help needed on Wazuh LDAP integration


Hari ft

Apr 30, 2025, 12:19:14 AM
to Wazuh | Mailing List
Dear Team,

I'm using Wazuh 4.11.2

I have configured my Wazuh with LDAP. I have two OUs with a total of 35 users.

My OU names are
OU1: 25 users + 3 groups
OU2: 10 users

Group name: wazuh_admins (5 users); it is located under OU1, and its users are from OU1
Group name: wazuh_monitoring (10 users); it is located under OU2, and all of its users are from OU2

I was able to set login and admin privileges for users in OU1. I have given full admin rights to a group (wazuh_admins) that is in the OU1 using roles_mapping. The LDAP configuration is given below. I have tried multiple ways to add second OU, but failed.

OU1 users can log in, but OU2 users can't. The error says incorrect credentials, even though they are correct. OU1 users have full admin rights as per the configuration.
I have added one role, "read_only" with the following permissions. It is used to give read-only permission in Wazuh for OU2.


Cluster permissions:
read
indices:data/read*
indices:admin/mappings/fields/get*
indices:admin/resolve/index
kibana_all_read
kibana:saved_objects/*/read
indices:data/read/explain
indices:data/read/field_caps
indices:data/read/field_caps*
indices:data/read/get
indices:data/read/mget
indices:data/read/mget*
indices:data/read/msearch
indices:data/read/msearch/template
indices:data/read/mtv
indices:data/read/mtv*
indices:data/read/point_in_time/create
indices:data/read/point_in_time/delete
indices:data/read/point_in_time/readall
indices:data/read/scroll
indices:data/read/search
indices:data/read/search/template
indices:data/read/tv
indices:data/read/search*
indices:data/read/scroll/clear
cluster:admin/opensearch/ql/datasources/read
indices_monitor
indices:monitor/*
cluster_monitor
cluster:monitor/*


Index permissions:
wazuh-*
read


Backend Role:
wazuh_monitoring


The LDAP configuration is given below.

My configuration in:
/etc/wazuh-indexer/opensearch-security/config.yml

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>

            userbase: 'OU=OU1,DC=testdc,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn


      ldap2:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            userbase: 'OU=OU2,DC=testdc,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn


    authz:
      roles_from_ldap1:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=OU1,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none

            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=OU1,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})

      roles_from_ldap2:
        description: "Authorize via another Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=OU2,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=OU2,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})


My Configuration in:
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  - "wazuh_admins"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

#
#
# All other default configurations here, no change
#
#
#

read_only:
  reserved: false
  hidden: false
  backend_roles:
  - "wazuh_monitoring"
  hosts: []
  users: []
  and_backend_roles: []


I have tried all basic troubleshooting and multiple configurations as well; nothing has worked yet for OU2. OU1 is working perfectly. Please help.

Bony V John

Apr 30, 2025, 1:31:39 AM
to Wazuh | Mailing List

Hi,

Based on the shared /etc/wazuh-indexer/opensearch-security/config.yml configuration, it appears that you have added two separate ldap and authz blocks. It is recommended to use only one ldap configuration block for authentication. You can then configure multiple authz blocks to map users from different OUs.

Here is a sample configuration you can try:

ldap:
  description: "Authenticate via LDAP"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: ldap
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      hosts:
        - testdc.com:389
      bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
      password: <password>
      userbase: 'DC=testdc,DC=com'

      usersearch: '(sAMAccountName={0})'
      username_attribute: cn

Using userbase: 'DC=testdc,DC=com' allows users to authenticate from any OU under the domain.  

In the authz configuration, you can try the below configuration by splitting the OU groups:

authz:
  roles_from_ldap1:
    authorization_backend:
      type: ldap
      config:

        hosts:
          - testdc.com:389
        bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
        password: <password>
        rolebase: 'OU=OU1,DC=testdc,DC=com'
        rolesearch: '(member={0})'
        rolename: cn
        resolve_nested_roles: true
        userbase: 'DC=testdc,DC=com'

        usersearch: '(sAMAccountName={0})'

  roles_from_ldap2:
    authorization_backend:
      type: ldap
      config:

        hosts:
          - testdc.com:389
        bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
        password: <password>
        rolebase: 'OU=OU2,DC=testdc,DC=com'
        rolesearch: '(member={0})'
        rolename: cn
        resolve_nested_roles: true
        userbase: 'DC=testdc,DC=com'
        usersearch: '(sAMAccountName={0})'

Once this is configured, you can follow the Wazuh read-only user setup documentation to create and assign roles via the dashboard.

I also recommend reviewing the following documentation:

Hari ft

May 5, 2025, 12:59:00 AM
to Wazuh | Mailing List
Dear Team,

Thanks for the support. Now both of the OUs are reading. But I wasn't able to apply the read-only permission to the 2nd OU.
The 1st OU has full admin privileges. I want read-only access to all aspects of the 2nd OU.
Could you please help me with this?

Hari ft

May 5, 2025, 1:06:36 AM
to Wazuh | Mailing List
I have applied the following settings,

In roles.yml

# Wazuh custom role for SC Interns
read_only_wazuh:
  cluster_permissions:
    - "cluster_monitor"
    - "cluster:admin/ingest/pipeline/get"
    - "cluster:admin/ingest/pipeline/simulate"
    - "cluster:admin/opensearch/security/authinfo"

  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"
        - "search"
        - "indices:data/read/*"

  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"


In roles_mapping.yml

wazuh_readonly:

  reserved: false
  hidden: false
  backend_roles:
    - "OU2"
  hosts: []
  users: []
  and_backend_roles: []



This gives the following error in the cluster log:

[2025-05-05T10:31:51,783][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh
[2025-05-05T10:31:51,843][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh
[2025-05-05T10:31:52,104][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh
[2025-05-05T10:31:52,108][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh
[2025-05-05T10:31:55,885][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh
[2025-05-05T10:31:55,892][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node-1] Tenant global_tenant is not allowed for user Test User 4 Wazuh

Hari ft

May 5, 2025, 1:08:42 AM
to Wazuh | Mailing List
Sorry, not OU1 and OU2 in the settings:

wazuh_admins and wazuh_monitoring

Bony V John

May 6, 2025, 6:21:08 AM
to Wazuh | Mailing List

Hi,

To evaluate your configuration, could you please share the following files with us:

  • The /etc/wazuh-indexer/opensearch-security/config.yml file from the Wazuh indexer server.

  • The /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file, so we can review the role mappings.

  • A full screenshot of the role configuration of the role that you created for the read-only user in the Wazuh dashboard.

Please ensure that you have assigned the correct backend role in the role configuration. You can refer to the read-only user creation section in the official documentation for guidance: https://documentation.wazuh.com/current/user-manual/user-administration/ldap.html#setup-read-only-role
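Three details in this thread are never validated when the security configuration is loaded: the number of ldap authc domains (one domain rooted at the domain DN, with authz split per OU, was the advice above), whether each roles_mapping.yml key actually names a role defined in roles.yml, and whether every backend role is a group cn (what rolename: cn returns) rather than an OU name. The checker below is an added example, not code from this thread or from Wazuh; it assumes the three YAML files have already been parsed into Python dicts (for instance with PyYAML's safe_load), and all sample inputs are constructed to mirror the situations discussed above.

```python
# Offline sanity checks for an OpenSearch Security LDAP setup on the Wazuh indexer.
# Inputs are parsed YAML dicts: config.yml's config.dynamic, roles.yml, roles_mapping.yml.

def ldap_domains(dynamic: dict) -> dict:
    """Authc domains whose authentication backend is ldap."""
    return {n: d for n, d in dynamic.get("authc", {}).items()
            if d.get("authentication_backend", {}).get("type") == "ldap"}

def check_config(dynamic: dict, roles: dict, mapping: dict,
                 known_backend_roles: set, builtin_roles: set) -> list:
    """Return findings as strings; an empty list means nothing looked wrong.
    known_backend_roles: group CNs (rolename: cn) plus internal ones such as admin."""
    findings = []
    ldap = ldap_domains(dynamic)
    if len(ldap) > 1:
        findings.append(f"{len(ldap)} ldap authc domains {sorted(ldap)}: use one "
                        "domain whose userbase covers every OU, and split authz instead")
    orders = [d.get("order") for d in ldap.values()]
    for o in sorted(set(orders), key=str):
        if orders.count(o) > 1:
            findings.append(f"authc order {o} is shared by more than one domain")
    for name, m in mapping.items():
        if name == "_meta":
            continue
        if name not in roles and name not in builtin_roles:
            findings.append(f"roles_mapping key '{name}' matches no role in roles.yml")
        for br in m.get("backend_roles", []):
            if br not in known_backend_roles:  # e.g. an OU name instead of a group cn
                findings.append(f"mapping '{name}': backend role '{br}' is not a group cn")
    return findings

def authc_ldap(userbase: str, order: int = 1) -> dict:
    """Minimal ldap authc domain shaped like the thread's config.yml (constructed)."""
    return {"order": order, "authentication_backend": {"type": "ldap", "config": {
        "hosts": ["testdc.com:389"], "userbase": userbase,
        "usersearch": "(sAMAccountName={0})", "username_attribute": "cn"}}}

ROLES = {"read_only_wazuh": {"cluster_permissions": ["cluster_monitor"]}}
KNOWN = {"admin", "wazuh_admins", "wazuh_monitoring"}  # constructed: internal admin + AD group CNs
BUILTIN = {"all_access"}
# Constructed "before": two ldap domains sharing an order, a mapping key matching no role, an OU as backend role.
BEFORE_DYNAMIC = {"authc": {"ldap": authc_ldap("OU=OU1,DC=testdc,DC=com"),
                            "ldap2": authc_ldap("OU=OU2,DC=testdc,DC=com")}}
BEFORE_MAPPING = {"_meta": {"type": "rolesmapping", "config_version": 2},
                  "all_access": {"backend_roles": ["admin", "wazuh_admins"]},
                  "wazuh_readonly": {"backend_roles": ["OU2"]}}
# Constructed "after": one domain rooted at the domain DN, key = role name, backend role = group cn.
AFTER_DYNAMIC = {"authc": {"ldap": authc_ldap("DC=testdc,DC=com")}}
AFTER_MAPPING = {"all_access": {"backend_roles": ["admin", "wazuh_admins"]},
                 "read_only_wazuh": {"backend_roles": ["wazuh_monitoring"]}}
```

Run check_config on the "before" inputs to see all four findings, and on the "after" inputs to get an empty list.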

Hari ft

May 13, 2025, 9:50:12 AM
to Wazuh | Mailing List
Dear Team,

I have completed the LDAP config. Now it is working fine.
Thanks for the support.

Abdusamad Nazarov

Jul 22, 2025, 7:55:29 AM
to Wazuh | Mailing List
Hello, I want to set up the LDAP integration in Wazuh: https://documentation.wazuh.com/current/user-manual/user-administration/ldap.html

The code doesn't work; this is my second day struggling with it!
echo -n | openssl s_client -connect XXX-XX-XX.xxxxxx.local:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapcacert.pem

Result Error
eroor.png

Thank you!
Tuesday, May 13, 2025 at 18:50:12 UTC+5, Hari ft: