Active Directory - Account not assigned to role

Hello,

I want to use an active directory connection with x-pack.
My error is that the Active Directory account is associated with no role. However, it seems to me that I followed the configuration steps:

Edit elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: myactivedirectory.com
          url: ldap://myactivedirectory:389
          unmapped_groups_as_roles: true
          files:
            role_mapping: "CONFIG_DIR/x-pack/role_mapping.yml"

Edit role_mapping.yml

admin:
    - "CN=GG_USER_EXEMPLE1,OU=EXEMPLE,OU=EXEMPLE,DC=directory,DC=EXEMPLE,DC=com"

Edit roles.yml

admin:
    cluster: all
    indices:
        '*': all

To watch the connection log, I activated it in the file log4j2.properties:

logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

So when I log in, the connection is a success.

[2017-04-04T12:17:29,612][DEBUG][o.e.x.s.a.l.LdapRealm ] [Z7NT4T5] authenticated user [f.user], with roles [[GG_USER_EXEMPLE1, GG_USER_EXEMPLE2, GG_USER_EXEMPLE3, GG_USER_EXEMPLE4, GG_USER_EXEMPLE5 ]]

However, I can see nothing on the website; the whole page is white. I think I don't have access rights.

Do you know what the problem is?

Thank you

Regards,
FJ

You should assign the kibana_user role to those accounts on the role mapping file.

The admin role isn't listed there, which implies that your role_mapping file isn't working.

role_mapping: "CONFIG_DIR/x-pack/role_mapping.yml"

This probably isn't what you want - that's not a path that X-Pack can understand and unfortunately the system doesn't report an error if it can't find the file.

Just remove the files.role_mapping section entirely from your config. role_mapping.yml is the default filename, so there's no point specifying it explicitly.

Then, try again, and look for DEBUG messages from DnRoleMapper.
Those messages will tell you how many entries the role mapper finds, and how they are being applied to your user.

Hello TimV,

Thank you for your answer.

I already tried to remove files.role_mapping but it didn't work.
I think it doesn't find role_mapping.yml because I have these logs:

[2017-04-05T09:36:51,480][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Z7NT4T5] the roles [[]], are mapped from the user [CN=Fabien User,OU=SI,OU=EXEMPLE,OU=FR,OU=GROUP,DC=directory,DC=exemple-group,DC=com] for realm [active_directory/active_directory]

[2017-04-05T09:30:02,462][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Z7NT4T5] the roles [[]], are mapped from these [active_directory] groups [[CN=GG_USER_EXEMPLE1,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com, CN=GG_USER_EXEMPLE2,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com, CN=GG_USER_EXEMPLE3,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com, CN=GG_USER_EXEMPLE4,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com]]

And I tried with this in role_mapping.yml

admin:
    - "CN=Fabien User,OU=SI,OU=EXEMPLE,OU=FR,OU=GROUP,DC=directory,DC=exemple-group,DC=com"

However, I tried moving the role_mapping.yml file to another directory and configuring files.role_mapping like this:

files:
    role_mapping: "config/role_mapping.yml"

But it didn't work.

Do you think it found role_mapping.yml? Or maybe it's the configuration of my roles in this file (I tried a lot of mappings).

Thank you
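
The DnRoleMapper DEBUG lines quoted in this thread list the exact group DNs the realm resolved for the user, and a file role mapping only grants a role when an entry in role_mapping.yml matches one of those DNs. The following script, an added example and not Elasticsearch's own code, reads a role_mapping.yml of the simple form used above and a DnRoleMapper "groups" DEBUG line, normalises the DNs on both sides, and reports which role entries match and which do not (and whether any matched role is kibana_user, as the first reply recommends). The sample file and log line are constructed for the example and the tiny YAML reader handles only the two-level `role: - "DN"` layout; the DN normalisation (lowercase, no spaces after separators) is this example's approximation of a case-insensitive comparison, not a claim about the exact normalisation Elasticsearch applies.

```python
import re

# Constructed sample role_mapping.yml in the layout used in this thread.
# The admin entry deliberately names an OU path that differs from the one in the log.
ROLE_MAPPING_YML = """\
admin:
    - "CN=GG_USER_EXEMPLE1,OU=EXEMPLE,OU=EXEMPLE,DC=directory,DC=EXEMPLE,DC=com"
kibana_user:
    - "CN=GG_USER_EXEMPLE2,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com"
"""

# Constructed DnRoleMapper DEBUG line, shaped like the "groups" message quoted above.
DEBUG_LINE = (
    "[2017-04-05T09:30:02,462][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Z7NT4T5] the roles [[]], "
    "are mapped from these [active_directory] groups "
    "[[CN=GG_USER_EXEMPLE1,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com, "
    "CN=GG_USER_EXEMPLE2,OU=ALFRESCO,OU=APPLICATIONS,DC=directory,DC=exemple-group,DC=com]]"
)


def parse_role_mapping(text):
    """Minimal reader for the two-level 'role:' / '- "DN"' subset of role_mapping.yml.
    This is not a general YAML parser; it exists so the example runs without extra packages."""
    mapping = {}
    role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            dn = line[2:].strip().strip('"').strip("'")
            mapping.setdefault(role, []).append(dn)
        elif line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, [])
    return mapping


def normalize_dn(dn):
    """Comparison form: every RDN lowercased, no whitespace around the ',' separators.
    Simplification: escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_groups_from_log(line):
    """Extract the group DN list from a DnRoleMapper message ending in 'groups [[dn, dn, ...]]'.
    Assumes, as in the thread's log, that DNs contain no space after internal commas,
    while the list separator is ', ' followed by the next attribute type."""
    m = re.search(r"groups \[\[(.*)\]\]", line)
    if not m:
        return []
    return [g.strip() for g in re.split(r",\s+(?=[A-Za-z]+=)", m.group(1)) if g.strip()]


def check_mapping(role_mapping_text, debug_line):
    """Return (granted_roles, matched_entries, unmatched_entries) for one user's group list."""
    groups = {normalize_dn(g) for g in parse_groups_from_log(debug_line)}
    matched, unmatched = {}, {}
    for role, dns in parse_role_mapping(role_mapping_text).items():
        hits = [dn for dn in dns if normalize_dn(dn) in groups]
        misses = [dn for dn in dns if normalize_dn(dn) not in groups]
        if hits:
            matched[role] = hits
        if misses:
            unmatched[role] = misses
    return sorted(matched), matched, unmatched


def has_kibana_access(granted_roles):
    """The first reply's point: without kibana_user the UI stays blank even if auth succeeds."""
    return "kibana_user" in granted_roles


if __name__ == "__main__":
    roles, matched, unmatched = check_mapping(ROLE_MAPPING_YML, DEBUG_LINE)
    print("roles granted by file mapping:", roles)
    for role, dns in unmatched.items():
        for dn in dns:
            print(f"  entry for '{role}' matches none of the user's groups: {dn}")
    print("kibana access:", has_kibana_access(roles))
```

Run against the constructed input, the admin entry is reported as matching none of the user's groups (its OU path is not the one the realm returned), while the kibana_user entry matches and is the only role granted. Pasting a real DnRoleMapper line and the real role_mapping.yml into the two constants gives the same report for an actual account, which is a quicker check than editing the file and re-logging in.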
