Active Directory Role Mapping in the role_mapping.yml file


(Anand Jain) #1

Hi,

I am trying to configure and set up Active Directory (AD) groups in the role_mapping.yml file, for example as shown below:

    monitoring:
      - "CN=Demo User1,OU=InformationTechnology,OU=Users,DC=example,DC=com"
      - "CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"
    superuser:
      - "CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"
    admin:
      - "CN=ESAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"

I am a member of the 'ESSuperAdmin' group in AD, and when I log in to https://localhost:5601/app/kibana and click on Monitoring, I get an access denied error message saying the user is not authorized.

How can I fix this issue? What am I doing wrong here?

Regards,
Anand


(Ioannis Kakavas) #2

Hi there,

The way forward would be to enable DEBUG logging and see what groups AD reports back that you belong to, and whether something goes wrong with the mapping to roles, or even with the connection to AD. In order to do so:

  1. Please share your AD realm configuration in elasticsearch.yml

  2. Enable debug logging:

    curl -uelastic -XPUT 'http://localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
    {
      "transient": {
        "logger.org.elasticsearch.xpack.security.authc.ldap": "DEBUG"
      }
    }
    '
    
  3. Then attempt to authenticate with your AD user:

    curl -u <user> 'http://localhost:9200/_xpack/security/_authenticate?pretty'
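As an added offline check (not part of either post): given the group DNs that AD reports back in the DEBUG log and the role_mapping.yml from the question, this computes which roles the file should grant and diffs them against the `roles` list in the `_authenticate` response. The YAML parser and DN normalization are simplified approximations of Elasticsearch's own matching, assumed here for a sanity check; the sample file is the one posted above and the user DN is constructed.

```python
import json
import re

# Sample input constructed from the question's role_mapping.yml (not read from disk).
ROLE_MAPPING_YML = """\
monitoring:
  - "CN=Demo User1,OU=InformationTechnology,OU=Users,DC=example,DC=com"
  - "CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"
superuser:
  - "CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"
admin:
  - "CN=ESAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"
"""


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no whitespace around '=' or ','.
    Assumption: a simplified stand-in for Elasticsearch's own DN comparison,
    good enough to spot case and spacing differences between AD and the file."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_role_mapping(text):
    """Minimal parser for the 'role:' / '- "DN"' layout used in role_mapping.yml."""
    mapping, role = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            role = line.strip()[:-1]
            mapping.setdefault(role, [])
        elif line.lstrip().startswith("-") and role is not None:
            dn = line.lstrip()[1:].strip().strip("\"'")
            mapping[role].append(normalize_dn(dn))
    return mapping


def roles_for(mapping, user_dn, group_dns):
    """Roles the mapping grants to a user DN plus the group DNs AD reported."""
    names = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return sorted(r for r, dns in mapping.items() if names & set(dns))


def missing_roles(expected, authenticate_json):
    """Roles expected from the mapping that the _authenticate response lacks."""
    granted = set(json.loads(authenticate_json).get("roles", []))
    return sorted(set(expected) - granted)
```

If `_authenticate` omits roles the file should grant, the DN reported by AD in the DEBUG log differs from the one written in the file; a name in role_mapping.yml also only confers privileges if a role by that name actually exists.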
    

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.