@TimV
Sorry, I was totally misunderstanding. I was able to map the multibyte group name to an alphabetic role name.
Here is what I have found.
Mapping a multibyte group name to a multibyte role name does not work.
This is because Elasticsearch cannot store a multibyte role name.
[root@rhel2 ~]# curl -XPUT -u elastic:changeme localhost:9200/_xpack/security/role/情報システム -d '
> {
> "run_as" : [ "superuser" ]
> }'
{"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following symbols `@`, `-`, `.` or `$`;"}],"type":"validation_exception","reason":"Validation Failed: 1: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following symbols `@`, `-`, `.` or `$`;"},"status":400}[root@rhel2 ~]#
Mapping a multibyte group name to an alphabetic role name works.
This is how I did it.
1. Assign the multibyte security group to the user on the Active Directory side. Make sure the group is not set as the Primary Group.
2. The LDAP search returns an awkward result, but this is okay.
dn:: Q0495rih6L66IOijlSxDTj1Vc2VycyxEQz1leGFtcGxlLERDPWNvbQ==
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
...
memberOf:: Q0495oOF5aCx44K344K544OG44OgLENOPVVzZXJzLERDPWV4YW1wbGUsREM9Y29t
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
...
sAMAccountName: y-watanabe
3. elasticsearch.yml
ldap1:
  type: ldap
  order: 0
  url: ldap://ad:389
  bind_dn: "cn=creationline,cn=Users,dc=example,dc=com"
  bind_password: YuTennis123!
  user_search:
    base_dn: cn=Users,dc=example,dc=com
    scope: sub_tree
    attribute: sAMAccountName
  group_search:
    base_dn: cn=Users,dc=example,dc=com
  files:
    role_mapping: "/opt/elasticsearch/elasticsearch-5.4.0/config/x-pack/role_mapping.yml"
  unmapped_groups_as_roles: false
  follow_referrals: false
4. role_mapping.yml
superuser:
  - "cn=情報システム,cn=Users,dc=example,dc=com"
5. Elasticsearch log. The CN for the group name was empty, but it worked.
[2017-06-10T22:54:30,318][DEBUG][o.e.x.s.a.e.ReservedRealm] [Y_0s9_g] user [y-watanabe] not found in cache for realm [reserved], proceeding with normal authentication
[2017-06-10T22:54:30,318][DEBUG][o.e.x.s.a.l.LdapRealm ] [Y_0s9_g] user [y-watanabe] not found in cache for realm [ldap1], proceeding with normal authentication
...
[2017-06-10T22:54:35,639][DEBUG][o.e.i.f.p.ParentChildIndexFieldData] [Y_0s9_g] [.security_audit_log-2017.06.10] global-ordinals [_parent] took [5micros]
[2017-06-10T22:54:36,660][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Y_0s9_g] the roles [[superuser]], are mapped from these [ldap] groups [[CN=,CN=Users,DC=example,DC=com]] for realm [ldap/ldap1]
6. Kibana login succeeded.
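Two things in the post above are worth checking offline before touching a cluster: that the base64 `memberOf::` value in the LDAP search output really is the DN written into role_mapping.yml, and which candidate role names pass the rule quoted by the validation_exception. The script below is an added example, not code from the original post or from Elastic. LDIF_SAMPLE and ROLE_MAPPING are constructed to mirror the post (the base64 strings are the ones shown there), and normalize_dn() is a simplified stand-in for the DN normalisation Elasticsearch does when matching groups, not its actual code.

```python
"""Decode the '::' (base64) attributes of an ldapsearch LDIF dump, work out
which role_mapping.yml entries match the user's memberOf groups, and check
candidate role names against the rule quoted by the validation_exception.

Added example, not code from the original post or from Elastic. LDIF_SAMPLE
and ROLE_MAPPING are constructed to mirror the post; normalize_dn() is a
simplified stand-in for Elasticsearch's DN normalisation.
"""
import base64
import re
from typing import Dict, List

# Constructed LDIF in the shape ldapsearch prints it: any value that is not
# plain printable ASCII (here the Japanese user and group names) is emitted
# base64-encoded after a double colon, which is why it looks "awkward".
LDIF_SAMPLE = """\
dn:: Q0495rih6L66IOijlSxDTj1Vc2VycyxEQz1leGFtcGxlLERDPWNvbQ==
objectClass: top
objectClass: user
memberOf:: Q0495oOF5aCx44K344K544OG44OgLENOPVVzZXJzLERDPWV4YW1wbGUsREM9Y29t
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
sAMAccountName: y-watanabe
"""

# Constructed role mapping (role -> group DNs), the shape of role_mapping.yml.
# The second entry is a group the user is NOT a member of, to show filtering.
ROLE_MAPPING: Dict[str, List[str]] = {
    "superuser": ["cn=情報システム,cn=Users,dc=example,dc=com"],
    "monitoring_user": ["cn=Monitoring,cn=Users,dc=example,dc=com"],
}

# The role-name rule exactly as the validation_exception states it:
# 1-30 chars, first char a letter (a-z, A-Z) or '_', then letters, digits,
# '_', '@', '-', '.' or '$'. Multibyte characters can never match.
ROLE_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_@.$-]{0,29}")


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attr -> values.

    Unfolds continuation lines (leading space) and decodes 'attr:: <b64>'
    values from base64 as UTF-8, which is how LDIF carries non-ASCII data.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                               # 'attr: <value>'
            value = rest.strip()
        entry.setdefault(attr.strip(), []).append(value)
    return entry


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation (lowercase, whitespace trimmed per RDN) so
    the mixed-case DN returned by AD and the lowercase one in role_mapping.yml
    compare equal. Does not handle escaped commas or multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip()}={val.strip()}")
    return ",".join(rdns).lower()


def mapped_roles(entry: Dict[str, List[str]], mapping: Dict[str, List[str]]) -> List[str]:
    """Roles whose mapped group DNs intersect the entry's memberOf values."""
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    return sorted(role for role, dns in mapping.items()
                  if any(normalize_dn(d) in groups for d in dns))


def is_valid_role_name(name: str) -> bool:
    """True if the name satisfies the rule from the validation_exception."""
    return ROLE_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    entry = parse_ldif(LDIF_SAMPLE)
    print("dn       :", entry["dn"][0])
    for group in entry["memberOf"]:
        print("memberOf :", group)
    print("roles    :", mapped_roles(entry, ROLE_MAPPING))
    for candidate in ("情報システム", "superuser", "info_sys.team@jp$", "1st_line"):
        print(f"role name {candidate!r} valid: {is_valid_role_name(candidate)}")
```

Running it shows the `memberOf::` value decoding to `CN=情報システム,CN=Users,DC=example,DC=com`, so the lowercase DN in role_mapping.yml is a match once case is ignored, and shows that the multibyte name is rejected as a role name while `superuser` and other ASCII names pass. The DN comparison here deliberately ignores escaping and multi-valued RDNs; for group names containing commas or plus signs, rely on the DnRoleMapper debug line in the Elasticsearch log, as the post does, rather than on this shortcut.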