LDAP user access issue


German DiCasas

Aug 21, 2025, 1:55:41 PM
to Wazuh | Mailing List
Hi team,

I added the LDAP service on Wazuh 4.10.1 and it works. But I have an issue: when the user belongs to the OU but not to the needed group, they can log in to the Wazuh dashboard and get an error, as in the attached picture. Can I prevent them from accessing the screen in the attached image? It's as if it were a password error. Because once inside, that user has access to, for example, Advanced Settings in Dashboard Management. They can't change the values, but they can see the full menu.


This is my file:

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - DC1.midominio.local:636
            bind_dn: CN=swazuh,OU=Servicios,OU=Sitio1,DC=midominio,DC=local
            password: ###123123###
            userbase: OU=Sitio1,DC=midominio,DC=local
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: sAMAccountName

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true #false
        transport_enabled: true #false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have t>
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - DC1.midominio.local:636
            bind_dn: CN=swazuh,OU=Servicios,OU=Sitio1,DC=midominio,DC=local
            password: ###123123###
            userbase: OU=Sitio1,DC=midominio,DC=local
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
            rolebase: OU=Grupos,OU=Sitio1,DC=midominio,DC=local
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the aut>
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: cn #memberof #disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on >
            resolve_nested_roles: true
            skip_users:
              - admin
              - kibanaserver
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'

Is that possible?

Thanks

German
error1.png

Alberto Marcelino Zárate

Aug 22, 2025, 3:53:10 PM
to Wazuh | Mailing List
Hello German, how are you?

Thank you for sharing logs and also a screenshot.
This behaviour is the expected one; it is not considered an error, since the user belongs to an OU that is actually bound to Wazuh.
The user has login permissions and, because they actually belong to the OU, they can navigate through the menu.

Thanks,

German DiCasas

Sep 2, 2025, 10:38:40 AM
to Wazuh | Mailing List
How can I prevent that user from logging in? I mean, what is the configuration to check only whether the user is a member of a group, no matter the OU? I want only the users in the needed groups to be able to log in; all the others I don't want to even be able to log in.

Regards

German
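One way to get what the last post asks for, as an added example that is not from this thread or from Wazuh's own documentation: tighten the authc usersearch filter itself, so that accounts outside the required group are never found by the user search and therefore can never authenticate, regardless of which OU they sit in. The group DN CN=wazuh-users,OU=Grupos,OU=Sitio1,DC=midominio,DC=local and the bind password are assumed placeholders; the other values mirror the configuration posted above.

```yaml
# Added example (not from the thread): only members of one AD group can log in.
# Assumed group DN: CN=wazuh-users,OU=Grupos,OU=Sitio1,DC=midominio,DC=local
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - DC1.midominio.local:636
            bind_dn: CN=swazuh,OU=Servicios,OU=Sitio1,DC=midominio,DC=local
            # Quoted placeholder: an unquoted value starting with '#' is read as a YAML comment.
            password: "<bind-password-placeholder>"
            # Search the whole domain instead of a single OU, so the OU no longer decides access.
            userbase: DC=midominio,DC=local
            # The entry must match BOTH the login name and direct membership of the group.
            # A user outside the group is simply not found, so no bind is attempted and the
            # login is refused before the dashboard is ever reached.
            usersearch: '(&(sAMAccountName={0})(memberOf=CN=wazuh-users,OU=Grupos,OU=Sitio1,DC=midominio,DC=local))'
            # If nested groups must count as membership, AD's LDAP_MATCHING_RULE_IN_CHAIN
            # can replace the plain memberOf test:
            # usersearch: '(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=wazuh-users,OU=Grupos,OU=Sitio1,DC=midominio,DC=local))'
            username_attribute: sAMAccountName
```

The authz section can stay as posted, since its rolesearch '(member={0})' already maps group membership to roles; the new filter only changes who is allowed to authenticate at all.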
