LDAP permissions


Piotr

Feb 20, 2023, 8:44:30 AM2/20/23
to Wazuh mailing list
Hello,
I'm new to Wazuh but I have already learned some of its features (Wazuh 4.2.7).
I have recently configured authentication and authorization via Active Directory and there is one thing I don't know how to achieve.

Right now I have made two groups in AD (all privileges for admins and read only for others). I added some accounts to those groups.
If you are in "admins" group then you can log in and you have all rights. If you're in "RO group" then you can log in, see some events, reports etc. 

But if you're not a member of either of those two groups you can still log in properly. You can see most of the menu, you can see the names of the recently viewed reports, you can enter DevTools. Of course in every place there is information like "no permissions for [indices...", "forbidden" etc., but it still doesn't look good.

So the question is - what can I do to prevent other people (not listed in those two AD groups) from logging into Wazuh? Is there some configuration error I made that I should look for? Or is there any whitelist/blacklist that should be used? Or other solution?

Thanks in advance for any tips!
Piotr

Marcos Javier Bonacci

Feb 20, 2023, 11:22:24 AM2/20/23
to Wazuh mailing list
Hello Piotr,
Let me look into your query, and get back to you with comments on it.
Anyway, could you share with me:
authz and the roles_mapping
Regards,
Javier

Piotr

Feb 21, 2023, 8:31:19 AM2/21/23
to Wazuh mailing list
Hello Javier,

first a sketch of AD:

ZZZ.local
|- ...
|-Users
| |- ...
| |-Special01
| | |- bindwazuh
| |- ...
| |-Groups
| | |-Special02
| | | |- wazuh_admin
| | | |- wazuh_reader
| | |- ...
| |- ...
|- ...

part of config.yml:

    authc:
      ...
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - "ldap01xxx:389"
            - "ldap02xxx:389"
            bind_dn: "CN=bindwazuh,OU=Special01,OU=Users,DC=ZZZ,DC=local"
            password: "xxxxx"
            userbase: "OU=Users,DC=ZZZ,DC=local"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - "ldap01xxx:389"
            - "ldap02xxx:389"
            bind_dn: "CN=bindwazuh,OU=Special01,OU=Users,DC=ZZZ,DC=local"
            password: "xxxxx"
            rolebase: "OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "OU=Users,DC=ZZZ,DC=local"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"

Role mappings were done from the GUI, not by editing the yml file (more or less like here: https://groups.google.com/g/wazuh/c/JAvQcY9mZc4 ):

Kibana -> Security
 wazuh_admin
  Cluster permissions: unlimited
  Index permissions: *
  Internal users: -
  Backend roles: wazuh_admin
  Tenants: global_tenant

 wazuh_reader
  Cluster permissions: cluster_composite_ops_ro, cluster_reports_ro
  Index permissions: *
  Internal users: operator (new internal account)
  Backend roles: wazuh_reader, kibanauser
  Tenants: global_tenant

Wazuh -> Security
 wazuh_admin
  roles: readonly

 wazuh_reader
  roles: administrator


If any other info is needed just tell me :)

Piotr

Marcos Javier Bonacci

Feb 21, 2023, 9:57:13 AM2/21/23
to Wazuh mailing list
Good morning, Piotr
To permit only a group of users from Active Directory to access the Wazuh dashboard, you can use Role mapping [Role Mapping] and map AD users to 2 or more roles in Wazuh, like Damian Castro says in this conversation [Map AD users].
To map Active Directory users to the Wazuh dashboard, you can create roles and mappings in the Wazuh dashboard web UI, create an internal user and a new role mapping. Search for the all_access role in the roles list [Authentication and authorization], configure the roles_mapping.yml file to map the role from AD [Active Directory], or use a preconfigured role to install the Wazuh dashboard [Wazuh Dashboard].
Let me know if you were able to configure it correctly.
Best regards,
Javier

Piotr

Feb 22, 2023, 5:04:20 AM2/22/23
to Wazuh mailing list
Hello Javier
Thank you for your response.
Let me just clarify. 
If I understand you correctly, I need to create an account in Wazuh that is corresponding to the account in AD?
For example, if there is a person with AD account "johndoe" and he is a member of the "wazuh_reader" AD group, then I have to create an account "johndoe" in Kibana and Wazuh and map this account in Wazuh to the role named "wazuh_reader" that has "readonly" permissions?
I'm asking because I thought that it's enough just to create a role named like the AD group:
scr001.png

Piotr

Feb 22, 2023, 8:08:47 AM2/22/23
to Wazuh mailing list
Hi again ;)
For now I did something else, and now it looks like it is working fine ;)
In Kibana Security there is a role called "own_index" that every logged-in user gets mapped to.
scr002.png
scr003.png

I have deleted this "*" mapping:
scr004.png

And I haven't made any other changes.
Now when an AD user without any AD group assigned logs into Wazuh, he gets this info:
scr005.png

Other AD users, with the right group assigned, log in fine and they have the desired permissions.
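The fix in the last message works because the dashboard only lets a user in when at least one security role resolves for them, and the default own_index mapping (users: "*") hands every successfully authenticated LDAP user a role. The following is an added example written for this thread, not Wazuh or OpenSearch Security code: it simulates the usersearch/rolesearch/role-mapping chain from Piotr's config.yml over a small constructed directory (users alice, bob, carol, dave and a hypothetical nested group soc_team are invented) and shows what each user resolves to before and after the "*" mapping is removed. Group entries here deliberately omit sAMAccountName so that only user objects match the user search; real AD groups carry that attribute too.

```python
"""Simulate OpenSearch/Open Distro Security LDAP role resolution.

Added example for the thread above; not Wazuh/OpenSearch code. The directory
content, user names and the soc_team group are constructed for illustration.
"""
from collections import deque

# Constructed directory (DN -> attributes), mirroring the AD sketch in the thread.
DIRECTORY = {
    "CN=alice,OU=Users,DC=ZZZ,DC=local": {"sAMAccountName": "alice"},
    "CN=bob,OU=Users,DC=ZZZ,DC=local": {"sAMAccountName": "bob"},
    "CN=carol,OU=Users,DC=ZZZ,DC=local": {"sAMAccountName": "carol"},
    "CN=dave,OU=Users,DC=ZZZ,DC=local": {"sAMAccountName": "dave"},
    "CN=wazuh_admin,OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local": {
        "cn": "wazuh_admin",
        "member": ["CN=alice,OU=Users,DC=ZZZ,DC=local"],
    },
    "CN=wazuh_reader,OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local": {
        "cn": "wazuh_reader",
        "member": ["CN=bob,OU=Users,DC=ZZZ,DC=local",
                   "CN=soc_team,OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local"],
    },
    # Hypothetical nested group: carol is a reader only through soc_team.
    "CN=soc_team,OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local": {
        "cn": "soc_team",
        "member": ["CN=carol,OU=Users,DC=ZZZ,DC=local"],
    },
}

USERBASE = "OU=Users,DC=ZZZ,DC=local"                          # config.yml userbase
ROLEBASE = "OU=Special02,OU=Groups,OU=Users,DC=ZZZ,DC=local"   # config.yml rolebase

# Mirrors roles_mapping.yml before the fix: the "*" under own_index is the
# default entry that gives every authenticated user a security role.
ROLES_MAPPING_BEFORE = {
    "wazuh_admin":  {"backend_roles": ["wazuh_admin"]},
    "wazuh_reader": {"backend_roles": ["wazuh_reader", "kibanauser"],
                     "users": ["operator"]},
    "own_index":    {"users": ["*"]},
}
# After the fix: the wildcard user mapping on own_index is gone.
ROLES_MAPPING_AFTER = {
    "wazuh_admin":  {"backend_roles": ["wazuh_admin"]},
    "wazuh_reader": {"backend_roles": ["wazuh_reader", "kibanauser"],
                     "users": ["operator"]},
    "own_index":    {"users": []},
}


def in_subtree(dn, base):
    """True if dn is base itself or lies below it."""
    return dn == base or dn.endswith("," + base)


def user_search(username):
    """usersearch (sAMAccountName={0}) under userbase -> user DN, or None."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, USERBASE) and attrs.get("sAMAccountName") == username:
            return dn
    return None


def backend_roles(user_dn, resolve_nested=True):
    """rolesearch (member={0}) under rolebase, rolename=cn.

    With resolve_nested the search is repeated with every group DN found,
    so membership through an intermediate group is picked up as well.
    """
    names, seen, queue = set(), set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for gdn, attrs in DIRECTORY.items():
            if in_subtree(gdn, ROLEBASE) and dn in attrs.get("member", []):
                names.add(attrs["cn"])
                if resolve_nested:
                    queue.append(gdn)
    return sorted(names)


def security_roles(username, mapping, resolve_nested=True):
    """Resolve the security roles a user ends up with; None if authc fails."""
    user_dn = user_search(username)
    if user_dn is None:
        return None
    groups = backend_roles(user_dn, resolve_nested)
    roles = set()
    for role, m in mapping.items():
        users = m.get("users", [])
        if "*" in users or username in users:
            roles.add(role)
        if any(g in m.get("backend_roles", []) for g in groups):
            roles.add(role)
    return sorted(roles)


def dashboard_login_allowed(username, mapping, resolve_nested=True):
    """The dashboard admits a user only if at least one security role resolves."""
    return bool(security_roles(username, mapping, resolve_nested))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "before:", security_roles(user, ROLES_MAPPING_BEFORE),
              "after:", security_roles(user, ROLES_MAPPING_AFTER),
              "login:", dashboard_login_allowed(user, ROLES_MAPPING_AFTER))
```

Running it shows dave (no AD group) still resolving own_index before the change and nothing after it, which is exactly the difference Piotr observed. Two caveats a practitioner should keep in mind: deleting the own_index wildcard affects every authentication backend, including internal users, so any internal account you still want in must be mapped explicitly (as operator is above); and the check only decides who gets a role, it does not stop unaffiliated AD accounts from authenticating against the bind-DN-backed LDAP backend, so the credentials of an over-privileged bind account remain worth protecting.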