Unmapped groups as role

I’m using LDAP authentication and authorization, and I want users that didn’t match any LDAP group to be assigned to a role, for example the kibana_read_only role. How do I implement it?
Thanks.

@ogulman would creating a role called all_users and mapping it to all users not give you what you are looking for? The permissions are combined at query execution.

Hi Antony, it’s not relevant, since in the new version of odfe the user isn’t allowed to log in if they are not a member of any group.
Thanks

Hi Ogulman, I’m not sure which version you have tested with, but I just tried a new user not assigned to any group with ldap on 1.13.1 and 1.12, and in both cases the behaviour is as expected: the user is mapped only to “own_index” if no other mapping was used, or also mapped to any role that was marked as users: * in role_mappings.yml. See my config below:

authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    order: 5
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>
        bind_dn: <...>
        password: <...>
        userbase: 'cn=Users,dc=local,dc=local'
        username_attribute: "sAMAccountName"
        usersearch: '(sAMAccountName={0})'
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - <ldap_ip>
        bind_dn: <...>
        password: <...>
        rolebase: 'ou=GroupsNew,dc=local,dc=local'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: disabled
        resolve_nested_roles: false
        userbase: 'cn=Users,dc=local,dc=local'
        usersearch: '(sAMAccountName={0})'
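A catch-all mapping of the kind Antony describes, written out as an added example (it is not from this thread or from the Open Distro project's shipped files). It assumes the Open Distro Security roles_mapping.yml format, the kibana_read_only role from the original question, and an LDAP authz backend like the one above that delivers group DNs as backend roles; the group DN is a placeholder:

```yaml
# roles_mapping.yml (Open Distro Security) -- added example, not from the thread.
# Assumes the kibana_read_only role exists in roles.yml and that the LDAP authz
# backend above supplies group DNs as backend_roles. The DN below is a placeholder.
_meta:
  type: "rolesmapping"
  config_version: 2

# Catch-all: every authenticated user, including one that matched no LDAP group,
# is mapped to kibana_read_only. Role permissions are unioned at query time, so
# this is additive for users who also match a group mapping further down.
kibana_read_only:
  reserved: false
  users:
    - "*"

# Group-based mapping: members of this LDAP group (placeholder DN under the
# rolebase from the config above) get all_access on top of kibana_read_only.
all_access:
  reserved: false
  backend_roles:
    - "cn=es-admins,ou=GroupsNew,dc=local,dc=local"   # placeholder group DN
```

Load it with securityadmin.sh (`-f roles_mapping.yml -t rolesmapping`), then log in as a user with no LDAP group and call `GET _opendistro/_security/authinfo`: `roles` should list kibana_read_only (plus own_index from the default mapping) and `backend_roles` should be empty. Because the `"*"` mapping is a union with every other mapping rather than a fallback, keep the catch-all role minimal; anything granted there is granted to administrators too.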

Thanks Antony, as I said previously it’s not relevant in the current version.
In the old version, 0.7 or 0.8, there was an issue where a user who is not a member of any LDAP group was able to log in.