Active Directory Role Mappings to Groups

Hey,
I am trying to map roles to AD groups, but I can't get it working.

I tried the following:

PUT /_security/role_mapping/Lvl-3
{
  "roles" : [ "Level_3" ],
  "rules" : { "field" : { "groups" : "OU=Ops_Intel_Groups,OU=Accounts_Groups,CN=Lvl-3,DC=DOMAIN,DC=local" } },
  "enabled": true
}

I tried with upper case and lower case, i.e. OU/ou, CN/cn, etc.

This is the AD structure/hierarchy:
[image: AD_Structure]

Under Ops_Intel_Groups there are a few security groups, and one of them is Lvl-3.
[image: AD_Groups]

This is elasticsearch.yml:

xpack.security.authc.realms:
  active_directory.active_directory_1:
    order: 0
    enabled: true
    domain_name: "DOMAIN.local"
    url: ["ldaps://server1:636", "ldaps://server2:636", "ldaps://server3:636", "ldaps://server4:636", "ldaps://server5:636", "ldaps://server6:636"]
    load_balance.type: failover
    ssl.certificate_authorities: ["pem.pem"]
    ssl.verification_mode: certificate

Anything missing? Or maybe wrong syntax?

When I map a single user to a role, it works fine. The issue is with AD groups.

Thanks!

In the log I see the following:

[2020-06-11T16:26:15,081][DEBUG][o.e.x.s.a.AuthenticationService]
[SERVER] Authentication of [myuser@domain.local] 
using realm [active_directory/active_directory_1] 
with token [UsernamePasswordToken] 
was [AuthenticationResult{status=SUCCESS, ...
...
...
}]

status=SUCCESS??

Then I get:

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}
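The log line and the 403 together say that authentication succeeded but no role was mapped, so the user ends up with no privileges. The following is an added example, not code from the post or from Elasticsearch itself: a small Python model of how a role-mapping `rules` document is evaluated against the group DNs the AD realm returns for a user. DN-valued fields are compared case-insensitively and ignoring whitespace around RDN separators, but the RDN order is significant, because an LDAP DN is written leaf-to-root (the group's `CN=` comes first, then its containing OUs, then the `DC=` components). The sample user, the group DN and the two mapping documents are constructed from the structure described in the post; the second mapping differs from the posted one only in the order of its RDNs.

```python
"""
Added example (not from the forum post or Elasticsearch's own code): a
simplified model of Elasticsearch role-mapping rule evaluation, used to
check a mapping document offline against a user's AD group DNs.
"""
import re
from typing import Any

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")

# Fields whose values are distinguished names and therefore compared
# structurally rather than as plain strings.
DN_FIELDS = {"dn", "groups"}


def normalize_dn(dn: str) -> tuple:
    """Return a canonical, comparable form of an LDAP DN.

    Every RDN is lower-cased and stripped of surrounding whitespace, but the
    RDN order is preserved: it encodes the path from the object to the root.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_mismatch_hint(expected: str, actual: str) -> str:
    """Explain why two DNs differ; useful when a mapping silently does not fire."""
    e, a = normalize_dn(expected), normalize_dn(actual)
    if e == a:
        return "match"
    if sorted(e) == sorted(a):
        return "same RDNs in a different order (DNs are written leaf-to-root)"
    return "different RDNs"


def _field_matches(field: str, expected: Any, user: dict) -> bool:
    """Evaluate one {"field": {name: expected}} rule against the user."""
    actual = user.get(field, [])
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    if field in DN_FIELDS:
        have = {normalize_dn(v) for v in actual}
        return any(normalize_dn(e) in have for e in expected)
    return any(e in actual for e in expected)


def evaluate_rules(rules: dict, user: dict) -> bool:
    """Recursively evaluate a role-mapping rules object (field/any/all/except)."""
    if "field" in rules:
        (name, expected), = rules["field"].items()
        return _field_matches(name, expected, user)
    if "any" in rules:
        return any(evaluate_rules(r, user) for r in rules["any"])
    if "all" in rules:
        return all(evaluate_rules(r, user) for r in rules["all"])
    if "except" in rules:
        return not evaluate_rules(rules["except"], user)
    raise ValueError(f"unknown rule type: {list(rules)}")


def mapped_roles(mappings: dict, user: dict) -> set:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rules(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


# Constructed sample: what the AD realm would hand to the mapper for a member
# of the Lvl-3 security group that lives under Ops_Intel_Groups.
GROUP_DN = "CN=Lvl-3,OU=Ops_Intel_Groups,OU=Accounts_Groups,DC=DOMAIN,DC=local"
SAMPLE_USER = {
    "username": "myuser",
    "dn": "CN=My User,OU=Users,DC=DOMAIN,DC=local",   # constructed
    "groups": [GROUP_DN],
    "realm": {"name": "active_directory_1", "type": "active_directory"},
}

# The mapping as it appears in the post: every RDN is present, but listed
# OU-first, so the string is not the DN of the group.
MAPPING_AS_POSTED = {
    "Lvl-3": {
        "roles": ["Level_3"],
        "rules": {"field": {"groups":
                  "OU=Ops_Intel_Groups,OU=Accounts_Groups,CN=Lvl-3,DC=DOMAIN,DC=local"}},
        "enabled": True,
    }
}

# The same mapping with the RDNs in leaf-to-root order. Lower-casing the
# attribute names (cn=, ou=) would make no difference to the comparison.
MAPPING_FIXED = {
    "Lvl-3": {"roles": ["Level_3"], "rules": {"field": {"groups": GROUP_DN}}, "enabled": True}
}

if __name__ == "__main__":
    print("posted mapping ->", mapped_roles(MAPPING_AS_POSTED, SAMPLE_USER))
    print("reordered DN   ->", mapped_roles(MAPPING_FIXED, SAMPLE_USER))
    posted = MAPPING_AS_POSTED["Lvl-3"]["rules"]["field"]["groups"]
    print("hint:", dn_mismatch_hint(posted, GROUP_DN))
```

A practical check before filing a mapping is to compare the `groups` value in the rule against what the cluster itself reports for the user (for example the `dn` and `groups` metadata the authenticate API returns, or the realm DEBUG log), using the same normalisation: if the RDN sets agree but the order does not, the rule will never match and the user will authenticate successfully yet receive 403 on every request.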
