 2019
Users from internal db checked over LDAP Security	2	1865	July 12, 2019
Map LDAP Users to Admin Role Security	3	1737	April 30, 2021
LDAP "User Authenticated" but no OpenDashboards acess Security	3	283	September 21, 2022
LDAP backend roles (Authz) not working Security troubleshoot	10	541	April 18, 2023

Attributes From LDAP Authorization

Related Topics