Active Directory Authentication for ES and Kibana

Hello. Firstly, I would like to apologize if this is the wrong section, but reading through the various older topics, it seems that the process of logging in to Kibana via AD is managed via ES, so you need to configure ES correctly.

So, following the official guide, I have added this to my elasticsearch.yml:

    discovery.type: single-node
    xpack.security.enabled: true
    #------------------------------------x-pack-----------------------------------
    xpack:
      security:
        authc:
          realms:
            active_directory:
              my_ad:
                order: 0
                domain_name: AD-example.local
                url: ldap://AD-example.local:636
                bind_dn: admin.user@AD-example.local

I have also used this code to add a group:

    PUT /_security/role_mapping/admins
    {
      "roles" : [ "monitoring" , "user" ],
      "rules" : { "field" : {
        "groups" : "cn=admins,dc=example,dc=com" 
      } },
      "enabled": true
    }

However, I am not able to log in using my AD user. Can you suggest what I am doing wrong?
My end goal is to authenticate Kibana access via AD, and then also, depending on the user/group, give different roles (i.e., if you are in the group "AD2" you only have access to indexes AD2*).

If you need any more info from me, please feel free to tell me so I can provide you with more info.

Thank you in advance

This doesn't add a group anywhere. It just says that if a user authenticates and they are members of the cn=admins,dc=example,dc=com group in your AD, they should get the monitoring and the user roles (are you sure you don't mean monitoring_user?).

What is the error you get? What is there in the logs?

Hello and thank you for your response.

So for your second point, the error I got is this (after tailing the Elasticsearch log in /var/log/elasticsearch):

    [2020-03-24T10:59:34,298][WARN ][o.e.x.s.a.AuthenticationService] [main.node] Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [active_directory/my_ad] were skipped because they are not permitted on the current license

Now the error is mentioning something about licensing. I did not mention that I am using the free version of ES that comes with xpack and some features (like SSL). I am assuming AD authentication is also supported on the free xpack?

About the Group code, thank you for your insight. So if I want to give a specific role to a group (let's say my_role) I can just use:

    "roles" : [ "my_role" ],

and they will automatically get assigned this role.

UPDATE: I also noticed the usage of my_ad in the error log; it comes from this command:

    bin/elasticsearch-keystore add \
      xpack.security.authc.realms.active_directory.my_ad.secure_bind_password

I just copied and pasted this command without changing anything; I don't know if it was the correct procedure.

No, and the error message states exactly that. See also the section "Elastic Stack security" in Subscriptions | Elastic Stack Products & Support | Elastic.

You can start a trial license if you want; that would allow you to test for 30 days, but not go to production with it. See Start trial API | Elasticsearch Guide [8.11] | Elastic.

Always, always, always share the exact error message from the logs and not your interpretation of it or why you think it is there.

Copy-pasting things around is almost never the correct procedure, unless you are replicating an existing identical setup. Again, once you tell us what the error is, we can suggest how you can fix it.

Hello. You are absolutely right about the error message. For better or worse, this is the only error message I am getting, so the "error" at this point is the license I have chosen. We need to review it and either upgrade or find another way to authenticate with AD.

Thank you for your help so far. Stay safe!
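
An added example, not part of the thread and not Elastic's own code: a small Python check that scans an Elasticsearch log for the AuthenticationService message quoted above and reports which configured realms were skipped for license reasons, and which realms authentication actually fell back to. The first sample line is the one from the thread; the other two lines and the realm name backup_ldap are constructed for illustration.

```python
import re

# First line is the log entry quoted in the thread; the other two are constructed
# (including the hypothetical realm name "backup_ldap").
SAMPLE_LOG = """\
[2020-03-24T10:59:34,298][WARN ][o.e.x.s.a.AuthenticationService] [main.node] Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [active_directory/my_ad] were skipped because they are not permitted on the current license
[2020-03-24T11:02:10,101][WARN ][o.e.x.s.a.AuthenticationService] [main.node] Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [active_directory/my_ad,ldap/backup_ldap] were skipped because they are not permitted on the current license
[2020-03-24T11:05:00,000][INFO ][o.e.n.Node] [main.node] started
"""

# Matches the AuthenticationService failure message; the "skipped" clause is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[[^\]]+\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"Authentication failed using realms \[(?P<tried>[^\]]*)\]\."
    r"(?: Realms \[(?P<skipped>[^\]]*)\] were skipped because they are "
    r"not permitted on the current license)?"
)


def split_realms(field):
    """Turn 'type/name,type/name' into [(type, name), ...]."""
    return [tuple(r.strip().split("/", 1)) for r in field.split(",") if r.strip()]


def find_license_skipped_realms(log_text):
    """Map each license-skipped realm to its count, first timestamp and the realms used instead."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("skipped"):
            continue  # not an auth failure, or no realm was skipped
        tried = split_realms(m.group("tried"))
        for realm in split_realms(m.group("skipped")):
            entry = findings.setdefault(
                realm, {"count": 0, "first_seen": m.group("ts"), "fell_back_to": tried})
            entry["count"] += 1
    return findings


if __name__ == "__main__":
    for (rtype, name), info in find_license_skipped_realms(SAMPLE_LOG).items():
        used = ", ".join("/".join(r) for r in info["fell_back_to"])
        print(f"realm {rtype}/{name}: skipped by license {info['count']}x "
              f"since {info['first_seen']}; authentication only tried: {used}")
```

A realm that shows up here never saw the login attempt, so bind credentials, the realm URL and role mappings cannot be judged from that failure.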
