Roles in AD integration Wazuh 4.3


Mario Alejandro Porco

Sep 7, 2022, 2:13:10 PM
to Wazuh mailing list
Hi wazuh experts

I need your assistance. Recently I integrated Wazuh 4.3 with Active Directory.
The integration with Active Directory is OK, users of my OU can log in to Wazuh, but I can't configure the final steps (roles in OpenDistro):


"Then you need to map the roles from OpenDistro with the already created AD/LDAP user, by editing the file: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "Wazuh_Admins"
  description: "Maps admin to all_access""

I attached the error shown when users log in to Wazuh.
I need to map AD users to 2 or more roles in Wazuh (for example, role 1 admin and role 2 "consulting role").

Can you help me to finish this integration?

Thanks in advance




wazuh ad integration.jpg

Damian Nicastro

Sep 7, 2022, 2:48:59 PM
to Wazuh mailing list
Hello marioa.porco:
I hope you are fine.
The config block you have shown is fine for an AD group that has administrator privileges in Wazuh. There is no point in adding other roles to an administrator if he already has all the privileges ("all_access" role).
However, if you want to create a group in AD with different privileges, you can then add them as "backend_roles" in any of the built-in wazuh-dashboard roles you have in the file:
[wazuh-server ~]# cat /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
---
# In this file users, backendroles and hosts can be mapped to Open Distro Security roles.
# Permissions for Opendistro roles are configured in roles.yml

_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here

## Default roles mapping

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  hosts: []
  users: []
  and_backend_roles: []

  description: "Maps admin to all_access"

own_index:
  reserved: false
  hidden: false
  backend_roles: []
  hosts: []
  users:
  - "*"
  and_backend_roles: []
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  hidden: false
  backend_roles:
  - "logstash"
  hosts: []
  users: []
  and_backend_roles: []

readall:
  reserved: true
  hidden: false
  backend_roles:
  - "readall"
  hosts: []
  users: []
  and_backend_roles: []

manage_snapshots:
  reserved: true
  hidden: false
  backend_roles:
  - "snapshotrestore"
  hosts: []
  users: []
  and_backend_roles: []

kibana_server:
  reserved: true
  hidden: false
  backend_roles: []
  hosts: []
  users:
  - "kibanaserver"
  and_backend_roles: []

kibana_user:
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps kibanauser to kibana_user"

# Wazuh monitoring and statistics index permissions
manage_wazuh_index:
  reserved: true
  hidden: false
  backend_roles: []
  hosts: []
  users:
  - "kibanaserver"

Additionally, you can create your own custom roles and then map them to an AD group. For this you have to configure them in /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml following the same structure as the default roles.
Just remember that after any change in the opensearch-security plugin config files you have to run the "securityadmin.sh" script to insert these changes in the ".opendistro_security" index. I recommend you run this script like this:
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert /etc/wazuh-indexer/certs/root-ca.pem -cert /etc/wazuh-indexer/certs/admin.pem -key /etc/wazuh-indexer/certs/admin-key.pem -h localhost -icl

You can also create your roles and mappings in the wazuh-dashboard web UI by clicking on the "three lines" main menu in the top left corner, selecting "Security" and then "Roles". There you don't need to run the previous script, but if you do, all the config that you did graphically will be replaced by the one in the config files mentioned previously.

I hope this helps.
Thanks
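Putting the reply above together, here is an added example (not from the thread or the Wazuh project) of a custom read-only role in roles.yml and a roles_mapping.yml that maps two hypothetical AD groups, "Wazuh_Admins" and "Wazuh_Analysts", to roles. It assumes the LDAP authorization config resolves AD group names to backend roles (in the Wazuh docs' LDAP config, `rolename` is the group CN), so the backend_roles entries must match the group names exactly, and that the files are loaded with the securityadmin.sh command shown above.

```yaml
# --- /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles.yml
# Added example; role name "wazuh_readonly" and the action groups used
# (cluster_composite_ops_ro, read, kibana_all_read) are OpenSearch Security built-ins.
_meta:
  type: "roles"
  config_version: 2

wazuh_readonly:
  reserved: false
  hidden: false
  description: "Read-only access to Wazuh indices and a read-only dashboard tenant"
  cluster_permissions:
  - "cluster_composite_ops_ro"       # read-only multi-document ops (msearch, mget)
  index_permissions:
  - index_patterns:
    - "wazuh-alerts-*"
    - "wazuh-monitoring-*"
    - "wazuh-statistics-*"
    allowed_actions:
    - "read"                         # search/get only; no write or index admin
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"              # saved objects are visible but not editable

# --- /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
# The AD group names below are constructed for this example; a user who belongs
# to several groups receives the union of every role mapped to those groups.
_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "Wazuh_Admins"                   # AD group: full administrator
  description: "Maps admin and the Wazuh_Admins AD group to all_access"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  - "Wazuh_Analysts"                 # needed to open the dashboard at all

wazuh_readonly:
  reserved: false
  backend_roles:
  - "Wazuh_Analysts"                 # AD group: the "consulting" role from the question
```

Leave `reserved: false` on mappings you intend to edit (a reserved mapping cannot be changed from the UI), and keep the kibana_user mapping for non-admin groups, since a backend role mapped only to a data role still cannot log in to the dashboard.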

Cleiton

Jan 3, 2024, 11:06:59 AM
to Wazuh | Mailing List

I have the same problem and followed the steps in the following documentation: https://documentation.wazuh.com/current/user-manual/user-administration/ldap.html#authentication-and-authorization-configuration
Could I have an example of configuring roles.yml?