Create role for only LDAP Users

Hi guys, I want to create a role using the Kibana security plugin for only the LDAP users to use, and a backend role to access only dashboards for the LDAP users. Any idea what I should set in the users tab and the backend roles tab?

Thanks in advance.

@HeiDri You would need to assign groups in LDAP; using these groups you can map users directly to a role. In order to only be able to show dashboards and other Kibana objects for a subset of users you will need to create a new tenant, and the role would need to have the relevant permissions for this tenant. The dashboards (and any other Kibana objects) would then need to be re/created on that tenant for other members of that role to view. There is no need to create any users individually in the users tab. Hope this helps.


Hi @Anthony, thanks for the reply. I've managed to make the LDAP connection work by configuring the config.yml file, but my problem here is configuring the role that would give access to a certain LDAP group, because right now the user only has the own_index permission. Can you share an example of your configuration if you don't mind?

@HeiDri So currently you are able to log in and get assigned a certain role based on a group in LDAP, and just need to give the correct permissions for the index and tenant? Or are the roles not assigned at login?

@Anthony Yes, when I log in using my credentials the assigned role is own_index. By default any user from the LDAP connection is logged in and given the own_index role. I want to create a role for the LDAP users so that when any user logs in he will automatically get this newly created role.

@HeiDri See my config.yml below (note that some of the options are not necessary).

authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    order: 2
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>:<ldap_port>
        bind_dn: <username>
        password: <password>
        userbase: 'cn=Users,dc=local,dc=local'
        username_attribute: "uid"
        usersearch: '(sAMAccountName={0})'
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>:<ldap_port>
        bind_dn: <username>
        password: <password>
        rolebase: 'ou=GroupsNew,dc=local,dc=local'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: disabled
        rolename: cn
        resolve_nested_roles: true
        userbase: 'cn=Users,dc=local,dc=local'
        usersearch: '(uid={0})'

On the LDAP side I have my users defined in cn=Users and assigned to groups in ou=GroupsNew.

The users are then assigned the given group name (in my case 'employees') as a backend role, which is then mapped in the role_mappings.yml file as below:

testRole1:
  backend_roles:
    - employees

testRole1 is then defined in the roles.yml file and gives access to testTenant.
This is assuming you have testTenant set up in the tenants.yml file.
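As an added example (these are not Anthony's files), here is one way the three files he refers to can fit together, written as three YAML documents separated by `---`. The `logs-*` index pattern, the read-only action groups, the role descriptions and the extra `kibana_user` mapping are assumptions chosen to keep the LDAP group to the least privilege needed for viewing dashboards in one tenant.

```yaml
# roles.yml (config_version 2 layout). testRole1 grants read-only access
# to one index pattern and read access to Kibana objects inside testTenant.
_meta:
  type: "roles"
  config_version: 2

testRole1:
  reserved: false
  description: "LDAP employees: dashboards in testTenant only"   # assumption
  cluster_permissions:
    - "cluster_composite_ops_ro"      # read-only composite ops Kibana relies on
  index_permissions:
    - index_patterns:
        - "logs-*"                    # assumption: data behind the dashboards
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "testTenant"
      allowed_actions:
        - "kibana_all_read"           # kibana_all_write only if they may edit
---
# tenants.yml. The tenant named in tenant_permissions above must exist.
_meta:
  type: "tenants"
  config_version: 2

testTenant:
  reserved: false
  description: "Dashboards shared with the LDAP employees group"   # assumption
---
# roles_mapping.yml. 'employees' is the LDAP group cn returned by the
# authz backend (rolename: cn), so it arrives as a backend role at login.
_meta:
  type: "rolesmapping"
  config_version: 2

testRole1:
  reserved: false
  backend_roles:
    - "employees"

# Assumption: the built-in kibana_user role is also mapped, since Kibana
# needs it in addition to any custom role for the user to open Kibana.
kibana_user:
  reserved: false
  backend_roles:
    - "employees"
```

Edits to these files only take effect after they are loaded into the security index (securityadmin.sh or the security UI); a user who already holds own_index but not testRole1 after logging in usually means the group cn did not arrive as a backend role, which can be checked in the account details shown by the security plugin.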