LDAP permission


Thaynara Soares

Jun 30, 2024, 3:38:04 PM
to Wazuh | Mailing List
Hi, good afternoon, can anyone help me? I'm implementing LDAP with Wazuh, but when I enter my username and password, the error below appears:

You have no permissions. Contact to an administrator: no permissions

- The settings with my LDAP appear normal, but when accessing the Wazuh interface I do not have access to anything, and I have already made the settings that appear in the documentation.

Christian Borla

Jul 1, 2024, 11:51:11 AM
to Wazuh | Mailing List
Hi Thaynara,
I hope you are well!

We can start by reviewing the configuration files; check these:

  • config.yml
  • roles_mapping.yml

Inside config.yml you will find 2 main blocks, one for authentication (authc) and the other for authorization (authz); inside them you will see blocks for the several supported logins that exist for OpenSearch (aka Wazuh Indexer).
You need to configure 2 blocks here, one for basic authentication and the other for LDAP authentication; both have a value named order, which tells the Wazuh Indexer which one will be evaluated first.
Pay attention to that configuration and follow this document: LDAP integration, to make sure you have all the configuration placed correctly.

Finally, to apply the configuration, you need to run a script (securityadmin.sh) to inject that configuration into an index inside the Wazuh Indexer.

I hope this will be helpful.

Christian Borla

Jul 1, 2024, 11:57:46 AM
to Wazuh | Mailing List
On the other hand, if you have a cloud environment, please check this link.

Thaynara Soares

Jul 2, 2024, 1:03:54 PM
to Wazuh | Mailing List
At the moment my configuration is like this:

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - ******:389
            bind_dn: CN=WAZUH corporativo,OU=WAZUH,OU=DTI - Contas de Serviços,OU=Usuários **,OU=**,OU=**,DC=***,DC=*****
            password: ***************
            rolebase: 'CN=WAZUH GRSI,OU=WAZUH,OU=DTI - Contas de Serviços,OU=Usuários **,OU=**,OU=**,DC=****,DC=******'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={2})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: memberOf
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'OU=Usuários DTI,OU=**,OU=**,DC=**,DC=**'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
            - admin
            - Kibanaserver
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'

Thaynara Soares

Jul 2, 2024, 1:04:49 PM
to Wazuh | Mailing List
My roles_mapping.yml configuration:

[screenshot attached]

Thaynara Soares

Jul 2, 2024, 1:05:45 PM
to Wazuh | Mailing List
[screenshot attached]

Thaynara Soares

Jul 2, 2024, 1:09:47 PM
to Wazuh | Mailing List
    authc:
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)

          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - ******:389
            bind_dn: cn=WAZUH corporativo,ou=WAZUH,ou=DTI - Contas de Serviços,ou=Usuários **,ou=*****,ou=**,dc=***,dc=***
            password: ***************
            userbase: 'ou=Usuários **,ou=******,ou=**,dc=***,dc=***'

            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null

On Tuesday, July 2, 2024 at 1:05:45 PM UTC-4, Thaynara Soares wrote:

Thaynara Soares

Jul 2, 2024, 1:16:25 PM
to Wazuh | Mailing List
LDAP users, when accessing, are falling under the rule ("own_index").
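A small consistency check for the config.yml pieces discussed in this thread, added here as an example; it is not code from the thread, from Wazuh or from OpenSearch. It reads only the nested key/value subset shown above (a constructed mini-reader, not a YAML library) and reports an authc domain without order, plus an authz usersearch that looks users up by a different attribute than the authc usersearch does, as the posted fragments do (sAMAccountName versus uid); an authz lookup that cannot find the user yields no LDAP groups, which is one plausible reason a user ends up with only the default mapping. The SAMPLE fragment is constructed with placeholder values.

```python
def parse_config(text):
    # Minimal reader for the config.yml subset in the thread (nested mappings and scalars);
    # '#' comments and '- item' lists are skipped. Constructed helper, not a YAML parser.
    root, stack = {}, []
    for raw in text.splitlines():
        body = (line := raw.split(" #", 1)[0].rstrip()).strip()
        if not body or body[0] in "#-": continue
        indent = len(line) - len(line.lstrip())
        while stack and indent <= stack[-1][0]: stack.pop()   # back out to enclosing mapping
        node = stack[-1][1] if stack else root
        key, _, val = body.partition(":")
        if val := val.strip().strip("'\""):
            node[key] = {"true": True, "false": False, "null": None}.get(val, val)
        else:
            stack.append((indent, node.setdefault(key, {})))
    return root

def user_attr(domain, backend):
    # Attribute a filter such as '(sAMAccountName={0})' matches on; None for other shapes.
    f = domain.get(backend, {}).get("config", {}).get("usersearch", "")
    return f[1:-5] if f.startswith("(") and f.endswith("={0})") else None

def lint_ldap_config(text):
    # Checklist from the thread: 'order' on each authc domain, and the same user-lookup
    # attribute in both usersearch filters (authz resolves roles only for a user it can find).
    cfg, out = parse_config(text), []
    authc, authz = cfg.get("authc", {}), cfg.get("authz", {})
    for cn, cd in authc.items():
        if "order" not in cd: out.append(f"authc.{cn}: missing 'order'")
        c = user_attr(cd, "authentication_backend")
        for zn, zd in authz.items():
            z = user_attr(zd, "authorization_backend")
            if c and z and c != z:
                out.append(f"authz.{zn}: usersearch uses '{z}' but authc.{cn} uses '{c}'; authz cannot find the user")
    return out

# Constructed fragment shaped like the two blocks posted in the thread (placeholder values).
SAMPLE = """\
authc:
  ldap:
    authentication_backend:
      config:
        usersearch: '(sAMAccountName={0})'
authz:
  roles_from_myldap:
    authorization_backend:
      config:
        usersearch: '(uid={0})'
"""
```

Run lint_ldap_config(SAMPLE) to see both findings; feed it the real config.yml text to check an actual deployment.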