WAZUH LDAP Integration


Kobus Bensch

Mar 6, 2024, 8:05:51 AM
to Wazuh | Mailing List
Hi All

I have searched and tried various configuration, but I am just missing something to get the LDAP group permissions working.

authc config:
ldap:
        description: "Authenticate via LDAP"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - ipa-ca.ldap.com:636
            bind_dn: uid=ldapsystembind,cn=sysaccounts,cn=etc,dc=ldap,dc=com
            password: 'password'
            userbase: 'cn=users,cn=accounts,dc=ldap,dc=com'
            usersearch: '(uid={0})'
            username_attribute: uid

authz:
      roles_from_myldap:
        description: "Authorize via LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ipa-ca.ldap.com:636
            bind_dn: uid=ldapsystembind,cn=sysaccounts,cn=etc,dc=ldap,dc=com
            password: 'password'
            rolebase: 'cn=groups,cn=accounts,dc=ldap,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(memberOf={0})'
            #rolesearch: '(memberOf={2})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: uid
            # Roles as an attribute of the user entry
            userrolename: memberOf
            rolename: uid
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            #userbase: 'cn=users,cn=accounts,dc=ldap,dc=com'
            userbase: 'dc=ldap,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - admin
              - kibanaserver

In the authz I have tried both of these:
            rolesearch: '(memberOf={0})'
            #rolesearch: '(memberOf={2})'

and also these:
            #userbase: 'cn=users,cn=accounts,dc=ldap,dc=com'
            userbase: 'dc=ldap,dc=com'

In /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
I have tried both of these:
      run_as: false
      run_as: true
With run_as: true I also set up the rules in the Role Mapping in the UI.

In /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
I tried both of these:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "wazuhadmingroup"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

AND
With this config I am able to log in as the user specified under users, but anybody in the wazuhadmingroup gets access denied.
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "wazuhadmingroup"
  hosts: []
  users:
  - "kobus"
  and_backend_roles: []
  description: "Maps admin to all_access"

From these, can anybody tell me what I missed? I have been through the LDAP integration doc numerous times now but just can't find where I have gone wrong.

Thank you
Kobus

Luciano Gorza

Mar 7, 2024, 7:56:28 AM
to Wazuh | Mailing List
Hi Kobus,

I understand that you have been able to authenticate, but then you encounter a permissions error.
Could you try changing the "rolesearch" configuration in "authz" with the value '(member={0})'? This value depends on the LDAP schema.
Additionally, could you attach a screenshot with the error?

Thanks!
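The schema dependence mentioned above, worked through as an added offline model (example code, not from the thread or from the OpenSearch Security plugin): it applies the {0}/{1}/{2} substitution and the rolebase, rolesearch, userrolename and rolename settings from the posted authz block to constructed FreeIPA-style entries for the DNs in the thread, and compares the posted values with '(member={0})' plus rolename cn. How DN-valued userrolename attributes are resolved is an assumption about the plugin.

```python
# Added example: a simplified model of the LDAP authz step, not the plugin's code.
# Constructed snapshot: one user and one group. In the FreeIPA schema a group lists
# its members in `member` (DNs) and is named by `cn`; the user carries `memberOf`.
USER_DN = "uid=kobus,cn=users,cn=accounts,dc=ldap,dc=com"
GROUP_DN = "cn=wazuhadmingroup,cn=groups,cn=accounts,dc=ldap,dc=com"
DIRECTORY = {
    USER_DN: {"uid": ["kobus"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"cn": ["wazuhadmingroup"], "member": [USER_DN]},
}

# roles_mapping.yml from the thread, reduced to its backend_roles lists.
ROLES_MAPPING = {"all_access": ["admin", "wazuhadmingroup"]}


def substitute(template, user_dn, username, attr_value):
    """Apply the {0}/{1}/{2} placeholders documented in the authz comments."""
    return (template.replace("{0}", user_dn)
                    .replace("{1}", username)
                    .replace("{2}", attr_value))


def resolve_backend_roles(cfg, user_dn):
    """Return the backend roles this authz config would assign to user_dn."""
    user = DIRECTORY[user_dn]
    username = user["uid"][0]
    attr_value = user.get(cfg["userroleattribute"], [""])[0]
    filt = substitute(cfg["rolesearch"], user_dn, username, attr_value)
    attr, value = filt.strip("()").split("=", 1)  # only (attr=value) is modelled
    roles = set()
    # rolesearch: entries under rolebase whose <attr> holds <value>, named by rolename.
    for dn, entry in DIRECTORY.items():
        if dn.endswith(cfg["rolebase"]) and value in entry.get(attr, []):
            roles.update(entry.get(cfg["rolename"], []))
    # userrolename: DNs on the user entry are looked up and named by rolename
    # (assumption about how the plugin treats DN-valued attributes).
    for dn in user.get(cfg["userrolename"], []):
        roles.update(DIRECTORY.get(dn, {}).get(cfg["rolename"], []))
    return sorted(roles)


def mapped_security_roles(backend_roles):
    """Apply roles_mapping.yml: which security roles the backend roles grant."""
    return sorted(role for role, allowed in ROLES_MAPPING.items()
                  if set(allowed) & set(backend_roles))


AS_POSTED = {"rolebase": "cn=groups,cn=accounts,dc=ldap,dc=com",
             "rolesearch": "(memberOf={0})", "userroleattribute": "uid",
             "userrolename": "memberOf", "rolename": "uid"}
SCHEMA_MATCHED = dict(AS_POSTED, rolesearch="(member={0})", rolename="cn")
```

With the posted values the user ends up with no backend roles, so roles_mapping.yml has nothing to match and only an explicit entry under users works; with the schema-matched values the group name reaches the mapping.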

Kobus Bensch

Mar 7, 2024, 9:07:05 AM
to wa...@googlegroups.com

Thank you for the reply.

I have changed as suggested and this is what I see:

And this is what the rolemapping looks like:

all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "wazuhadmingroup"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

If I add the users in the users section, then I am able to log in with LDAP+OTP.

Kobus


Luciano Gorza

Mar 8, 2024, 9:37:11 AM
to Wazuh | Mailing List
Certainly, it is an issue with the reading or mapping of LDAP roles. Please, if you have access to the LDAP configuration, could you review the configuration of these fields?
  • rolebase
  • rolesearch
  • userroleattribute
  • userrolename
  • rolename
  • resolve_nested_roles
On the other hand, could you share the LDAP schema you are using to help you more accurately?