Hi,
I'm trying out AD authentication and managed to get it working when I map a group to the superuser role. However, when I create a new mapping and map it to a role that has fewer privileges, I always get the following error:
$ curl -XGET -u elasticuser@somedomain.co.uk:password! "http://elastic1:9200/products/_search"
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [elasticuser@somedomain.co.uk]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [elasticuser@somedomain.co.uk]"},"status":403}
The test user is in the ElasticUsers group and I have this role_mapping in place:
{
  "mapping1" : {
    "enabled" : true,
    "roles" : [
      "test_role1",
      "kibana_user"
    ],
    "rules" : {
      "field" : {
        "groups" : "CN=ElasticUsers,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
      }
    },
    "metadata" : { }
  }
}
Admins have this mapping:
{
  "mapping2" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "groups" : "CN=ElasticAdmins,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
      }
    },
    "metadata" : { }
  }
}
Here's my elasticsearch.yml realm settings:
#AD realm
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: somedomain.co.uk
          url: ldap://AS-server:389
          bind_dn: elasticldap@somedomain.co.uk
          bind_password: password
          group_search:
            base_dn: "OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
          follow_referrals: false
Any ideas as to why it's working for users in the ElasticAdmins group, but not for the ElasticUsers group?
Thanks