Hello. Firstly I would like to apologize if this is the wrong section, but reading through the various older topics it seems that the process of logging to Kibana via AD is managed via ES so you need to configure ES correctly.
So, following the official guide, I have added this to my elasticsearch.yml:
However, I am not able to log in using my AD user. Can you suggest what I am doing wrong?
My end goal is to authenticate Kibana access via AD, and then also, depending on the user/group, give different roles (i.e. if you are in the group "AD2" you only have access to indexes AD2*).
If you need any more info from me, please feel free to tell me so I can provide you with more info.
This doesn't add a group anywhere. It just says that if a user authenticates and they are members of the cn=admins,dc=example,dc=com group in your AD, they should get the monitoring and the user roles (are you sure you don't mean monitoring_user?).
What is the error you get? What is there in the logs?
So for your second point, the error I got is this (after tailing the Elasticsearch log in /var/log/elasticsearch):
[2020-03-24T10:59:34,298][WARN ][o.e.x.s.a.AuthenticationService] [main.node] Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [active_directory/my_ad] were skipped because they are not permitted on the current license
Now the error is mentioning something about licensing. I did not mention that I am using the free version of ES that comes with xpack and some features (like SSL). I am assuming AD authentication is also supported on the free xpack?
About the group code, thank you for your insight. So if I want to give a specific role to a group (let's say my_role) I can just use: "roles" : [ "my_role" ],
and they will automatically get assigned this role.
UPDATE: I also noticed in the error log the usage of my_ad, which comes from this command: bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
I just copied and pasted this command without changing anything, don't know if it was the correct procedure.
Always, always, always share the exact error message from the logs and not your interpretation of it or why you think it is there.
Copy-pasting things around is almost never the correct procedure, unless you are replicating an existing identical setup. Again, once you tell us what the error is, we can suggest how you can fix it.
Hello. You are absolutely right about the error message. For better or worse, this is the only error message I am getting, so the "error" at this point is the license I have chosen. We need to review it and either upgrade or find another way to authenticate with AD.
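An added example, not part of the thread and not Elastic's own tooling: a small Python check that scans Elasticsearch log lines for the AuthenticationService warning quoted above and reports which configured realms were skipped because of the license. The function names and the second sample line are constructed for illustration.

```python
import re

# Matches the AuthenticationService warning quoted in the thread. The trailing
# "Realms [...] were skipped" clause is optional so other failures still parse.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[o\.e\.x\.s\.a\.AuthenticationService\]\s*"
    r"\[(?P<node>[^\]]+)\]\s*Authentication failed using realms "
    r"\[(?P<tried>[^\]]*)\]\.?"
    r"(?:\s*Realms \[(?P<skipped>[^\]]*)\] were skipped because they are "
    r"not permitted on the current license)?"
)

def parse_realms(field):
    """Turn 'type/name,type/name' into [(type, name), ...]."""
    out = []
    for item in (field or "").split(","):
        if item.strip():
            rtype, _, name = item.strip().partition("/")
            out.append((rtype, name))
    return out

def find_license_skipped_realms(lines):
    """Return one record per log line in which a configured realm was skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("skipped"):
            continue
        findings.append({
            "timestamp": m.group("ts"),
            "node": m.group("node"),
            "tried": parse_realms(m.group("tried")),
            "skipped": parse_realms(m.group("skipped")),
        })
    return findings

# Sample input: the first line is the one posted in the thread; the second is
# constructed here to show a failure where no realm was skipped.
SAMPLE = [
    "[2020-03-24T10:59:34,298][WARN ][o.e.x.s.a.AuthenticationService] [main.node] "
    "Authentication failed using realms [reserved/reserved,file/default_file,"
    "native/default_native]. Realms [active_directory/my_ad] were skipped because "
    "they are not permitted on the current license",
    "[2020-03-24T11:02:10,113][WARN ][o.e.x.s.a.AuthenticationService] [main.node] "
    "Authentication failed using realms [reserved/reserved,native/default_native].",
]

if __name__ == "__main__":
    for f in find_license_skipped_realms(SAMPLE):
        print(f["timestamp"], f["node"], "skipped:", f["skipped"])
```

A non-empty result means a realm is configured in elasticsearch.yml but was never consulted, so credentials for that realm cannot succeed no matter how the realm itself is set up.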