OpenDistro Kibana Login Allowing any login

My Elasticsearch Security plugin seems to be working properly. It only allows users from my external LDAP, or my defined Admin, and it does proper password authorization.

The issue is with my Kibana Opendistro setup. I can type any username and password and it will always log me in as the credentials saved in my elasticsearch.yml file under
opendistro_security.authcz.admin_dn

Has anyone run into this issue before? Is this caused by some mismatch in my configuration files?

For anyone else that faces this:

I resolved this by swapping my
opendistro_security.authcz.admin_dn:
and
opendistro_security.nodes_dn:

fields in elasticsearch.yml and the corresponding certs. I think the issue was that the DN under admin_dn used to match my Elasticsearch URL
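
A check for the misconfiguration described in the post above, as an added example that is not part of the thread or of the Open Distro project: it reads the two DN lists from elasticsearch.yml text and flags any admin_dn entry that is also in nodes_dn or whose CN is a node hostname. The sample config, hostnames and function names are constructed assumptions, and the parser handles only the block-list YAML form shown.

```python
import re

ADMIN_KEY = "opendistro_security.authcz.admin_dn"
NODES_KEY = "opendistro_security.nodes_dn"

# Constructed sample (not from the thread): the two DN lists are swapped,
# so the node certificate's DN is listed as an admin DN.
SWAPPED = """\
opendistro_security.authcz.admin_dn:
  - 'CN=es-node1.example.internal,OU=IT,O=Example,C=US'
opendistro_security.nodes_dn:
  - 'CN=admin,OU=IT,O=Example,C=US'
"""

def read_dn_lists(text):
    """Collect the '- DN' items under the two settings (block-list YAML form only)."""
    lists, current = {ADMIN_KEY: [], NODES_KEY: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and line[:-1] in lists:
            current = line[:-1]
        elif line.startswith("- ") and current:
            lists[current].append(line[2:].strip().strip("'\""))
        else:
            current = None  # any other setting ends the list
    return lists

def normalize(dn):
    """Lower-case and strip spaces around RDNs so equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def cn_of(dn):
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1).strip().lower() if match else None

def audit(text, node_hosts):
    """Return (reason, dn) findings for admin DNs that look like node identities."""
    lists = read_dn_lists(text)
    node_dns = {normalize(dn) for dn in lists[NODES_KEY]}
    hosts = {h.lower() for h in node_hosts}
    findings = []
    for dn in lists[ADMIN_KEY]:
        if normalize(dn) in node_dns:
            findings.append(("admin_dn entry is also in nodes_dn", dn))
        if cn_of(dn) in hosts:
            findings.append(("admin_dn CN is a node hostname", dn))
    return findings
```

Call `audit()` with the contents of elasticsearch.yml and the list of cluster hostnames; an empty list means neither condition was found.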

Hi @misiakj,

I need some help in configuring LDAP Authentication for Kibana UI as I am not able to.
Currently, I am logging in using the internal user database on the Kibana UI.

NOTE:
I have set up LDAP authentication for Opendistro ElasticSearch.
I have set up the same for Logstash.

What problem are you currently facing?
What does your current configuration look like?

  1. Problem: unable to log in with LDAP user credentials.
  2. Configuration is as follows.
    KIBANA CONF:

cat kibana.yml

# Copyright <2019> Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Release Note:
# Default Kibana configuration for Open Distro.

#elasticsearch.url: https://exped03.ser01-dc.com:9200
elasticsearch.hosts: ["https://exped02.ser01-dc.com:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/kibana/rootCA.crt
elasticsearch.ssl.verificationMode: full
elasticsearch.username: kibanaserver
elasticsearch.password: xxxxxxxxxxxxxxx
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

###########CUSTOM CONFIGS##############

logging.dest: /var/log/kibana/kibana.stdout
#logging.verbose: true

# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: exped02.ser01-dc.com

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.crt
server.ssl.key: /etc/kibana/kibana.key
#server.ssl.redirectHttpFromPort: 5602

I see a couple of small differences between your kibana.yml and mine, but I doubt it’s the cause of the issue.
You have
elasticsearch.ssl.verificationMode: full
Vs. I have
elasticsearch.ssl.verificationMode: none
and you’re missing
opendistro_security.auth.type: "basicauth"

It seems likely/possible that your issue exists either in your elasticsearch.yml or your config.yml files.

In elasticsearch.yml do you have configs for both
opendistro_security.authcz.admin_dn:
and
opendistro_security.nodes_dn:
?

In config.yml have you set up your kibana: settings?

Finally, when you try to log in through Kibana do you see a specific error/unexpected functionality?
You said that LDAP login is working when you directly access the Elasticsearch cluster so I’ll assume that your LDAP configs are correct.

Issue resolved: I found there were no backend roles mapped to the user.