Need help on Wazuh LDAP configuration with two OUs
153 views
Skip to first unread message
Hari ft
Mar 26, 2024, 8:30:50 AMMar 26
to Wazuh | Mailing List
Dear Team,
ldap:
description: "Authenticate via LDAP or AD"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or AD)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
userbase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: cn
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
rolebase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch_enabled: true
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: none
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: (sAMAccountName={0})
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
I have configured my Wazuh with LDAP. I have two OUs with 30 users. I was able to set login and admin privileges for users in one OU (my OU1). I have given full admin rights to a group (wazuh_admins) that is in the OU1 (my OU1) using roles_mapping.
My OU names are
OU1: my OU1 (20 users + 3 groups)
OU2: Norusers (10 users only)
Group name: wazuh_admins (5 users)
The LDAP configuration is given below. How can I add the second OU to the settings so that the users in the second OU will also be able to login to Wazuh.
In OU1, there are 20 users, of whom 5 are member of the group wazuh_admins. All users in "my OU1" are able to login to Wazuh and having permission missing error, which is normal. The 5 users have full rights.
I have tried multiple ways to add second OU. But failled. I have put the following settings in userbase:, rolebase:, and the userbase: presend after the rolebase: options.
1. 'OU=my OU1,DC=testdc,DC=com' 'OU=
Norusers,DC=testdc,DC=com'
2. 'OU=my OU1,OU= Norusers,DC=testdc,DC=com'
Need help. I'm using wazuh 4.7.3.
Configuration:
description: "Authenticate via LDAP or AD"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or AD)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
userbase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: cn
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
rolebase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch_enabled: true
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: none
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'OU=my OU1,DC=testdc,DC=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: (sAMAccountName={0})
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
Pablo Ariel Gonzalez
Mar 26, 2024, 11:32:23 PMMar 26
to Wazuh | Mailing List
Hi Hari,
To confirm that I have understood correctly. You want two OUs to have access to Wazuh using LDAP as SSO. OU1 has internal groups to give different permissions and OU2 only allows access without internal groups. Is this correct?
I don't see the OU2 configuration in the file you shared, I guess that section is not included. If you remove the different groups configuration from OU1, all users of both OU's can access it without any problem?
It would be very useful if you could share with us the roles_mapping file you are using to analyze it. On the other hand, have you been able to verify if you get any error message in the wazuh log file (ossec.log) when an OU1 user tries to access it and fails?
To confirm that I have understood correctly. You want two OUs to have access to Wazuh using LDAP as SSO. OU1 has internal groups to give different permissions and OU2 only allows access without internal groups. Is this correct?
I don't see the OU2 configuration in the file you shared, I guess that section is not included. If you remove the different groups configuration from OU1, all users of both OU's can access it without any problem?
It would be very useful if you could share with us the roles_mapping file you are using to analyze it. On the other hand, have you been able to verify if you get any error message in the wazuh log file (ossec.log) when an OU1 user tries to access it and fails?
Thanks,
Hari ft
Mar 27, 2024, 1:02:36 AMMar 27
to Wazuh | Mailing List
Dear Team,
I want to add OU2 to the configuration. I don't know how I can do that.
Please help me modify the LDAP settings so that I can add the OU to the LDAP login.
Pablo Ariel Gonzalez
Mar 28, 2024, 11:02:28 AMMar 28
to Wazuh | Mailing List
Hi Hari,
Correct, so your configuration for the OU1 is working correctly, what you have not been able to get working is the integration for both OU's to work together. Let me look into this query and I will send you an update as soon as possible.
Thanks,
Hari ft
Mar 31, 2024, 11:55:34 PMMar 31
to Wazuh | Mailing List
Hi Pablo,
Pablo Ariel Gonzalez
Apr 15, 2024, 8:33:02 AMApr 15
to Wazuh | Mailing List
Hi Hari,
Sorry for the delay in replying. Do you still need to resolve this issue or have you been able to resolve it?
Thanks,
Pablo Ariel Gonzalez
Apr 17, 2024, 11:20:06 PMApr 17
to Wazuh | Mailing List
Hi Hari,
Have you had a chance to review my previous comment? If you still have the problem, we will be happy to discuss it further.
Thanks
Hari ft
Apr 23, 2024, 7:03:07 AMApr 23
to Wazuh | Mailing List
Dear team,
I want to configure this; please help.
Pablo Ariel Gonzalez
Apr 27, 2024, 12:15:26 AMApr 27
to Wazuh | Mailing List
Hi Hari,
I will recheck the configuration you sent us and propose an alternative so that we can test the configuration. Please let me check it and I will have an update tomorrow.
Thanks,
Pablo Ariel Gonzalez
Apr 29, 2024, 9:17:05 AMApr 29
to Wazuh | Mailing List
Hi Hari,
Let me know if you have been able to try these alternatives and if you consider them appropriate, if not we will continue investigating how to solve this problem.
I have not had the opportunity to verify it yet because it is necessary to have a similar environment for it, but we could try these alternatives.
The first one would be to try to use usersearch to indicate the OU you want to point to as follows
The first one would be to try to use usersearch to indicate the OU you want to point to as follows
The other alternative would be to use different ldap blocks for each OU as described below.
authc:
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 1
http_authenticator:
type: "basic"
challenge: false
authentication_backend:
type: "ldap"
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- "testdc.com:389"
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
userbase: 'OU=my OU1,DC=testdc,DC=com'
usersearch: "(sAMAccountName={0})"
username_attribute: null
ldap2:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: "basic"
challenge: false
authentication_backend:
type: "ldap"
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- "testdc.com:389"
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
userbase: 'OU=my OU1,OU= Norusers,DC=testdc,DC=com'
usersearch: "(sAMAccountName={0})"
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: "ldap"
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- "testdc.com:389"
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <my-password>
rolebase: "ou=groups,dc=example,dc=com"
rolesearch: "(member={0})"
userroleattribute: null
userrolename: "disabled"
rolename: "cn"
resolve_nested_roles: true
userbase: 'OU=my OU1,DC=testdc,DC=com'
usersearch: "(uid={0})"
Let me know if you have been able to try these alternatives and if you consider them appropriate, if not we will continue investigating how to solve this problem.
Pablo Ariel Gonzalez
May 1, 2024, 1:33:56 AMMay 1
to Wazuh | Mailing List
Hi Hari,
Have you had a chance to review my previous comment? If you still have the problem we can continue to analyze it..
Thanks
Hari ft
May 21, 2024, 1:35:30 AMMay 21
to Wazuh | Mailing List
Dear Team,
userbase: 'OU=my OU1,DC=testdc,DC=com'
usersearch: '(sAMAccountName={0})'
ldap2:
description: "Authenticate via LDAP or Active Directory"
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
rolesearch_enabled: true
rolesearch: '(member={0})'
rolename: cn
resolve_nested_roles: true
userbase: 'OU=my OU1,DC=testdc,DC=com'
http_enabled: true
transport_enabled: true
authorization_backend:
rolesearch_enabled: true
rolesearch: '(member={0})'
I have configured it like this. Still, OU1 users can login, but OU2 users can't. The error says the incorrect credentials, even though they are correct.
In addition to the above-mentioned configuration, I have added one role, "read_only" with the following permissions:. It is used to give read only permission in Wazuh for OU2 (Norusers). The OU contains one group as well (wazuh_monitoring).
Cluster permissions:
- Index permissions:
- wazuh-*
read
—
—
—
Backend Role: -- wazuh_monitoring
My configuration is: :/etc/wazuh-indexer/opensearch-security/config.yml
ldap:
description: "Authenticate via LDAP or Active Directory"
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <password>
userbase: 'OU=my OU1,DC=testdc,DC=com'
usersearch: '(sAMAccountName={0})'
username_attribute: cn
ldap2:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <password>
userbase: 'OU=Norusers,DC=testdc,DC=com'
authz:
roles_from_ldap1:
userbase: 'OU=Norusers,DC=testdc,DC=com'
authz:
roles_from_ldap1:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <password>
rolebase: 'OU=my OU1,DC=testdc,DC=com'
rolebase: 'OU=my OU1,DC=testdc,DC=com'
rolesearch_enabled: true
rolesearch: '(member={0})'
userroleattribute: null
userrolename: none
userrolename: none
rolename: cn
resolve_nested_roles: true
userbase: 'OU=my OU1,DC=testdc,DC=com'
usersearch: (sAMAccountName={0})
roles_from_ldap2:
description: "Authorize via another Active Directory"
roles_from_ldap2:
description: "Authorize via another Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
type: ldap
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- testdc.com:389
bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
password: <password>
rolebase: 'OU=Norusers,DC=testdc,DC=com'
rolebase: 'OU=Norusers,DC=testdc,DC=com'
rolesearch_enabled: true
rolesearch: '(member={0})'
userroleattribute: null
userrolename: none
rolename: cn
resolve_nested_roles: true
userbase: 'OU=Norusers,DC=testdc,DC=com'
usersearch: (sAMAccountName={0})
My Configuration : /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
userrolename: none
rolename: cn
resolve_nested_roles: true
userbase: 'OU=Norusers,DC=testdc,DC=com'
usersearch: (sAMAccountName={0})
My Configuration : /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
_meta:
type: "rolesmapping"
config_version: 2
all_access:
reserved: true
hidden: false
backend_roles:
- "admin"
- "wazuh_admins"
hosts: []
users: []
and_backend_roles: []
description: "Maps admin to all_access"
#
#
# All other default configurations here, no change
#
#
#
read_only:
reserved: false
hidden: false
backend_roles:
- "wazuh_monitoring"
hosts: []
users: []
and_backend_roles: []
type: "rolesmapping"
config_version: 2
all_access:
reserved: true
hidden: false
backend_roles:
- "admin"
- "wazuh_admins"
hosts: []
users: []
and_backend_roles: []
description: "Maps admin to all_access"
#
#
# All other default configurations here, no change
#
#
#
read_only:
reserved: false
hidden: false
backend_roles:
- "wazuh_monitoring"
hosts: []
users: []
and_backend_roles: []
Reply all
Reply to author
Forward
0 new messages