LDAP group role mapping is not working

Hi,
We have integrated LDAP into our platform, and our goal is to map the different roles we create under the security plugin to LDAP groups.
We have used the following config for authorization.


Once the role is created through Kibana, we map the LDAP group to that role as below under "External identities" by giving the LDAP group name (here "G3" is the LDAP group present in ou=Group,dc=***,dc=com).

But this is not working: the user in group G3 is unable to log in to Kibana, and it says "No available tenant for the current user, please reach out to your system administrator".


Thanks,
Vikas

Vikas, are you mapping these users to the kibana_user role? (To be able to use Kibana.)

Yes @Anthony, I'm able to map roles to LDAP users. The issue got resolved after configuring rolesearch, rolebase and userroleattribute.


Hello, I have this same problem. What I do not get is that I mapped an LDAP user as an external identity to the all_access role in Kibana, the same as the internal user admin, and I do not have permissions in Kibana or in Elasticsearch via curl requests. When I try curl -XGET https://localhost:9200 -u admin:admin -k I get the normal expected output, but when I try curl -XGET https://localhost:9200 -u ldapuser:password -k I get the error {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=ldap user

It seems you made changes to the authz section of your config file; could you share an example? I can map internal users to roles, but the LDAP users do not seem to map even when configured to in the role mappings. It is like the config gets ignored for LDAP users.

Are you trying to map LDAP groups? Is role mapping working if you map an individual LDAP user?
Below is the role mapping config I've used in the authz section.
        rolebase: "o=organization"
        rolesearch: "(Role={0})"
        userroleattribute: "Role"
        userrolename: "Role"
        rolename: "cn"
        resolve_nested_roles: false
        usersearch: "(uid={0})"
        username_attribute: "uid"

Hello, thank you. I cannot seem to map an LDAP role or group, but I can map internal users to roles just fine.
Here is my authz:
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: false
        hosts:
          - "dc01.tailspintoys.net:389"
        bind_dn: "CN=Elasticsearch Test,CN=Users,DC=tailspintoys,DC=net"
        password: "Temp2121"
        rolebase: "CN=groupname,OU=ouname,OU=Groups,OU=anotherOU,DC=tailspintoys,DC=net"
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from the user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute whose value should be substituted for {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role. Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitively (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'ou=people,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        skip_users:
          - kibanaserver
          - admin
          # - 'cn=Michael Jackson,ou=people,o=TEST'
          # - '/\S*/'

How can I set the role base to an OU with a hierarchy so that many groups fall under it? Or can I just map to a group, say I create an AD group named "elasticsearch admins" and map to that? I really just want an AD user or group to have the same permissions as the built-in admin user.

This is just confusing; the documentation does not go into the roles and role mappings well either. I can see that Elasticsearch is talking to my LDAP server, but I cannot map an LDAP user or group to the all_access role like the internal admin.
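As an added illustration (not code from this thread or from the security plugin itself), the Python below simulates how the authz settings discussed above (rolebase, rolesearch with its {0}/{1}/{2} substitutions, userroleattribute, rolename, resolve_nested_roles) turn a user's DN into backend role names. The directory entries, DNs and the CONFIG dict are constructed sample data; rolebase is set to an OU that contains several groups, the layout asked about above, with one group nested inside another.

```python
import re

DIRECTORY = {  # DN -> attributes; constructed sample entries
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": ["jdoe"]},
    "cn=G3,ou=Group,dc=example,dc=com": {
        "cn": ["G3"], "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    "cn=es-admins,ou=Group,dc=example,dc=com": {  # group that contains G3
        "cn": ["es-admins"], "member": ["cn=G3,ou=Group,dc=example,dc=com"]},
    "cn=other,ou=Group,dc=example,dc=com": {"cn": ["other"], "member": []},
}

def search(base, filt):
    """Subtree search under `base`; only simple (attr=value) filters."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and value in (v.lower() for v in entry.get(attr, []))]

def resolve_roles(cfg, username):
    """Backend role names the plugin would derive for `username`."""
    users = search(cfg["userbase"], cfg["usersearch"].replace("{0}", username))
    if not users:
        return set()
    user_dn = users[0]
    # {2} comes from userroleattribute on the user entry, if configured
    attr = cfg.get("userroleattribute") or ""
    extra = DIRECTORY[user_dn].get(attr, [""])[0]
    def role_filter(dn):
        return (cfg["rolesearch"].replace("{0}", dn)
                .replace("{1}", username).replace("{2}", extra))
    pending, seen = [user_dn], set()
    while pending:  # found groups are searched again only when nested
        dn = pending.pop()
        for role_dn in search(cfg["rolebase"], role_filter(dn)):
            if role_dn not in seen:
                seen.add(role_dn)
                if cfg.get("resolve_nested_roles"):
                    pending.append(role_dn)
    name = cfg["rolename"]
    return {dn if name == "dn" else DIRECTORY[dn][name][0] for dn in seen}

CONFIG = {  # rolebase set to the OU, so every group beneath it is searched
    "userbase": "ou=people,dc=example,dc=com", "usersearch": "(uid={0})",
    "rolebase": "ou=Group,dc=example,dc=com", "rolesearch": "(member={0})",
    "rolename": "cn", "resolve_nested_roles": True,
}
```

With rolebase narrowed to a single group DN that does not list the user, the same lookup returns no roles at all, which is the silent "config gets ignored" behaviour described earlier in the thread.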

@ghostintheESXi Did you get this resolved?
If not, can you elaborate on the current structure of your LDAP groups? I will try to reproduce it and send you the config.yml when ready.