0

I installed Openldap and created one user by following this documentation https://help.ubuntu.com/lts/serverguide/openldap-server.html.

OpenLDAP is working fine.

I also configured LDAP authentication on Open Distro for Elasticsearch (debian package) by referring to this documentation https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/

I want login to kibana from my custom ldap user. So, I followed this documentation https://aws.amazon.com/blogs/opensource/ldap-integration-for-open-distro-for-elasticsearch/. But, still I am unable to login with my custom ldap user into my kibana.

This is my .ldif file :

dn: ou=People,dc=server,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=server,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=server,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=server,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

This is my config.yml file for ldap:

 ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
             - server.com:389
             - localhost:389
            bind_dn: 'uid=John,ou=People,dc=server,dc=com'
            password: "johnldap"
            userbase: 'ou=people,dc=server,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: 'uid'
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
             - server.com:389
             - localhost:389
            bind_dn: 'uid=John,ou=People,dc=server,dc=com'
            password: "johnldap"
            rolebase: 'ou=People,dc=server,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=People,dc=server,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap

What am I missing ?

Orest Gulman
  • 422
  • 1
  • 8
  • 25
Nandhu Nandini
  • 19
  • 5
  • What version Open Distro you are using?, Docker or RPM?, Please, provide logs OpenLDAP/Elasticsearch during logins. – Orest Gulman Oct 22 '19 at 08:20
  • I installed latest version opendsitro with debian package.I was getting an error like [2019-10-24T11:20:25,817][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [server.com] Unable to connect to ldapserver server.com:389 due to [org.ldaptive.provider.ConnectionException@865075758::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, – Nandhu Nandini Oct 24 '19 at 05:55
  • @NandhuNandini may I ask you where did you find these logs? Thanks in advance – Vitor Carvalho Mar 18 '21 at 14:41

0 Answers0