LDAP Integration with Wazuh Errors


Pat Patrick

Jun 12, 2024, 3:14:31 PM
to Wazuh | Mailing List
I have been trying to work on an issue when implementing LDAP with on-prem AD in the Wazuh Community for some time now and am not getting closer to a resolution. I needed to have this integration completed by today due to the fact that I will be going off site EOD on Thursday and will no longer have access to the environment.

My issue from the beginning has been ERR: Unable to read type from file

.opendistro_security index already exists, so we do not need to create one.
 Populate config from /etc/wazuh-indexer/opensearch-security
 ERR: Unable to read type from file

Today one of the support members stated that they thought it was a spacing issue in the config.yml file and provided a file to try and use. When this file was used it changed from not being able to read from file to not being in OpenSearch Security 7 format:

(Message shown below)
 .opendistro_security index already exists, so we do not need to create one.
 Populate config from /etc/wazuh-indexer/opensearch-security
 ERR: Seems /etc/wazuh-indexer/opensearch-security/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "description" (class org.opensearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: "dynamic"])
 at [Source: (String)"{"ldap":{"description":"Authenticate via LDAP or Active Directory","http_enabled":true,"transport_enabled":false,"order":5,"http_authenticator":{"type":"basic","challenge":false},"authentication_backend":{"type":"ldap","config":{"enable_ssl":true,"pemtrustedcas_filepath":"/etc/wazuh-indexer/opensearch-security/ldapcacert.pem","enable_start_tls":false,"enable_ssl_client_auth":false,"verify_hostnames":true,"hosts":["MSE-DC01.mse.net:636"],"bind_dn":"cn=wazuhadmin1,ou=Administrators,dc=MSE,dc=net","[truncated 3789 chars]; line: 1, column: 25] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["ldap"]->org.opensearch.security.securityconf.impl.v7.ConfigV7["description"])
 ERR: cannot upload configuration, see errors above

Can someone PLEASE help me resolve this, as it has been an ongoing issue for several weeks now with no progress?

Thank you for your assistance in advance!
Kind regards,
Pat

Mauricio Aguilar

Jun 12, 2024, 3:39:16 PM
Hi!
thanks for using Wazuh!
Please let me check this.
Which Wazuh version do you use?

Mauricio Aguilar

Jun 12, 2024, 3:49:03 PM
/etc/wazuh-indexer/opensearch-security is a folder. Can you check its permissions?


ls -lha /etc/wazuh-indexer/opensearch-security
total 72K
drwxr-x---  2 wazuh-indexer wazuh-indexer  245 Feb 29 19:11 .


ls -lha /etc/wazuh-indexer/opensearch-security/config.yml
-rw-r----- 1 wazuh-indexer wazuh-indexer 9.9K Feb 29 13:10 /etc/wazuh-indexer/opensearch-security/config.yml

Mauricio Aguilar

Jun 12, 2024, 3:52:39 PM
Please also check the values entered in the config.yml file; use quotes if you can, and try removing symbols to find the error.

Pat Patrick

Jun 12, 2024, 3:56:51 PM
We are currently running 4.7.4

Pat Patrick

Jun 12, 2024, 4:00:58 PM
total 144K
drwxr-x---  2 wazuh-indexer wazuh-indexer 4.0K Jun 12 17:23 .
drwxr-x--- 10 wazuh-indexer wazuh-indexer 4.0K May  2 15:36 ..
-rw-r-----  1 wazuh-indexer wazuh-indexer   50 Apr 25 10:06 action_groups.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer 2.0K Apr 25 10:06 allowlist.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer 2.5K Apr 25 10:06 audit.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer  12K Jun 12 17:23 config.yml
-rw-r-----  1 root          root           12K Jun 11 17:55 config.yml.bak.06112024
-rw-r-----  1 root          root          9.9K May 10 14:20 config.yml.bak.ldap
-rw-r-----  1 root          root           12K Jun  6 14:36 config.yml.bak.ldap.06062024
-rw-r-----  1 root          root           12K Jun 12 15:04 config.yml.bak.test
-rw-r--r--  1 wazuh-indexer wazuh-indexer 1.2K May  2 15:36 internal_users.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer 2.1K Jun 11 17:27 ldapcacert.pem
-rw-r-----  1 wazuh-indexer wazuh-indexer  154 Apr 25 10:06 nodes_dn.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer  13K Apr 25 10:06 opensearch.yml.example
-rw-r--r--  1 wazuh-indexer wazuh-indexer 1.2K May 10 16:51 roles_mapping.yml
-rw-r--r--  1 root          root          1.5K May 10 16:48 roles_mapping.yml.bak.ldap
-rw-r--r--  1 wazuh-indexer wazuh-indexer 4.6K Apr 25 10:18 roles.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer  170 Apr 25 10:06 tenants.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer  12K Jun 12 15:02 test.yml
-rw-r-----  1 wazuh-indexer wazuh-indexer 2.0K Apr 25 10:06 whitelist.yml


-rw-r----- 1 wazuh-indexer wazuh-indexer 12K Jun 12 17:23 /etc/wazuh-indexer/opensearch-security/config.yml

Pat Patrick

Jun 12, 2024, 4:08:01 PM
@Mauricio, Let me purge my config.yml file and I will send it to you momentarily. 

Thank you greatly for your assistance!


Mauricio Aguilar

Jun 12, 2024, 4:10:53 PM
These permissions seem to be ok.
I see you have a backup. I think you could check the differences with the diff command:
sudo su
diff /etc/wazuh-indexer/opensearch-security/config.yml /etc/wazuh-indexer/opensearch-security/config.yml.bak.ldap

Mauricio Aguilar

Jun 12, 2024, 4:16:49 PM
I was checking the error log again, and it seems like the description field. Please check description fields.

Mauricio Aguilar

Jun 12, 2024, 4:18:34 PM
I was checking the error log again, and it seems like the description field is in an invalid format. Please check the description fields, and delete or comment out this line.

Pat Patrick

Jun 12, 2024, 4:21:17 PM
# This is the main OpenSearch Security configuration file where authentication
# and authorization is defined.
#
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
#        http_enabled: true
#        transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
# and one role named "anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging)
#   clientcert (not challenging, needs https)
#   jwt (not challenging)
#   host (not challenging) #DEPRECATED, will be removed in a future version.
#                          host based authentication is configurable in roles_mapping

# Authc
  ldap:
    description: 'Authenticate via LDAP or Active Directory'
    http_enabled: true
    transport_enabled: false
    order: 5
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: ldap
      config:
        enable_ssl: true #Set to true if LDAPS is enabled, otherwise set to false.
        pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
        - MY-DC01.MY.net:636 #Port 389 for LDAP, 636 for LDAPS
        bind_dn: cn=wazuhadmin1,ou=Administrators,dc=MY,dc=net
        password: XXXXXXXXXXXXXXXXXXXX
        userbase: 'ou=Security Groups,dc=MY,dc=net'
        usersearch: (cn={0}) #Depending on your LDAP schema this can be CN, sAMAccountName, etc
        username_attribute: cn

# Authz
  roles_from_myldap:
    description: 'Authorize via LDAP or Active Directory'
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true #Set to true if LDAPS is enabled, otherwise set to false.
        pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
        - MY-DC01.MY.net:636 #Port 389 for LDAP, 636 for LDAPS
        bind_dn: cn=wazuhadmin1,ou=Administrators,dc=MY,dc=net
        password: XXXXXXXXXXXXXXXXXXXX
        userbase: 'ou=Security Groups,dc=MY,dc=net'
        usersearch: (cn={0}) #Depending on your LDAP schema this can be cn, sAMAccountName, etc
        username_attribute: cn
        rolebase: ou=Security Groups,dc=MY,dc=net #This is the subtree in the directory that contains the role/group
        rolesearch: '(member={0})' #Depending on your LDAP schema this can be member, memberOf, etc
        userrolename: memberof
        rolename: cn
        skip_users:
          - admin
          - kibanaserver

_meta:
  type: 'config'
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #private_tenant_enabled: true
    #default_tenant: ""
    #server_username: kibanaserver
    #index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: 'Authenticate via HTTP Basic against internal users database'
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: 'Authenticate via proxy'
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: 'x-proxy-user'
            roles_header: 'x-proxy-roles'
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: 'Authenticate via Json Web Token'
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: 'base64 encoded HMAC key or public RSA/ECDSA pem key'
            jwt_header: 'Authorization'
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: 'Authenticate via SSL client certificates'
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: 'Authenticate via LDAP or Active Directory'
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        description: 'Authorize via LDAP or Active Directory'
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        description: 'Authorize via another Active Directory'
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          #config goes here ...
  #    auth_failure_listeners:
  #      ip_rate_limiting:
  #        type: ip
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000
  #      internal_authentication_backend_limiting:
  #        type: username
  #        authentication_backend: intern
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000

Pat Patrick

Jun 12, 2024, 4:21:54 PM
Please see the config.yml file below. I was not able to attach it as I had hoped.

Mauricio Aguilar

Jun 12, 2024, 5:39:58 PM
Ok, it seems that your problem is that you have tabbed the first two configuration blocks.

Mauricio Aguilar

Jun 12, 2024, 5:42:16 PM
Please try to remove the tabulation in these two blocks.
Screenshot_20240612_184059.png
Screenshot_20240612_184157.png

Pat Patrick

Jun 12, 2024, 7:28:49 PM
Mauricio,

When that was attempted earlier it created a new set of errors. Please see below.

Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1

.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
ERR: Seems /etc/wazuh-indexer/opensearch-security/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "description" (class org.opensearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: "dynamic"])
at [Source: (String)"{"ldap":{"description":"Authenticate via LDAP or Active Directory","http_enabled":true,"transport_enabled":false,"order":5,"http_authenticator":{"type":"basic","challenge":false},"authentication_backend":{"type":"ldap","config":{"enable_ssl":true,"pemtrustedcas_filepath":"/etc/wazuh-indexer/opensearch-security/ldapcacert.pem","enable_start_tls":false,"enable_ssl_client_auth":false,"verify_hostnames":true,"hosts":["MSE-DC01.mse.net:636"],"bind_dn":"cn=wazuhadmin1,ou=Administrators,dc=MSE,dc=net","[truncated 3789 chars]; line: 1, column: 25] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["ldap"]->org.opensearch.security.securityconf.impl.v7.ConfigV7["description"])
ERR: cannot upload configuration, see errors above

Mauricio Aguilar

Jun 13, 2024, 6:53:45 AM
Hi again, 
I was checking the documentation, and it seems that instead of modifying the original authc and authz blocks, you have added two new code blocks.
Please delete the two previously tabbed code blocks, and enter that configuration in the original config/authc and config/authz blocks.
Screenshot_20240613_075254.png
Screenshot_20240613_074934.png

Pat Patrick

Jun 13, 2024, 8:26:07 AM
Mauricio,

I am looking at the information that you have provided and have recommended. I have a question about the top area as shown below. Do I set Authc and Authz to ldap by removing the # in this section or do I just move all my settings to the lower section and leave these be?


# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging)
#   clientcert (not challenging, needs https)
#   jwt (not challenging)
#   host (not challenging) #DEPRECATED, will be removed in a future version.
#                          host based authentication is configurable in roles_mapping

# Authc
#   internal
#   noop
#   ldap   <------------ remove hash here

# Authz
#   ldap     <------------ remove hash here
#   noop

Pat Patrick

Jun 13, 2024, 8:57:01 AM
Mauricio,

Please find the config that I have put together below. Can you please verify and advise so that I can get it moved over and implemented if it is all good. Thank you!

# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging)
#   clientcert (not challenging, needs https)
#   jwt (not challenging)
#   host (not challenging) #DEPRECATED, will be removed in a future version.
#                          host based authentication is configurable in roles_mapping

# Authc
#   internal
#   noop
#   ldap

# Authz
#   ldap
#   noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true

            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - MSE-DC01.MSE.net:636
            bind_dn: cn=wazuhadmin,ou=Service Accounts,dc=MSE,dc=net
            password:  XXXXXXXXXXXXXXXXXXXXXXXXX
            userbase: 'ou=Security Groups,dc=MSE,dc=net'

            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true

        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true

            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - MSE-DC01.MSE.net:636
            bind_dn: cn=wazuhadmin,ou=Service Accounts,dc=MSE,dc=net
            password: XXXXXXXXXXXXXXXXXXXXXXXXX
            rolebase: 'ou=Security Groups,dc=MSE,dc=net'

            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=Security Groups,dc=MSE,dc=net'

Pat Patrick

Jun 13, 2024, 11:41:53 AM
Mauricio,

I made the changes as recommended, changed run_as to true, and restarted the dashboard. Now I am not seeing any of our agents and am receiving the following error message. This message is occurring on my locally created administrator account. When attempting to use an LDAP account, it states that the username or password is invalid.

AxiosError: Wazuh API error: ERR_BAD_REQUEST - Permission denied: Resource type: *:* at settle (https://XXX.XXX.XXX.XXX/47402/bundles/plugin/wazuh/wazuh.plugin.js:8:20234) at XMLHttpRequest.onloadend (https://10.30.0.172/47402/bundles/plugin/wazuh/wazuh.plugin.js:8:25708)

Mauricio Aguilar

Jun 13, 2024, 2:07:01 PM
Hi again,
I am checking your config; I am not sure, but it could be related to the lack of quotes on the bind_dn field.
Screenshot_20240613_150539.png

Mauricio Aguilar

Jun 13, 2024, 2:16:58 PM
Screenshot_20240613_151556.png

Pat Patrick

Jun 13, 2024, 2:53:17 PM
Mauricio,

I have verified the permissions on the .pem file and they are correct. I have gone in and added the quotes on the bind_dn fields and re-ran securityadmin. At this point how can I verify that LDAP is connecting properly and locating the user group?

Pat Patrick

Jun 13, 2024, 2:58:13 PM
Here is the backend configuration for Authentication

{
  "enable_ssl": false,

  "pemtrustedcas_filepath": "/etc/wazuh-indexer/opensearch-security/ldapcacert.pem",
  "enable_start_tls": false,
  "enable_ssl_client_auth": false,
  "verify_hostnames": true,
  "hosts": [
    "MSE-DC01.MSE.net:389"
  ],
  "bind_dn": "cn=wazuhadmin1,ou=Service Accounts,dc=MSE,dc=net",
  "password": "XXXXXXXXXXXXXXXXXXXXXXXX,
  "userbase": "cn=Wazuh-Admins,ou=Security Groups,dc=MSE,dc=net",
  "usersearch": "(sAMAccountName={0})",
  "username_attribute": "cn"
}

Here is the backend configuration for Authorization

{
  "enable_ssl": false,

  "pemtrustedcas_filepath": "/etc/wazuh-indexer/opensearch-security/ldapcacert.pem",
  "enable_start_tls": false,
  "enable_ssl_client_auth": false,
  "verify_hostnames": true,
  "hosts": [
    "MSE-DC01.MSE.net:389"
  ],
  "bind_dn": "cn=wazuhadmin1,ou=Service Accounts,dc=MSE,dc=net",
  "password": "XXXXXXXXXXXXXXXXXXXXXX",
  "rolebase": "cn=Wazuh-Admins,ou=Security Groups,dc=MSE,dc=net",
  "rolesearch": "(member={0})",
  "userrolename": "memberOf",
  "rolename": "cn",
  "resolve_nested_roles": false,
  "userbase": "cn=Wazuh-Admins,ou=Security Groups,dc=MSE,dc=net",
  "usersearch": "(uid={0})",
  "username_attribute": "sAMAccountName",
  "rolesearch_enabled": true
}

Mauricio Aguilar

Jun 13, 2024, 3:10:31 PM
So you no longer receive new error messages?
Following the guide and then checking as in step 4.
Screenshot_20240613_160737.png

Pat Patrick

Jun 13, 2024, 3:14:55 PM
Mauricio,

When trying to log in with LDAP accounts that are supposed to be administrators, it says that either the username or password is incorrect and I am unable to log in. I have tried two different accounts that are in the CN=Wazuh-Admins group.

Mauricio Aguilar

Jun 13, 2024, 4:58:59 PM

Pat Patrick

Jun 13, 2024, 8:12:40 PM
Mauricio,

Thank you for this information. I will continue to review it, though it appears to be 4 years old. I have about 4 hours tomorrow, Friday June 14th, from 7 am to 11 am central time to get this matter resolved. I am turning this build over to a gov't site and this HAS to be resolved before that deadline. I have been working on this issue for over a month with the community and you are the first person to get me to at least a point where my config.yml file is talking properly. If we can just get through pulling in the users to their assigned groups, that would be fantastic!!!

Thank you for all of your hard work and insights!

Sincerely,
Pat

Pat Patrick

Jun 14, 2024, 12:07:40 PM
Greetings Mauricio,

Just wanted to reach out to see if you have heard anything back or have any additional ideas. We are still not getting users connected to Wazuh.

Thank you for your time.

Mauricio Aguilar

Jun 14, 2024, 5:30:37 PM
Hi again Pat, I'm glad you found it helpful. I will be online on Tuesday and will try to get you answers.

Pat Patrick

Jun 15, 2024, 10:49:41 AM
Mauricio,

Thank you for letting me know. I hope that we can determine what the issue is here and get it resolved. The client is unable to use Wazuh the way that it was intended to be used and I have several high ranking officials questioning the progress.

Sincerely,
Pat

Pat Patrick

Jun 17, 2024, 2:42:53 PM
Greetings Mauricio,

Please find a copy of our current config.yml file attached to this message. Specific items have been removed/changed but the configuration is intact. Let us know what you see or what you require additionally so that we can get it over to you as quickly as possible.

Thank you for your time and assistance.
Pat

config.yml.txt

Pat Patrick

Jun 18, 2024, 1:31:26 PM
Greetings Mauricio,

I hope that you were able to enjoy a bit of time off. I wanted to check with you to see if you received the config.yml file and have had a chance to review it and try to determine what is causing our issue currently.

Thank you for your time and I look forward to hearing back from you.

Kind regards,
Pat

Pat Patrick

Jun 21, 2024, 1:13:49 PM
Greetings Mauricio,

Just wanted to see if there have been any updates on this issue?

Kind Regards,
Pat

Pat Patrick

Jun 24, 2024, 9:58:02 AM
Greetings Mauricio,

Just wanted to check in with you to see if you have been able to review this matter further and assist us with a resolution?

Thank you kindly for your time!
Pat

Mauricio Aguilar

Jun 24, 2024, 6:08:21 PM
Hi Pat, sorry for the delay.
I am checking with the team how to debug this.
I hope to have an answer tomorrow.

Mauricio Aguilar

Jun 25, 2024, 8:47:04 AM
Hi Pat,

The computer says that you probably have a configuration error in the config.yml file.
I would check the Wazuh dashboard and Wazuh indexer logs to see if there is anything that might indicate the problem.
It is striking that the usersearch in authc and authz is different; I don't know if it is a configuration error or if it is intentional.
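An added checker, not code from this thread or from Wazuh/OpenSearch, that catches the three config.yml problems worked through above: the tab indentation and the authc/authz domains placed outside config.dynamic diagnosed on June 12-13, and the authc/authz usersearch mismatch noted here. It only tracks indentation, so it needs no YAML library; the two embedded configs are constructed samples, not the poster's file.

```python
"""Structural checks for an OpenSearch Security config.yml, the file securityadmin.sh
loads for the Wazuh indexer.  Added example for this thread, not Wazuh/OpenSearch code.
Only indentation is parsed, so no YAML library is needed (tabs are reported, not parsed)."""
import re

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.-]*):(.*)$")


def key_paths(text):
    """Return (entries, tab_lines): entries are (line_no, dotted.path, value) per 'key:'
    line; comments, blanks and '- item' lines are skipped; tab-indented lines are reported."""
    stack, entries, tab_lines = [], [], []              # stack holds (indent, key)
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped[0] == "#" or stripped.startswith("- "):
            continue
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:                             # a YAML parser rejects these anyway
            tab_lines.append(n)
            continue
        m = KEY_RE.match(stripped)
        if not m:
            continue
        while stack and stack[-1][0] >= len(leading):   # close sibling and deeper blocks
            stack.pop()
        value = m.group(2).split(" #", 1)[0].strip().strip("'\"")  # drop comment, quotes
        stack.append((len(leading), m.group(1)))
        entries.append((n, ".".join(k for _, k in stack), value))
    return entries, tab_lines


def check_config(text):
    """Return readable problems; an empty list means the layout passed."""
    entries, tab_lines = key_paths(text)
    issues = [f"line {n}: tab used for indentation (YAML requires spaces)" for n in tab_lines]
    values = {path: value for _, path, value in entries}
    if values.get("_meta.type") != "config":
        issues.append("_meta.type must be 'config' (securityadmin: 'Unable to read type from file')")
    for key in sorted({p for _, p, _ in entries if "." not in p} - {"_meta", "config"}):
        issues.append(f"unexpected top-level key '{key}': only _meta and config belong here")
    # A domain outside config.dynamic is what Jackson reports as an unknown field on
    # ConfigV7 (whose only known property is "dynamic").
    section_of = {"authentication_backend": "authc", "authorization_backend": "authz"}
    for n, path, _ in entries:
        parts = path.split(".")
        section = section_of.get(parts[-1])
        if section and parts[:3] != ["config", "dynamic", section]:
            issues.append(f"line {n}: '{path}' must sit under config.dynamic.{section}")
    # The thread's last finding: authc searched sAMAccountName while authz searched uid.
    searches = {"authc": set(), "authz": set()}
    for path, value in values.items():
        parts = path.split(".")
        if (path.endswith(".config.usersearch") and parts[:2] == ["config", "dynamic"]
                and parts[2] in searches):
            searches[parts[2]].add(value)
    if searches["authc"] and searches["authz"] and searches["authc"] != searches["authz"]:
        issues.append(f"usersearch differs: authc {sorted(searches['authc'])} "
                      f"vs authz {sorted(searches['authz'])}")
    return issues


# Constructed samples modelled on the thread, not the poster's real file.  BROKEN has the
# ldap domain at the top of the file with no parent, one tab-indented line and an authz
# usersearch on uid; FIXED moves the domain under config.dynamic.authc.
BROKEN = """\
  ldap:
    authentication_backend:
      type: ldap
      config:
\tenable_ssl: true
        usersearch: (sAMAccountName={0})
_meta:
  type: 'config'
config:
  dynamic:
    authz:
      roles_from_myldap:
        authorization_backend:
          type: ldap
          config:
            usersearch: '(uid={0})'
"""
FIXED = """\
_meta:
  type: 'config'
config:
  dynamic:
    authc:
      ldap:
        authentication_backend:
          type: ldap
          config:
            usersearch: (sAMAccountName={0})
    authz:
      roles_from_myldap:
        authorization_backend:
          type: ldap
          config:
            usersearch: '(uid={0})'
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_config(text) or ["no structural problems found"])
```

Run it before securityadmin.sh; an empty result means the layout matches what the ConfigV7 loader expects, not that the LDAP bind or user search will succeed.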

Pat Patrick

Jun 25, 2024, 8:53:56 AM
Greetings Mauricio,

It was not meant to be different. We need to pull users in from two security groups - Wazuh Admins and Wazuh Users (readonly). Which logs can we review to see what errors we are getting? As I am not onsite anymore I will need to provide detailed information to someone onsite that can collect and send me the information that we will need to review to troubleshoot and resolve this matter. I will look at the yml file that I provided you as it was the last config that was setup before I left.

Pat Patrick

Jun 27, 2024, 10:17:10 AM
Greetings Mauricio,

This is to let you know that there has been a delay in testing the recommended changes that you have made. I was advised that (others) attempted to make some changes to the system and did not advise me of an issue that occurred. They then performed a restore from a backup that removed weeks worth of work that I had done. I will have to re-do several items before I can attempt this corrected LDAP config. As soon as I have more information for you I will advise.

Thank you for your efforts thus far.
Sincerely,
Pat

Mauricio Aguilar

Jun 27, 2024, 5:19:27 PM
Ok, just check those things and let me know.

Mauricio Aguilar

Jul 2, 2024, 9:13:18 AM
Hello again, I am closing the ticket.
Please open a new ticket for future questions on any of our platforms (slack, google team, reddit, etc).
A team member will be happy to help you.
Thank you very much.

Pat Patrick

Jul 2, 2024, 12:57:53 PM
I am sorry to see that you are closing the ticket as the matter has not yet been resolved. We are currently trying to rebuild the system after a full system restore did not restore user accounts. I will try to pin this series of messages for the next person that gets the ticket so that they can review what you have done and the information provided.

Regards
