I’m using LDAP authentication and authorization, and I want users who didn’t match any LDAP group to be assigned to a role, for example the kibana_read_only role. How do I implement it?
Thanks.
@ogulman would creating a role called all_users and mapping it to all users not give you what you are looking for, since the permissions are combined at query execution time?
Hi Antony, it’s not relevant, since in the new version of odfe the user isn’t allowed to log in if he is not a member of any group.
Thanks
Hi Ogulman, I’m not sure which version you have tested with, but I just tried a new user not assigned to any group with LDAP on 1.13.1 and 1.12, and in both cases the behaviour is as expected: the user is mapped only to “own_index” if no other mapping was used, or is also mapped to any role that was marked with users: * in role_mappings.yml. See my config below:

```yaml
authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    order: 5
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>
        bind_dn: <...>
        password: <...>
        userbase: 'cn=Users,dc=local,dc=local'
        username_attribute: "sAMAccountName"
        usersearch: '(sAMAccountName={0})'
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>
        bind_dn: <...>
        password: <...>
        rolebase: 'ou=GroupsNew,dc=local,dc=local'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: disabled
        resolve_nested_roles: false
        userbase: 'cn=Users,dc=local,dc=local'
        usersearch: '(sAMAccountName={0})'
```
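For readers wondering what the catch-all mapping Antony describes looks like on disk, here is a roles_mapping.yml fragment added as an illustration (it is not part of either poster's configuration). The role names kibana_read_only and all_access are ODFE built-ins; the `_meta` header assumes an ODFE 1.x security plugin (config_version 2); the group name in `backend_roles` is a placeholder, and what LDAP actually returns there depends on the authorization backend's role-name attribute setting.

```yaml
_meta:
  type: "rolesmapping"
  config_version: 2

# Every authenticated user receives this role, whether or not the LDAP
# rolesearch returned any group for them. Keep it minimal (read-only):
# its permissions are added on top of whatever the group mappings grant.
kibana_read_only:
  reserved: false
  users:
    - "*"
  description: "Default role for users that matched no LDAP group"

# Ordinary group-based mapping for comparison. The backend role must equal
# the value the LDAP authz backend returns for the group (placeholder here).
all_access:
  reserved: false
  backend_roles:
    - "ES-Admins"   # placeholder group name, not from the thread
  description: "Administrators resolved from an LDAP group"
```

Because the `"*"` mapping applies to every account that can bind successfully, a user with no group ends up with exactly the rights of kibana_read_only, while a group member gets the union of kibana_read_only and their group's roles; that is the behaviour Antony observed on 1.12 and 1.13.1. Apply the file with securityadmin.sh as usual, and check the effective mapping for a test account before widening the default role.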
Thanks Antony, as I said previously it’s not relevant in the current version.
In the old version, 0.7 or 0.8, there was an issue where a user who is not a member of any LDAP group was able to log in.