Need help on Wazuh LDAP configuration with two OUs


Hari ft

Dec 19, 2024, 6:57:44 AM
to Wazuh | Mailing List
Dear Team,

I have configured my Wazuh with LDAP. I have two OUs with 30 users.

My OUs :
OU1: 'OU=my OU1,DC=testdc,DC=com' (5 users + 1 groups)
OU2: 'OU= Norusers,DC=testdc,DC=com' (25 users only + 1 group)

Group name:
wazuh_admins (5 users) in OU=my OU1
wazuh_monitoring (25 users) in OU= Norusers

I was able to set login and admin privileges for users in my OU1. I have given full admin rights to a group (wazuh_admins) that is in the 'my OU1' OU using roles_mapping.

OU1 users can log in, but OU2 users can't. The error says incorrect credentials, even though they are correct. OU1 users have full admin rights, as configured.
I have added one role, "read_only", with the following permissions. It is used to give read-only permission in Wazuh to OU2 (Norusers).

Cluster permissions:
read
indices:data/read*
indices:admin/mappings/fields/get*
indices:admin/resolve/index
kibana_all_read
kibana:saved_objects/*/read
indices:data/read/explain
indices:data/read/field_caps
indices:data/read/field_caps*
indices:data/read/get
indices:data/read/mget
indices:data/read/mget*
indices:data/read/msearch
indices:data/read/msearch/template
indices:data/read/mtv
indices:data/read/mtv*
indices:data/read/point_in_time/create
indices:data/read/point_in_time/delete
indices:data/read/point_in_time/readall
indices:data/read/scroll
indices:data/read/search
indices:data/read/search/template
indices:data/read/tv
indices:data/read/search*
indices:data/read/scroll/clear
cluster:admin/opensearch/ql/datasources/read
indices_monitor
indices:monitor/*
cluster_monitor
cluster:monitor/*


Index permissions:
wazuh-*
read


Backend Role:
wazuh_monitoring


The LDAP configuration is given below.

My configuration in:
/etc/wazuh-indexer/opensearch-security/config.yml


    authc:
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn

      ldap2:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2   # must be unique per authc domain; domains are tried in ascending order
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            userbase: 'OU=Norusers,DC=testdc,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn


    authz:
      roles_from_ldap1:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=my OU1,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none

            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})

      roles_from_ldap2:
        description: "Authorize via another Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=Norusers,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=Norusers,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})


My configuration in:
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml


_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  - "wazuh_admins"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

#
#
# All other default configurations here, no change
#
#
#

read_only:
  reserved: false
  hidden: false
  backend_roles:
  - "wazuh_monitoring"
  hosts: []
  users: []
  and_backend_roles: []

Please help
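The following is an added example, not code from the original post, from Wazuh or from OpenSearch. It models offline how the security plugin in the Wazuh indexer walks the configuration posted above: authc domains are tried in ascending `order`, the login is located by a subtree search under each domain's `userbase`, the authz domains collect groups whose `member` attribute holds the user's DN under `rolebase`, and roles_mapping.yml turns those backend roles into indexer roles. The mini-directory (users alice and ananthan, the two groups) is constructed for the example; `username_attribute: cn` is not modelled. The lint function flags the one config-level defect visible in the post, the two authc domains sharing `order: 1`.

```python
from collections import Counter

# Constructed mini-directory (DN -> attributes) standing in for the testdc.com AD.
DIRECTORY = {
    "CN=alice,OU=my OU1,DC=testdc,DC=com": {"sAMAccountName": "alice", "cn": "alice"},
    "CN=ananthan,OU=Norusers,DC=testdc,DC=com": {"sAMAccountName": "ananthan", "cn": "ananthan"},
    "CN=wazuh_admins,OU=my OU1,DC=testdc,DC=com": {
        "cn": "wazuh_admins", "member": ["CN=alice,OU=my OU1,DC=testdc,DC=com"]},
    "CN=wazuh_monitoring,OU=Norusers,DC=testdc,DC=com": {
        "cn": "wazuh_monitoring", "member": ["CN=ananthan,OU=Norusers,DC=testdc,DC=com"]},
}

# The posted config.yml / roles_mapping.yml reduced to the fields the walk depends on.
AUTHC = {
    "ldap":  {"order": 1, "userbase": "OU=my OU1,DC=testdc,DC=com"},
    "ldap2": {"order": 1, "userbase": "OU=Norusers,DC=testdc,DC=com"},  # same order as 'ldap'
}
AUTHZ = {
    "roles_from_ldap1": {"rolebase": "OU=my OU1,DC=testdc,DC=com", "rolename": "cn"},
    "roles_from_ldap2": {"rolebase": "OU=Norusers,DC=testdc,DC=com", "rolename": "cn"},
}
ROLES_MAPPING = {"all_access": ["admin", "wazuh_admins"], "read_only": ["wazuh_monitoring"]}


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around attributes and values, so
    'OU= Norusers,DC=testdc,DC=com' and 'ou=norusers,dc=testdc,dc=com' compare equal."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def in_subtree(dn, base):
    """True if dn is base itself or lies below it (LDAP scope 'sub')."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def lint_authc(authc):
    """Config problems that do not depend on directory contents."""
    problems = []
    for order, n in Counter(d["order"] for d in authc.values()).items():
        if n > 1:
            names = sorted(k for k, d in authc.items() if d["order"] == order)
            problems.append(f"authc domains {names} share order {order}; give each a unique order")
    return problems


def authenticate(login, authc, directory):
    """Try authc domains in ascending 'order'; the first whose userbase subtree holds an
    entry matching usersearch '(sAMAccountName={0})' wins. Python's sort is stable, so
    equal orders fall back to file order here; the plugin gives no such guarantee."""
    for name, dom in sorted(authc.items(), key=lambda kv: kv[1]["order"]):
        for dn, attrs in directory.items():
            if attrs.get("sAMAccountName") == login and in_subtree(dn, dom["userbase"]):
                return name, dn
    return None, None


def backend_roles(user_dn, authz, directory):
    """rolesearch '(member={0})' under each rolebase, naming groups by 'rolename'."""
    found = set()
    for dom in authz.values():
        for dn, attrs in directory.items():
            members = {norm_dn(m) for m in attrs.get("member", [])}
            if norm_dn(user_dn) in members and in_subtree(dn, dom["rolebase"]):
                found.add(attrs[dom["rolename"]])
    return found


def mapped_roles(backend, roles_mapping):
    """roles_mapping.yml: a role applies if any of its backend_roles is held."""
    return {role for role, brs in roles_mapping.items() if backend & set(brs)}


def resolve(login):
    """Full walk for one login: authenticating domain, backend roles, mapped roles."""
    domain, dn = authenticate(login, AUTHC, DIRECTORY)
    if domain is None:
        return {"domain": None, "backend_roles": set(), "roles": set()}
    br = backend_roles(dn, AUTHZ, DIRECTORY)
    return {"domain": domain, "backend_roles": br, "roles": mapped_roles(br, ROLES_MAPPING)}


if __name__ == "__main__":
    for problem in lint_authc(AUTHC):
        print("CONFIG:", problem)
    for login in ("alice", "ananthan", "nobody"):
        print(login, resolve(login))
```

Run as-is it reports the shared order and shows ananthan being accepted by ldap2 with backend role wazuh_monitoring mapped to read_only, which is the outcome the posted configuration is meant to produce; if the real indexer rejects the same user, the difference lies in what the directory returns for the bind account and search filters, not in the mapping logic. One caveat a practitioner would add regardless of the login problem: the posted domains bind over plain LDAP on port 389 with `enable_ssl` and `enable_start_tls` both false, so the bind account's password and every user's password cross the network in clear; enable LDAPS or StartTLS before exposing this beyond a lab.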

Awwal Ishiaku

Dec 24, 2024, 4:00:37 AM
to Wazuh | Mailing List
Here are a few things you can check to troubleshoot this issue:

1. Verify LDAP Configuration:
- Double-check the LDAP configuration in the /etc/wazuh-indexer/opensearch-security/config.yml file, especially the hosts, bind_dn, password, userbase, and usersearch parameters for the ldap2 section.
- Ensure that the userbase and usersearch parameters are correctly configured for the OU=Norusers,DC=testdc,DC=com OU.
- You can try testing the LDAP connection using the ldapsearch command to ensure that the configuration is correct and the users can be found.

2. Check Roles Mapping:
- In the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file, ensure that the read_only role is correctly mapped to the wazuh_monitoring backend role.
- Verify that the wazuh_monitoring backend role is correctly defined and has the necessary permissions.
- Make sure that the read_only role is applied to the users from the OU=Norusers,DC=testdc,DC=com OU.

3. Restart Wazuh Services:
- After making any changes to the configuration files, make sure to restart the Wazuh services for the changes to take effect.
- Run the following commands:
     systemctl restart wazuh-manager
     systemctl restart wazuh-indexer

4. Check Wazuh Logs:
- Review the Wazuh logs, located at /var/ossec/logs/ossec.log and /var/log/wazuh-indexer/wazuh-cluster.log to check for any error messages or clues about the login issue.
- You can also enable debug-level logging by modifying the log_level parameter in the /etc/wazuh/ossec.conf file and restarting the Wazuh services.

5. Verify User Permissions:
- Ensure that the users from the OU=Norusers,DC=testdc,DC=com OU are correctly assigned to the wazuh_monitoring backend role.
- Check if the read_only role has the necessary permissions for the users to access the Wazuh dashboard.

If you have followed the steps correctly and still face issues, you can try the following additional steps:

Simplify the Configuration:
- Start with a simple LDAP configuration, focusing on a single OU, and gradually expand it to the full setup.
- This approach can help you identify any issues with the more complex configuration.

Hari ft

Jan 6, 2025, 11:30:23 PM
to Wazuh | Mailing List
Dear Team,

The users in the 1st OU are working fine, which indicates the configuration is correct.
I have used the same settings for the 2nd LDAP configuration as well.

There is not much in the Wazuh log. The only relevant line, from /var/log/wazuh-indexer/wazuh-cluster.log, is:
[2024-12-23T11:57:24,313][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for ananthan from 172.16.x.x:50514
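The following is an added example, not code from the thread, from Wazuh or from OpenSearch, covering two of the checks suggested in the troubleshooting reply above and the log line quoted in this post. `authinfo()` calls the security plugin's `/_plugins/_security/authinfo` endpoint as the failing user and `verdict()` separates the three stages at which the OU2 login can break: HTTP 401 (no authc domain found the user), HTTP 200 with the LDAP group missing from `backend_roles` (authz search failed), or the group present but the role missing from `roles` (roles_mapping not applied). `failed_logins()` summarises "Authentication finally failed" lines from wazuh-cluster.log per user and source address, which also doubles as a cheap brute-force indicator. BASE_URL, CA_FILE and the SAMPLE_LOG addresses are assumptions and constructed data.

```python
import base64
import json
import re
import ssl
import urllib.error
import urllib.request
from collections import Counter

BASE_URL = "https://wazuh-indexer.example:9200"   # placeholder: your indexer node
CA_FILE = "/etc/wazuh-indexer/certs/root-ca.pem"   # Wazuh's default root CA location


def basic_auth_header(user, password):
    """Authorization header value for the 'basic' http_authenticator."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authinfo(user, password, base_url=BASE_URL, ca_file=CA_FILE):
    """GET /_plugins/_security/authinfo as `user`; returns (http_status, body_dict|None).
    On 200 the body carries user_name, backend_roles (LDAP groups) and roles."""
    req = urllib.request.Request(
        base_url + "/_plugins/_security/authinfo",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def verdict(status, info, expected_backend_role, expected_role):
    """Classify an authinfo result into the stage at which the login is failing."""
    if status == 401:
        return "rejected: no authc domain found the user; check userbase/usersearch and the bind account"
    if status != 200 or info is None:
        return f"unexpected HTTP {status}"
    backend = set(info.get("backend_roles", []))
    roles = set(info.get("roles", []))
    if expected_backend_role not in backend:
        return f"group not resolved (backend_roles={sorted(backend)}); check rolebase/rolesearch"
    if expected_role not in roles:
        return f"no role mapped (roles={sorted(roles)}); check roles_mapping.yml and re-run securityadmin.sh"
    return f"ok: backend_roles={sorted(backend)} roles={sorted(roles)}"


# Line the security plugin writes when every authc domain has rejected a login.
FAILED_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[o\.o\.s\.a\.BackendRegistry\s*\] \[(?P<node>[^\]]+)\] "
    r"Authentication finally failed for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample modelled on the line quoted in the thread (addresses invented).
SAMPLE_LOG = """\
[2024-12-23T11:57:24,313][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for ananthan from 172.16.0.10:50514
[2024-12-23T11:58:01,002][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for ananthan from 172.16.0.10:50522
[2024-12-23T11:58:30,417][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-alerts-4.x-2024.12.23] creating index
[2024-12-23T12:01:09,870][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for bob from 10.0.0.5:41000
"""


def failed_logins(log_text):
    """Count 'Authentication finally failed' events per (user, source IP): one user
    from one source points at configuration, many users or sources at an attack."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("src").rsplit(":", 1)[0]   # drop the ephemeral port
            counts[(m.group("user"), ip)] += 1
    return counts


if __name__ == "__main__":
    for (user, ip), n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{user:<10} {ip:<15} {n} failure(s)")
    # Live check against the indexer (network required), for example:
    # status, info = authinfo("ananthan", "secret")
    # print(verdict(status, info, "wazuh_monitoring", "read_only"))
```

Two points worth keeping in mind when running the live check. First, the security plugin reads its configuration from the security index, not from the YAML files on disk, so editing config.yml or roles_mapping.yml and restarting the service is not enough; the files have to be pushed with /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh (run with -cd /etc/wazuh-indexer/opensearch-security/ and the admin certificate, CA and key from /etc/wazuh-indexer/certs/) before authinfo will reflect the change. Second, a 401 in authinfo together with the "finally failed" line in the log means no authc domain located the user at all, which is the stage to probe with ldapsearch using the same bind DN, userbase and (sAMAccountName=...) filter the ldap2 domain uses.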

Hari ft

Feb 14, 2025, 12:21:21 AM
to Wazuh | Mailing List
Hi,
Is anyone here able to support?
