LDAP group role mapping is not working

We have integrated LDAP into our platform, and our target is to map the different roles we create under the security plugin to the “LDAP groups”.
We have used the following config for authorization.


Once the role is created through Kibana, we are mapping LDAP group to that role as below under “External identities” by giving LDAP group name (Here “G3” is the LDAP group present in ou=Group,dc=***,dc=com)

But this is not working, as the user in the group G3 is unable to login to kibana, it says “No available tenant for the current user, please reach out to your system administrator”


Vikas, Are you mapping these users to kibana_user role? (To be able to use kibana)

Yes @Anthony, I’m able to map roles to LDAP users. Issue got resolved after configuring rolesearch, rolebase and userroleattribute.

1 Like

Hello I have this same problem. What I do not get is I mapped an ldap user as an external identity to the all access role in Kibana the same as the internal user admin and I do not have permissions in Kibana or in Elasticsearch via curl requests when I try curl -XGET https://localhost:9200 -u admin:admin -k I get the normal expected output but when I try curl -XGET https://localhost:9200 -u ldapuser:password -k I get the error {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:"no permissions for [cluster:monitor/main] and User [name=ldap user

It seems you made changes to the authz section of your config file, could you share an example? I can map internal users to roles but the ldap users do not seem to map even when configured to in role mappings it is like the config gets ignored for ldap users.

Are you trying to map LDAP groups ? Is role mapping working if you map Individual LDAP user?
below is the role mapping config i’ve used in authz section.
rolebase: “o=organization”
rolesearch: “(Role={0})”
userroleattribute: “Role”
userrolename: “Role”
rolename: “cn”
resolve_nested_roles: false
usersearch: “(uid={0})”
username_attribute: “uid”

Hello thank you, I cannot seem to map a ldap role or group but I can map internal users to roles just fine
here is my authz
description: “Authorize via LDAP or Active Directory”
http_enabled: true
transport_enabled: true
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: false
- “dc01.tailspintoys.net:389
bind_dn: “CN=Elasticsearch Test,CN=Users,DC=tailspintoys,DC=net”
password: “Temp2121”
rolebase: “CN=groupname,OU=ouname,OU=Groups,OU=anotherOU,DC=tailspintoys,DC=net”
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
- kibanaserver
- admin
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S

How can i set the role base to an OU with hierarchy so many groups fall under it? Or can I just map to a group like say I create an AD group and name it elasticsearch admins and map to that? I really just want an ad user our group to have the same permissions as the built in admin user.

This is just confusing the documentation does not goin into the roles and role mappings as well. I can see that elasticsearch is talking to my ldap server but I cannot map an ldap user or group to the all access role like the internal admin.

@ghostintheESXi Did you get this resolved?
If not can you elaborate on the current structure of ldap groups? I will try to reproduce and send you the config.yml when ready

@vikasgurlinka @Anthony I am facing the same issue. I have LDAP configured in my opendistro and trying to provide the full cluster access to my individual LDAP user, however its not working.

I am able to login to KIbana UI using my LDAP user, but I don’t see “security” tab in the UI. I tried to create a role with full access in roles.yml and mapped it to my LDAP user in roles_mapping.yml, but its not working. Below is my roles.yml and roles_mapping.yml configuration.

reserved: true
- cluster_all
- index_patterns:
- “*”
- crud

reserved: true

  • “myldapuser”

I also tried using the same authz configuration as mentioned by Vikas, but still no luck.

@vikasgurlinka Could you please share the snippet from your roles.yaml, roles_mapping.yml and config.yml files where you have configured the access for LDAP user or LDAP group.

If you want the admin-role to have access to the security tab, you will need to add it to the restapi.roles_enabled list in elasticsearch.yml, like below:

opendistro_security.restapi.roles_enabled: [“all_access”, “admin-role”],

(restart of the node is needed for changes to take effect)

Hope this helps

Hi @Anthony

Thanks for your reply.

I tried adding the “admin-role” in elasticsearch.yml file as suggested and restarted the node, still I am not seeing security tab for my ldap user.

opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”, “admin-role”]

Are you sure the user gets mapped to admin-role?

Best way to check is running below curl, assigned roles will be listed in the output.

curl --insecure -u<username>:<password> -XGET "https://localhost:9200/_opendistro/_security/authinfo?pretty"