Active Directory Role Mapping in the role_mapping.yml file

stargate · May 3, 2018, 4:18am

Hi,

I am trying to configure and setup Active Directory(AD) groups in the role_mapping.yml file for e.g. as shown below:

monitoring:

"CN=Demo User1,OU=InformationTechnology,OU=Users,DC=example,DC=com"
"CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"

superuser:

"CN=ESSuperAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"

admin:

"CN=ESAdmin,OU=ElasticStack,OU=ApplicationsDev,DC=example,DC=com"

I am a member of 'ESSuperAdmin' group in AD and when I login to https://localhost:5601/app/kibana and click on monitoring, I get access denied error message saying the user is not authorized.

How can I fix this issue, what am I doing wrong here?

Regards,
Anand

ikakavas · May 3, 2018, 5:24am

Hi there,

The way forward would be to enable DEBUG logging and see what groups AD reports back that you belong in, and if something goes wrong with the mapping to roles, or even with the connection to AD. In order to do so

Please share your AD realm configuration in elasticsearch.yml

Enable debug logging:

curl -uelastic -XPUT 'http://localhost:9200/_cluster/settings?pretty' -H 'Content-Type: 
application/json' -d'
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.ldap": "DEBUG"
  }
}
'

and then attempt to authenticate with your AD user

curl -u <user> 'http://localhost:9200/_xpack/security/_authenticate?pretty'

system · May 31, 2018, 5:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.