Active Directory Authentication

Hello There.
I am having a problem connecting the Elastic Stack to Active Directory. I can browse AD with the LdapSoft AD browser, but I cannot log in to Kibana with it. I copied the DN and put it into my role mappings, but I still cannot log in, and I am not able to troubleshoot it. How can I authenticate with AD?

Hi,
The screenshot you added is about mapping a group or user to a role called superuser, which is involved after authentication, but you mention you can't connect to AD.
What error are you getting when you try to log in with the user, or what error do you see in the logs? Is it a permission error, or is the credential not recognised?

-> If you get a permission error, then the AD connection is OK and you should check that you have created a role called "superuser" (GET /_xpack/security/role).

-> If you get an error that the credentials are not recognised, then the issue is the connection to AD, and the only file to look at for this is elasticsearch.yml. Could you send the xpack.security.authc.realms section?
What I would always recommend is to use the same settings you have used for the Active Directory realm with Apache Directory Studio; this will quickly enable you to find the right connection parameters for the AD domain controller. This will also help you with user mapping afterwards, which should only be looked at once users authenticate and you start seeing errors related to permissions to perform some actions.

Hope this helps


Hi,

We had a similar issue when anonymous binding was disabled at the Active Directory level.
Currently the X-Pack AD realm doesn't support a bind user.
In our case, after changing the AD realm to an LDAP realm, the Active Directory integration started to work correctly.

Regards
Ewa


Hey there thanks for your response.

This is the log in the terminal right now.

I guess it is an SSL problem, but I am not quite sure what I missed.
Would you have any idea?

Yes, you are absolutely right: "peer not authenticated" means your SSL certificate is not valid against the domain controller you are connecting to with the ldaps protocol.

A few things I would try:

  • Apache Directory Studio: just connect using the same parameters. If you use ldaps it will likely automatically download a certificate, which you might be able to export from that tool and then use in your elasticsearch.yml. You can also try afterwards with the certificate in Preferences / Apache Directory Studio / Connections / Certificate Validation.
  • ldap instead of ldaps: if you are allowed to test this, test without SSL and make sure this works. Then change to the SSL port, adding a valid certificate.

I advise Apache Directory Studio, but other LDAP clients may do as well; it will be much faster to check everything in such a client, as you'll get any error directly from the client. Hope this helps.

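A realm section for elasticsearch.yml that covers both points raised so far: the xpack.security.authc.realms section asked for in the first reply, and the ldaps certificate that the "peer not authenticated" error is about. This is an added example and not configuration from any of the posts; the domain name, domain controller host, realm name and file paths are assumptions, and the layout is the X-Pack 6.x one that matches the /_xpack/security API used in this thread.

```yaml
# elasticsearch.yml (Elasticsearch node, not Kibana)
xpack:
  security:
    authc:
      realms:
        # realm name is arbitrary; "type" selects the AD implementation (6.x layout)
        ad_example:
          type: active_directory
          order: 0
          # assumed domain; users log in as sAMAccountName or user@ad.example.com
          domain_name: ad.example.com
          # assumed domain controller; port 636 is ldaps, 389 is plain ldap
          url: ldaps://dc1.ad.example.com:636
          # do not turn unknown AD groups into roles automatically
          unmapped_groups_as_roles: false
          ssl:
            # CA (or DC certificate) exported from Apache Directory Studio, PEM format
            certificate_authorities: [ "/etc/elasticsearch/x-pack/ad-ca.pem" ]
            # "full" also checks the hostname in "url" against the certificate;
            # "none" disables the check and is only for a quick test, like trying
            # plain ldap first as suggested above
            verification_mode: full
          files:
            # the mapping file Elasticsearch actually reads (assumed path)
            role_mapping: /etc/elasticsearch/x-pack/role_mapping.yml
```

If the connection still fails with the certificate in place, the first thing to compare is the hostname in `url` with the subject or SAN of the certificate the DC presents: `verification_mode: full` rejects a certificate issued for a different name even when the CA is trusted. On 7.x and later the same settings live under `xpack.security.authc.realms.active_directory.<realm_name>` and the `type` line is dropped.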

Hey there, I've done as you said with Apache Directory Studio. That error is fixed, but it still gives another error. The authentication completes, but it gives an authorization error even though I mapped the user to the superuser role.

Hi,

This error means that the CN of the user or group in role_mapping.yml is not mapped to any role providing permission to write/update data for the index.

So you need to ensure you have defined the appropriate role (you can use Management / Security / Roles in Kibana, which is the easiest, or the role API, or define it manually in roles.yml),
then check that your role_mapping.yml maps the role to the CN of the user or the CN of the group it belongs to.

Use the value of the distinguishedName attribute for the user or the group. role_mapping.yml may look like this if you map the user:

    your_role_name:
      - "cn=groupname,ou=support,dc=ad,dc=example,dc=com"

Have a look at this training, it will explain about role definition and more concepts around security : https://www.elastic.co/training/x-pack-security

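An offline way to check a role_mapping.yml against a user's AD attributes before restarting anything, reproducing the rule the reply above describes: a role applies when the file lists either the user's own distinguishedName or the distinguishedName of a group the user belongs to. This is an added example, not Elasticsearch code; the sample mapping file and the user and group DNs are constructed, and it assumes DN comparison is case-insensitive and ignores whitespace around the commas (the way AD itself treats DNs), so it reports a mismatch only when the DN really is absent from the file.

```python
"""Resolve the roles role_mapping.yml would grant to an AD user (added example)."""
import re

# Constructed sample of elasticsearch/x-pack/config/role_mapping.yml
ROLE_MAPPING_YML = """\
# role name -> list of user or group distinguishedName values
superuser:
  - "CN=Jane Doe,OU=Support,DC=ad,DC=example,DC=com"
kibana_user:
  - "cn=elastic-users,ou=groups,dc=ad,dc=example,dc=com"
  - "cn=support,ou=groups,dc=ad,dc=example,dc=com"
"""


def normalise_dn(dn):
    """Canonical form for comparison: split on unescaped commas, strip the
    whitespace around each RDN and lowercase it (assumption: AD-style
    case-insensitive matching)."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def parse_role_mapping(text):
    """Parse the minimal YAML shape used by role_mapping.yml
    ('role:' lines followed by '  - "dn"' items) into {normalised_dn: {roles}}.
    Written by hand so the check runs without PyYAML installed."""
    mapping = {}
    role = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            role = line[:-1].strip()          # start of a new role block
            continue
        item = re.match(r'\s*-\s*"?([^"]+?)"?\s*$', line)
        if item and role:
            mapping.setdefault(normalise_dn(item.group(1)), set()).add(role)
    return mapping


def resolve_roles(mapping, user_dn, group_dns):
    """Roles granted to a user: union of the entries matching the user's own
    DN and every group DN (the user's memberOf values). Sorted for stable output."""
    roles = set()
    for dn in [user_dn, *group_dns]:
        roles |= mapping.get(normalise_dn(dn), set())
    return sorted(roles)


def explain(mapping, user_dn, group_dns):
    """Human-readable verdict for the thread's failure mode: authenticated
    against AD but no role, so Kibana reports an authorization error."""
    roles = resolve_roles(mapping, user_dn, group_dns)
    if roles:
        return "mapped to roles: " + ", ".join(roles)
    return ("authentication would succeed but no role is mapped; add the user DN "
            "or one of its group DNs to role_mapping.yml")


if __name__ == "__main__":
    mapping = parse_role_mapping(ROLE_MAPPING_YML)
    # Constructed users: one matched directly, one via a group, one unmapped
    print(explain(mapping, "cn=jane doe, ou=support, dc=ad, dc=example, dc=com", []))
    print(explain(mapping, "CN=Bob,OU=Support,DC=ad,DC=example,DC=com",
                  ["CN=support,OU=groups,DC=ad,DC=example,DC=com"]))
    print(explain(mapping, "CN=Eve,OU=Support,DC=ad,DC=example,DC=com",
                  ["CN=helpdesk,OU=groups,DC=ad,DC=example,DC=com"]))
```

Feed it the distinguishedName and memberOf values copied from Apache Directory Studio for the user that fails; if the script reports the user as unmapped, the fix is in the file, and if it reports roles, the next thing to check is that those roles exist in Elasticsearch (GET /_xpack/security/role) and that the file being edited is the one in the Elasticsearch config directory rather than Kibana's.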

The problem was that I was putting the role mapping in kibana/x-pack/config, not in elasticsearch/x-pack/config.
Now it works like a charm.
Thanks for the help.
