Active Directory integration

Hi, Community.

Here is elasticsearch.yml:
```yaml
shield.authc.realms.esusers.type: esusers
shield.authc.realms.esusers.order: 0
shield.authc.realms.esusers.enabled: true

shield.authc.realms.active_directory1.type: active_directory
shield.authc.realms.active_directory1.order: 1
shield.authc.realms.active_directory1.domain_name: ad_hostname1
shield.authc.realms.active_directory1.url: ldaps://ad_hostname1:636
shield.authc.realms.active_directory1.enabled: true
shield.authc.realms.active_directory1.hostname_verification: false

shield.authc.realms.active_directory2.type: active_directory
shield.authc.realms.active_directory2.order: 2
shield.authc.realms.active_directory2.domain_name: ad_hostname2
shield.authc.realms.active_directory2.url: ldaps://ad_hostname2:636
shield.authc.realms.active_directory2.enabled: true
shield.authc.realms.active_directory2.hostname_verification: false

shield.ssl.keystore.path: /elasticsearch/config/shield/node01.jks
shield.ssl.keystore.password: 123abc
shield.ssl.keystore.key_password: 123abc
```

Here is role_mapping.yml:
```yaml
user:
  - "cn=elastic,ou=Service,ou=users,ou=xxxx,dc=yyyy,dc=zzzz,dc=vvvv"
```

Here is roles.yml:
```yaml
user:
  indices:
    'logstash*':
      privileges: read
```

When I try to authorize in ES (when checking cluster availability, for example) I get the following error:

```
[2016-01-06 04:46:51,361][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
[2016-01-06 04:46:51,374][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname2] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
```

The keystore was created as per https://www.elastic.co/guide/en/shield/current/active-directory.html#active-directory-ssl

Any thoughts on why it is unable to authenticate the user?

The error codes indicate that the username was not found. Are ad_hostname1 and ad_hostname2 the DNS names of the servers or are they the domain name and you have two separate domains?

If they are server hostnames/DNS entries (for example ad1.mycompany.com), you need to change the value of the domain_name setting to just the domain name (mycompany.com) and not the active directory server's hostname.

Hi Jay,
These are two separate domains. The second one is a failover in case first one is out of service.

The users will exist in both domains? The ActiveDirectory integration works by using the userPrincipalName to bind. In your configuration that would be constructed as elastic@ad_hostname1 and elastic@ad_hostname2. Are you able to check the active directory logs for information about why the request fails if this is the correct user principal name?
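The two replies above make two points that are easy to check mechanically: the `active_directory` realm binds as `<user>@<domain_name>`, so a `domain_name` that is really the server's hostname yields a principal AD has never heard of, and the `data 525` subcode in the `AcceptSecurityContext` error means exactly "user not found". The script below is an added example, not code from the thread or from Shield: it groups the flattened realm settings from the post (constructed copy, placeholder names kept), builds the UPN each AD realm would bind with in realm order, flags a `domain_name` that merely repeats the host from `url`, and decodes the AD subcode from the posted WARN lines (also constructed copies). The subcode table covers the common AD bind failures beyond the one in the thread.

```python
"""Triage helpers for the Shield active_directory realm problem in the thread above (added example)."""
import re
from urllib.parse import urlsplit

# Constructed copy of the flattened elasticsearch.yml from the post (placeholder names as posted).
SETTINGS = {
    "shield.authc.realms.esusers.type": "esusers",
    "shield.authc.realms.esusers.order": "0",
    "shield.authc.realms.esusers.enabled": "true",
    "shield.authc.realms.active_directory1.type": "active_directory",
    "shield.authc.realms.active_directory1.order": "1",
    "shield.authc.realms.active_directory1.domain_name": "ad_hostname1",
    "shield.authc.realms.active_directory1.url": "ldaps://ad_hostname1:636",
    "shield.authc.realms.active_directory1.enabled": "true",
    "shield.authc.realms.active_directory2.type": "active_directory",
    "shield.authc.realms.active_directory2.order": "2",
    "shield.authc.realms.active_directory2.domain_name": "ad_hostname2",
    "shield.authc.realms.active_directory2.url": "ldaps://ad_hostname2:636",
    "shield.authc.realms.active_directory2.enabled": "true",
}

# Constructed copies of the two WARN lines from the post.
LOG_LINES = [
    "[2016-01-06 04:46:51,361][WARN ][shield.authc.activedirectory] [elastic_host1] "
    "authentication failed for user [elastic]: unable to authenticate user [elastic] to "
    "active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: "
    "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
    "[2016-01-06 04:46:51,374][WARN ][shield.authc.activedirectory] [elastic_host1] "
    "authentication failed for user [elastic]: unable to authenticate user [elastic] to "
    "active directory domain [ad_hostname2] cause: com.unboundid.ldap.sdk.LDAPException: "
    "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
]

# AD bind-failure subcodes carried in the "data NNN" field of an AcceptSecurityContext error.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

REALM_KEY = re.compile(r"^shield\.authc\.realms\.([^.]+)\.(.+)$")
AD_ERR = re.compile(
    r"active directory domain \[([^\]]+)\].*AcceptSecurityContext error, data ([0-9a-f]+)", re.I
)


def realms(settings):
    """Group flattened shield.authc.realms.* keys per realm; enabled realms, ascending 'order'."""
    grouped = {}
    for key, value in settings.items():
        m = REALM_KEY.match(key)
        if m:
            grouped.setdefault(m.group(1), {"name": m.group(1)})[m.group(2)] = value
    enabled = [r for r in grouped.values() if r.get("enabled", "true") == "true"]
    return sorted(enabled, key=lambda r: int(r.get("order", 0)))


def bind_principal(realm, username):
    """The userPrincipalName an active_directory realm binds with: <user>@<domain_name>."""
    if realm.get("type") != "active_directory":
        return None  # esusers and other realm types do not bind to AD
    return f"{username}@{realm['domain_name']}"


def misconfigured_domain(realm):
    """True when domain_name is just the server host taken from url (the mistake in the thread)."""
    if realm.get("type") != "active_directory":
        return False
    host = urlsplit(realm["url"]).hostname or ""
    return realm["domain_name"].lower() == host.lower()


def decode_ad_error(line):
    """Return (domain, subcode, meaning) for a Shield AD authentication WARN line, else None."""
    m = AD_ERR.search(line)
    if not m:
        return None
    code = m.group(2).lower()
    return m.group(1), code, AD_SUBCODES.get(code, "unknown subcode")


def triage(settings, username, log_lines):
    """Join config and log: per AD realm, the UPN tried, the domain_name check and the subcode seen."""
    seen = {d: (c, meaning) for d, c, meaning in filter(None, map(decode_ad_error, log_lines))}
    report = []
    for realm in realms(settings):
        upn = bind_principal(realm, username)
        if upn is None:
            continue
        code, meaning = seen.get(realm["domain_name"], (None, "no failure logged"))
        report.append({
            "realm": realm["name"],
            "upn": upn,
            "domain_name_is_server_host": misconfigured_domain(realm),
            "subcode": code,
            "meaning": meaning,
        })
    return report


if __name__ == "__main__":
    for row in triage(SETTINGS, "elastic", LOG_LINES):
        print(row)
```

With the posted settings both AD realms report `domain_name_is_server_host: True` and subcode `525`, which together point at the fix Jay describes: set `domain_name` to the AD domain (for example `mycompany.com`) so the bind principal becomes `elastic@mycompany.com`, and keep `url` pointing at the server. A `52e` in the same place would instead mean the principal was found and the password was wrong.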

Hi Jay,
Thank you for clarifying this. You were right here.