Active Directory integration

bibikmik · January 6, 2016, 10:22am

Hi, Community.

Here is elasticsearch.yml:
shield.authc.realms.esusers.type: esusers shield.authc.realms.esusers.order: 0 shield.authc.realms.esusers.enabled: true

shield.authc.realms.active_directory1.type: active_directory shield.authc.realms.active_directory1.order: 1 shield.authc.realms.active_directory1.domain_name: ad_hostname1 shield.authc.realms.active_directory1.url: ldaps://ad_hostname1:636 shield.authc.realms.active_directory1.enabled: true shield.authc.realms.active_directory1.hostname_verification: false

shield.authc.realms.active_directory2.type: active_directory shield.authc.realms.active_directory2.order: 2 shield.authc.realms.active_directory2.domain_name: ad_hostname2 shield.authc.realms.active_directory2.url: ldaps://ad_hostname2:636 shield.authc.realms.active_directory2.enabled: true shield.authc.realms.active_directory2.hostname_verification: false

shield.ssl.keystore.path: /elasticsearch/config/shield/node01.jks shield.ssl.keystore.password: 123abc shield.ssl.keystore.key_password: 123abc

Here is role_mapping.yml:
`user:

"cn=elastic,ou=Service,ou=users,ou=xxxx,dc=yyyy,dc=zzzz,dc=vvvv"`

Here is roles.yml:
user: indices: 'logstash*': privileges: read

When i'm trying to authorize in ES (when checking cluster availability for example) I'm getting error as follows:
[2016-01-06 04:46:51,361][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname1] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772 [2016-01-06 04:46:51,374][WARN ][shield.authc.activedirectory] [elastic_host1] authentication failed for user [elastic]: unable to authenticate user [elastic] to active directory domain [ad_hostname2] cause: com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772

Keystore was created as per https://www.elastic.co/guide/en/shield/current/active-directory.html#active-directory-ssl

Any thoughts why unable to authenticate user?

jaymode · January 6, 2016, 11:58am

The error codes indicate that the username was not found. Are ad_hostname1 and ad_hostname2 the DNS names of the servers or are they the domain name and you have two separate domains?

If they are server hostnames/DNS entries (for example ad1.mycompany.com), you need to change the value of the domain_name setting to just the domain name (mycompany.com) and not the active directory server's hostname.

bibikmik · January 6, 2016, 12:18pm

Hi Jay,
These are two separate domains. The second one is a failover in case first one is out of service.

jaymode · January 6, 2016, 1:37pm

The users will exist in both domains? The ActiveDirectory integration works by using the userPrincipalName to bind. In your configuration that would be constructed as elastic@ad_hostname1 and elastic@ad_hostname2. Are you able to check the active directory logs for information about why the request fails if this is the correct user principal name?

bibikmik · January 11, 2016, 12:56pm

Hi Jay,
Thank you for clarifying this. You were right here.