Need help on Wazuh LDAP configuration with two OUs

129 views
Skip to first unread message

Hari ft

unread,
Mar 26, 2024, 8:30:50 AMMar 26
to Wazuh | Mailing List
Dear Team,

I have configured my Wazuh with LDAP. I have two OUs with 30 users. I was able to set login and admin privileges for users in one OU (my OU1). I have given full admin rights to a group (wazuh_admins) that is in the OU1 (my OU1) using roles_mapping.

My OU names are
OU1: my OU1 (20 users + 3 groups)
OU2: Norusers (10 users only)

Group name: wazuh_admins (5 users)

The LDAP configuration is given below. How can I add the second OU to the settings so that the users in the second OU will also be able to login to Wazuh.

In OU1, there are 20 users, of whom 5 are member of the group wazuh_admins. All users in "my OU1" are able to login to Wazuh and having permission missing error, which is normal. The 5 users have full rights.

I have tried multiple ways to add second OU. But failled. I have put the following settings in userbase:, rolebase:, and the userbase: presend after the rolebase: options. 

1. 'OU=my OU1,DC=testdc,DC=com' 'OU= Norusers,DC=testdc,DC=com' 
2. 'OU=my OU1,OU= Norusers,DC=testdc,DC=com'

Need help. I'm using wazuh 4.7.3.


Configuration:

    ldap:
        description: "Authenticate via LDAP or AD"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or AD)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <my-password>
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: cn

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <my-password>
            rolebase: 'OU=my OU1,DC=testdc,DC=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch_enabled: true
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: none
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: (sAMAccountName={0})
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
 

Pablo Ariel Gonzalez

unread,
Mar 26, 2024, 11:32:23 PMMar 26
to Wazuh | Mailing List
Hi Hari,

To confirm that I have understood correctly. You want two OUs to have access to Wazuh using LDAP as SSO. OU1 has internal groups to give different permissions and OU2 only allows access without internal groups. Is this correct?

I don't see the OU2 configuration in the file you shared, I guess that section is not included. If you remove the different groups configuration from OU1, all users of both OU's can access it without any problem?

It would be very useful if you could share with us the roles_mapping file you are using to analyze it. On the other hand, have you been able to verify if you get any error message in the wazuh log file (ossec.log) when an OU1 user tries to access it and fails?

Thanks,

Hari ft

unread,
Mar 27, 2024, 1:02:36 AMMar 27
to Wazuh | Mailing List
Dear Team,

I want to add OU2 to the configuration. I don't know how I can do that. 
Please help me modify the LDAP settings so that I can add the OU to the LDAP login.

Pablo Ariel Gonzalez

unread,
Mar 28, 2024, 11:02:28 AMMar 28
to Wazuh | Mailing List
Hi Hari,

    Correct, so your configuration for the OU1 is working correctly, what you have not been able to get working is the integration for both OU's to work together. Let me look into this query and I will send you an update as soon as possible.

Thanks,

Hari ft

unread,
Mar 31, 2024, 11:55:34 PMMar 31
to Wazuh | Mailing List
Hi Pablo,

Yes, that is correct. I'll wait for your replay.

Pablo Ariel Gonzalez

unread,
Apr 15, 2024, 8:33:02 AMApr 15
to Wazuh | Mailing List
Hi Hari,

Sorry for the delay in replying. Do you still need to resolve this issue or have you been able to resolve it?


Thanks,

Pablo Ariel Gonzalez

unread,
Apr 17, 2024, 11:20:06 PMApr 17
to Wazuh | Mailing List
Hi Hari,

Have you had a chance to review my previous comment? If you still have the problem, we will be happy to discuss it further.


Thanks

Hari ft

unread,
Apr 23, 2024, 7:03:07 AMApr 23
to Wazuh | Mailing List
Dear team,

I want to configure this; please help.

Pablo Ariel Gonzalez

unread,
Apr 27, 2024, 12:15:26 AMApr 27
to Wazuh | Mailing List
Hi Hari,

I will recheck the configuration you sent us and propose an alternative so that we can test the configuration. Please let me check it and I will have an update tomorrow.

Thanks,

Pablo Ariel Gonzalez

unread,
Apr 29, 2024, 9:17:05 AMApr 29
to Wazuh | Mailing List
Hi Hari,

I have not had the opportunity to verify it yet because it is necessary to have a similar environment for it, but we could try these alternatives.

The first one would be to try to use usersearch to indicate the OU you want to point to as follows
           hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <my-password>
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: cn

The other alternative would be to use different ldap blocks for each OU as described below.

authc: ldap: description: "Authenticate via LDAP or Active Directory" http_enabled: false transport_enabled: false order: 1 http_authenticator: type: "basic" challenge: false authentication_backend: type: "ldap" config: enable_ssl: false enable_start_tls: false enable_ssl_client_auth: false verify_hostnames: true hosts: - "testdc.com:389" bind_dn: CN=user1,CN=Users,DC=testdc,DC=com password: <my-password> userbase: 'OU=my OU1,DC=testdc,DC=com' usersearch: "(sAMAccountName={0})" username_attribute: null ldap2: description: "Authenticate via LDAP or Active Directory" http_enabled: false transport_enabled: false order: 2 http_authenticator: type: "basic" challenge: false authentication_backend: type: "ldap" config: enable_ssl: false enable_start_tls: false enable_ssl_client_auth: false verify_hostnames: true hosts: - "testdc.com:389" bind_dn: CN=user1,CN=Users,DC=testdc,DC=com password: <my-password> userbase: 'OU=my OU1,OU= Norusers,DC=testdc,DC=com' usersearch: "(sAMAccountName={0})" username_attribute: null authz: roles_from_myldap: description: "Authorize via LDAP or Active Directory" http_enabled: false transport_enabled: false authorization_backend: type: "ldap" config: enable_ssl: false enable_start_tls: false enable_ssl_client_auth: false verify_hostnames: true hosts: - "testdc.com:389" bind_dn: CN=user1,CN=Users,DC=testdc,DC=com password: <my-password> rolebase: "ou=groups,dc=example,dc=com" rolesearch: "(member={0})" userroleattribute: null userrolename: "disabled" rolename: "cn" resolve_nested_roles: true userbase: 'OU=my OU1,DC=testdc,DC=com' usersearch: "(uid={0})"

Let me know if you have been able to try these alternatives and if you consider them appropriate, if not we will continue investigating how to solve this problem.

Pablo Ariel Gonzalez

unread,
May 1, 2024, 1:33:56 AMMay 1
to Wazuh | Mailing List
Hi Hari,

Have you had a chance to review my previous comment? If you still have the problem we can continue to analyze it..


Thanks

Hari ft

unread,
May 21, 2024, 1:35:30 AM (9 days ago) May 21
to Wazuh | Mailing List
Dear Team,

I have configured it like this. Still, OU1 users can login, but OU2 users can't. The error says the incorrect credentials, even though they are correct.
In addition to the above-mentioned configuration, I have added one role, "read_only" with the following permissions:. It is used to give read only permission in Wazuh for OU2 (Norusers). The OU contains one group as well (wazuh_monitoring).

Cluster permissions: 
  • read
  • kibana_all_read
  • indices:data/read/msearch
  • indices_monitor
  • cluster_monitor

    Index permissions:
  • wazuh-*
    read




Backend Role: --  wazuh_monitoring






My configuration is: :/etc/wazuh-indexer/opensearch-security/config.yml

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>

            userbase: 'OU=my OU1,DC=testdc,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn


      ldap2:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            userbase: 'OU=Norusers,DC=testdc,DC=com'



    authz:
      roles_from_ldap1:

        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=my OU1,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none

            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=my OU1,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})

      roles_from_ldap2:
        description: "Authorize via another Active Directory"

        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - testdc.com:389
            bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
            password: <password>
            rolebase: 'OU=Norusers,DC=testdc,DC=com'

            rolesearch_enabled: true
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
            userbase: 'OU=Norusers,DC=testdc,DC=com'
            usersearch: (sAMAccountName={0})


My Configuration : /etc/wazuh-indexer/opensearch-security/roles_mapping.yml

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  - "wazuh_admins"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

#
#
# All other default configurations here, no change
#
#
#

read_only:
  reserved: false
  hidden: false
  backend_roles:
  - "wazuh_monitoring"
  hosts: []
  users: []
  and_backend_roles: []


Reply all
Reply to author
Forward
0 new messages