Dear Team,
I have configured my Wazuh with LDAP. I have two OUs with 30 users. I was able to set login and admin privileges for users in one OU (my OU1). I have given full admin rights to a group (wazuh_admins) that is in the OU1 (my OU1) using roles_mapping.
My OU names are
OU1: my OU1 (20 users + 3 groups)
OU2: Norusers (10 users only)
Group name: wazuh_admins (5 users)
The LDAP configuration is given below. How can I add the second OU to the settings so that the users in the second OU will also be able to log in to Wazuh?
In OU1, there are 20 users, of whom 5 are members of the group wazuh_admins. All users in "my OU1" are able to log in to Wazuh and get a "permission missing" error, which is normal. The 5 users have full rights.
I have tried multiple ways to add the second OU, but failed. I have put the following settings in userbase:, rolebase:, and the userbase: present after the rolebase: option.
1. 'OU=my OU1,DC=testdc,DC=com' 'OU=Norusers,DC=testdc,DC=com'
2. 'OU=my OU1,OU= Norusers,DC=testdc,DC=com'
Need help. I'm using wazuh 4.7.3.
Configuration:
ldap:
  description: "Authenticate via LDAP or AD"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or AD)
    type: ldap
    config:
      # enable ldaps
      enable_ssl: false
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - testdc.com:389
      bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
      password: <my-password>
      userbase: 'OU=my OU1,DC=testdc,DC=com'
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: cn
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - testdc.com:389
        bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
        password: <my-password>
        rolebase: 'OU=my OU1,DC=testdc,DC=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch_enabled: true
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: none
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'OU=my OU1,DC=testdc,DC=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        # - 'cn=Michael Jackson,ou*people,o=TEST'
        # - '/\S*/'
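Added example (not from the original post, and not Wazuh's or the poster's own configuration): an LDAP DN names exactly one directory entry, so the single `userbase:` key cannot carry two OUs, and neither a space-separated pair of DNs nor a nested `OU=...,OU=...` path describes the two sibling OUs in the post. The OpenSearch Security LDAP backend that the Wazuh indexer uses accepts a `users:` map (and a `roles:` map on the authz side) holding several named search bases that are tried in turn. The entry names `primary-userbase`, `secondary-userbase` and `primary-rolebase` are free-form labels chosen here and are an assumption of this example; the DNs, filters and bind account are the ones from the post.

```yaml
# Added example: two explicit user search bases instead of one userbase.
# Assumption: the `users:` / `roles:` multi-base syntax of the OpenSearch
# Security LDAP backend; the map keys are labels of this example's choosing.
ldap:
  description: "Authenticate via LDAP or AD"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: ldap
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      hosts:
        - testdc.com:389
      bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
      password: <my-password>
      # `users:` replaces the `userbase:` / `usersearch:` pair. Each base is
      # searched in turn, so an account in either OU resolves without widening
      # the base to the whole domain (DC=testdc,DC=com) and exposing every
      # other account in the directory to the login path.
      users:
        primary-userbase:
          base: 'OU=my OU1,DC=testdc,DC=com'
          search: '(sAMAccountName={0})'
        secondary-userbase:
          base: 'OU=Norusers,DC=testdc,DC=com'
          search: '(sAMAccountName={0})'
      username_attribute: cn
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - testdc.com:389
        bind_dn: CN=user1,CN=Users,DC=testdc,DC=com
        password: <my-password>
        rolesearch_enabled: true
        # Group lookup stays scoped to OU1, where wazuh_admins lives. Users
        # from Norusers match no group there, so they log in with no mapped
        # backend role and keep the default "permission missing" state.
        roles:
          primary-rolebase:
            base: 'OU=my OU1,DC=testdc,DC=com'
            search: '(member={0})'
        userroleattribute: null
        userrolename: none
        rolename: cn
        resolve_nested_roles: true
        # The authz backend resolves the user DN again before the group
        # search, so it needs the same two bases as the authc backend.
        users:
          primary-userbase:
            base: 'OU=my OU1,DC=testdc,DC=com'
            search: '(sAMAccountName={0})'
          secondary-userbase:
            base: 'OU=Norusers,DC=testdc,DC=com'
            search: '(sAMAccountName={0})'
```

After applying the file with the indexer's securityadmin tool, a useful check is to authenticate as one account from each OU against the indexer's `_plugins/_security/authinfo` endpoint: the OU1 admin should show `wazuh_admins` among its backend roles, the Norusers account should authenticate with none, and the existing `roles_mapping` for `wazuh_admins` needs no change. Keeping the two bases explicit rather than moving `userbase` up to `DC=testdc,DC=com` is the least-privilege option: only the accounts in those two OUs can ever satisfy the user search, and the bind account `user1` still only needs read access to those subtrees.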