ldap


elvi...@gmail.com

Jul 22, 2022, 7:26:53 AM
to Wazuh mailing list
Hello.
Wazuh 4.2.7, unattended all-in-one installation.
I set up the config for LDAP authorization, but I can't see agents in Wazuh. Screenshot of the error:
wazuh1.jpg

How to fix it?


wazuh2.jpg
wazuh4.jpg
config.yml
wazuh3.jpg

Federico Rodriguez

Jul 25, 2022, 11:16:34 AM
to Wazuh mailing list
Hi Elvis!
Could you please share WazuhApp logs? There may be valuable information there to determine what caused the Internal server error:
cat /usr/share/kibana/data/wazuh/logs/wazuhapp-plain.log | grep -i -E "error|warn"

In the meantime, make sure you followed the steps described in this ldap integration guide:
https://github.com/wazuh/wazuh-documentation/issues/2983

elvi...@gmail.com

Jul 26, 2022, 2:34:54 AM
to Wazuh mailing list
I am very grateful for your help.

I followed this guide https://github.com/wazuh/wazuh-documentation/issues/2983 but when adding a role I get a format mismatch error:

:/usr/share/elasticsearch/plugins/opendistro_security/tools# ./securityadmin.sh -f ../securityconfig/roles.yml -icl -nhnv -cert /etc/elasticsearch/certs/admin.pem -cacert /etc/elasticsearch/certs/root-ca.pem -key /etc/elasticsearch/certs/admin-key.pem -t roles
WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/tools
Force type: roles
ERR: Seems ../securityconfig/roles.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cluster" (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7), not marked as ignorable (7 known properties: "index_permissions", "reserved", "hidden", "description", "static", "cluster_permissions", "tenant_permissions"])
 at [Source: (String)"{"_meta":{"type":"roles","config_version":2},"kibana_read_only":{"reserved":true},"security_rest_api_access":{"reserved":true},"alerting_read_access":{"reserved":true,"cluster_permissions":["cluster:admin/opendistro/alerting/alerts/get","cluster:admin/opendistro/alerting/destination/get","cluster:admin/opendistro/alerting/monitor/get","cluster:admin/opendistro/alerting/monitor/search"]},"alerting_ack_alerts":{"reserved":true,"cluster_permissions":["cluster:admin/opendistro/alerting/alerts/*"]},""[truncated 3211 chars]; line: 1, column: 3652] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration["ReadOnlyRole"]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7["cluster"])
ERR: cannot upload configuration, see errors above
On Monday, July 25, 2022 at 18:16:34 UTC+3, federico....@wazuh.com wrote:
wazuhapp-plain.log
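The error above is securityadmin.sh rejecting a role that uses the legacy v6 field `cluster` where the RoleV7 format expects `cluster_permissions`. The following is an added example, not code from the thread or from Wazuh, that checks a roles document (the dict you would get from `yaml.safe_load()` of roles.yml) against the seven RoleV7 fields named in that error and rewrites the legacy `cluster` and `indices` keys into v7 shape. The sample document is constructed; the `indices` conversion assumes the plain v6 layout (index pattern, document type, list of actions) with no fls/dls entries.

```python
import copy

# Fields RoleV7 accepts, exactly as listed in the securityadmin.sh error above.
ROLE_V7_FIELDS = {"index_permissions", "reserved", "hidden", "description",
                  "static", "cluster_permissions", "tenant_permissions"}
# Legacy (v6) role keys and their v7 names; "cluster" is the one the thread's
# securityadmin.sh run rejected, the other two are renamed the same way.
LEGACY_TO_V7 = {"cluster": "cluster_permissions", "indices": "index_permissions",
                "tenants": "tenant_permissions"}

# Constructed sample: a roles document as yaml.safe_load() would return it,
# with ReadOnlyRole written in the old v6 style (the situation in the thread).
SAMPLE_ROLES = {
    "_meta": {"type": "roles", "config_version": 2},
    "kibana_read_only": {"reserved": True},
    "ReadOnlyRole": {"cluster": ["cluster:monitor/*"],
                     "indices": {"wazuh-alerts-*": {"*": ["read"]}}},
}

def check_roles_document(doc):
    """One message per problem that 'securityadmin.sh -t roles' would reject."""
    problems = []
    meta = doc.get("_meta")
    if not (isinstance(meta, dict) and meta.get("type") == "roles"
            and meta.get("config_version") == 2):
        problems.append('_meta must be {"type": "roles", "config_version": 2}')
    for name, role in doc.items():
        if name == "_meta":
            continue
        for key in role:
            if key not in ROLE_V7_FIELDS:
                hint = LEGACY_TO_V7.get(key)
                problems.append(f'{name}: unrecognized field "{key}"'
                                + (f', rename it to "{hint}"' if hint else ""))
    return problems

def upgrade_legacy_role(role):
    """Rewrite v6 'cluster' and 'indices' into their RoleV7 equivalents."""
    new = {k: copy.deepcopy(v) for k, v in role.items()
           if k not in ("cluster", "indices")}
    if "cluster" in role:          # same action list, new key name
        new["cluster_permissions"] = list(role["cluster"])
    if "indices" in role:          # v6 nests pattern -> doc type -> actions
        new["index_permissions"] = [
            {"index_patterns": [pattern],
             "allowed_actions": sorted({a for acts in by_type.values()
                                        if isinstance(acts, list) for a in acts})}
            for pattern, by_type in role["indices"].items()]
    return new
```

Running `check_roles_document(SAMPLE_ROLES)` reports both legacy keys of ReadOnlyRole with the v7 name to use; after `upgrade_legacy_role()` the same check returns no problems.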

elvi...@gmail.com

Jul 26, 2022, 2:38:14 AM
to Wazuh mailing list
This happens when I add ReadOnlyRole in the file roles.yml and use securityadmin.sh.


On Tuesday, July 26, 2022 at 09:34:54 UTC+3, elvi...@gmail.com wrote:

elvi...@gmail.com

Jul 26, 2022, 2:46:26 AM
to Wazuh mailing list
Is it not enough to manage roles from the Kibana/Wazuh interface, or do you need to create roles and role mappings in configuration files? Currently, I can log in as a user from LDAP to the Kibana interface with all_access rights, but role mapping does not work in Wazuh. Is it possible to enable debug mode for a detailed log? Maybe I'm missing something.

On Tuesday, July 26, 2022 at 09:38:14 UTC+3, elvi...@gmail.com wrote:

elvi...@gmail.com

Aug 8, 2022, 9:13:30 AM
to Wazuh mailing list
Hello. I'm waiting for your advice.

On Tuesday, July 26, 2022 at 09:46:26 UTC+3, elvi...@gmail.com wrote:

Federico Rodriguez

Aug 10, 2022, 10:40:20 AM
to Wazuh mailing list

Here's what you need to enable Authentication and Authorization for LDAP.
You need to pay particular attention to the username_attribute setting, because it may be needed for mapping with Wazuh RBAC.
E.g. username_attribute: name.surname

After enabling LDAP you will be able to map the LDAP users to internal roles and Wazuh roles. You can follow this guide.
In step 5.b you can create a custom match rule against any of the following fields of the internal user context, instead of user_name as in the guide:

backend_roles: ["admin"]
custom_attribute_names: []
is_hidden: false
is_internal_user: true
is_reserved: false
roles: ["all_access", "own_index", "wazuh_admin", "my-custom-role"]
  0: "all_access"
  1: "own_index"
  2: "wazuh_admin"
tenants: {global_tenant: true, admin_tenant: true, wazuh: true}
  admin_tenant: true
  global_tenant: true
  wazuh: true
user_name: "wazuh"
user_requested_tenant: null

Note that the LDAP user is presented as an internal user too.

A useful rule is to match on internal roles:

{
  "FIND": {
    "roles": "my-custom-role"
  }
}

Note that in order to make use of the Wazuh RBAC, the user configured in your wazuh.yml (usually in /usr/share/kibana/data/wazuh/config) must have the allow_run_as attribute enabled.
By default, wazuh.yml is configured with the wazuh-wui user, which has allow_run_as set to true.
You can check this from the Wazuh app in Kibana, under Wazuh app menu / Tools / API Console, by running this query:

GET /security/users

Also, you need to enable the run_as setting in your wazuh.yml.
By default, wazuh.yml comes with this setting disabled:

hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: true

You can see an example of mapping internal users with Wazuh RBAC here.

Please let me know if this was helpful or if you have any further questions.

