AD authentication not working correctly

Hi,

I'm trying out AD authentication and managed to get it working when I map a group to the superuser role. However, when I create a new mapping and map it to a role that has fewer privileges, I always get the following error:

$ curl -XGET -u elasticuser@somedomain.co.uk:password!  "http://elastic1:9200/products/_search"
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [elasticuser@somedomain.co.uk]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [elasticuser@somedomain.co.uk]"},"status":403}

The test user is in the ElasticUsers group and I have this role_mapping in place:

{
  "mapping1" : {
    "enabled" : true,
    "roles" : [
      "test_role1",
      "kibana_user"
    ],
    "rules" : {
      "field" : {
        "groups" : "CN=ElasticUsers,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
      }
    },
    "metadata" : { }
  }
}

Admins have this mapping:

{
  "mapping2" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "groups" : "CN=ElasticAdmins,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
      }
    },
    "metadata" : { }
  }
}

Here are my elasticsearch.yml realm settings:

#AD realm
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: somedomain.co.uk
          url: ldap://AS-server:389
          bind_dn: elasticldap@somedomain.co.uk
          bind_password: password
          group_search:
            base_dn: "OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"
          follow_referrals: false

Any ideas as to why it's working for users in the ElasticAdmins group, but not for the ElasticUsers group?

Thanks

Hi there,

You didn't explain exactly what doesn't work. Your error message says that the elasticuser@somedomain.co.uk user doesn't have read privileges in your products index.

Now, you have a role mapping that gives the role test_role1 to users that belong to the CN=ElasticUsers group.
What is the definition of this test_role1? Does it give the necessary permissions to the index you need?

You can check all the roles that the user gets with the Authenticate API:

curl -XGET -u elasticuser@somedomain.co.uk:password!  "http://elastic1:9200/_xpack/security/_authenticate"

This will tell you if the role is mapped to the user or not.

Then, can you share the output of the following (authenticating as the elastic user, or as an AD user that gets the superuser role)?

curl -XGET -u elastic:YOURPASSWD  "http://elastic1:9200/_xpack/security/role/test_role1"

This will let us know if the test_role1 definition is correct, i.e. if it grants the necessary permissions for your users to access what you want them to access.
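The reply above describes two separate checks: does a role mapping actually fire for the user's AD groups, and does the mapped role grant the requested privilege on the index? The following is an added, offline model of both steps (example code written for this page, not part of the thread and not Elastic's own implementation). The mappings are the two from the question; the role definitions, the users' group lists, the case-insensitive DN comparison and the flat "all or named privilege" check are assumptions, since the real test_role1 definition is not shown in the thread and real Elasticsearch resolves a full privilege hierarchy. The "typo" user shows the failure the thread ends with: a group DN that differs by one character matches no mapping, so the user gets no roles at all.

```python
import fnmatch

# Constructed sample data (not from the thread): the two mappings posted in the
# question plus assumed role definitions. "superuser" stands in for the built-in
# role here as "all privileges on every index".
MAPPINGS = {
    "mapping1": {"enabled": True, "roles": ["test_role1", "kibana_user"],
                 "rules": {"field": {"groups":
                     "CN=ElasticUsers,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"}}},
    "mapping2": {"enabled": True, "roles": ["superuser"],
                 "rules": {"field": {"groups":
                     "CN=ElasticAdmins,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"}}},
}
ROLES = {  # assumed definitions, shaped like GET /_xpack/security/role/<name>
    "test_role1": {"indices": [{"names": ["products*"], "privileges": ["read"]}]},
    "kibana_user": {"indices": [{"names": [".kibana*"], "privileges": ["read", "view_index_metadata"]}]},
    "superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
}
GOOD_USER = {"username": "elasticuser@somedomain.co.uk", "groups": [
    "cn=ElasticUsers,ou=ElasticGroups,ou=Elasticsearch,dc=somedomain,dc=co,dc=uk"]}
TYPO_USER = {"username": "elasticuser@somedomain.co.uk", "groups": [
    "CN=ElasticUser,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"]}  # one char off
ADMIN_USER = {"username": "admin@somedomain.co.uk", "groups": [
    "CN=ElasticAdmins,OU=ElasticGroups,OU=Elasticsearch,DC=somedomain,DC=co,DC=uk"]}


def _norm_dn(dn):
    """Assumption: compare DNs case-insensitively, ignoring whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rule_matches(rule, user):
    """Evaluate one role-mapping rule (field / any / all / except) against a user."""
    if "field" in rule:
        field, wanted = next(iter(rule["field"].items()))
        wanted = wanted if isinstance(wanted, list) else [wanted]
        have = user.get(field, [])
        have = have if isinstance(have, list) else [have]
        if field in ("groups", "dn"):  # DN-valued fields get DN normalisation
            have, wanted = [_norm_dn(v) for v in have], [_norm_dn(v) for v in wanted]
        return any(w in have for w in wanted)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule shape: {rule}")


def mapped_roles(user, mappings):
    """Step 1 of the reply: which roles would _authenticate report for this user?"""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


def role_grants(role_def, index, privilege):
    """Step 2 of the reply: does this role definition cover <privilege> on <index>?
    Simplification: only 'all' or the exact privilege name counts as a grant."""
    for entry in role_def.get("indices", []):
        if any(fnmatch.fnmatchcase(index, pattern) for pattern in entry["names"]):
            if privilege in entry["privileges"] or "all" in entry["privileges"]:
                return True
    return False


def diagnose(user, mappings, roles, index, privilege):
    """Return (roles mapped to the user, subset of those that grant the request).
    An empty second list is the 403 'action ... is unauthorized' case."""
    granted = mapped_roles(user, mappings)
    granting = [r for r in granted if r in roles and role_grants(roles[r], index, privilege)]
    return granted, granting


if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("typo", TYPO_USER), ("admin", ADMIN_USER)):
        print(label, diagnose(user, MAPPINGS, ROLES, "products", "read"))
```

Run against the constructed users, the "good" user gets test_role1 and kibana_user and is allowed by test_role1; the "typo" user gets no roles at all, which is exactly what _authenticate would have shown in the thread's case; the admin gets superuser. One transport caveat that the model does not cover: the realm in the question binds over plain ldap:// on port 389, so the bind_dn password crosses the network unencrypted; ldaps:// (or StartTLS) is the setting a practitioner would want there.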

Thanks for the tip. I checked, and the roles and mappings were correct. I actually managed to find out what the issue was: it turns out there was a typo in the ElasticUsers group in AD.
When I corrected the typo, I was able to log into Kibana as the elasticuser.

