AD User and AD Group in Single Role Mapping

Is it possible to have a role mapping that targets an AD group as well as a single AD user? I am trying the following code from Dev Tools, but can't get it to work. I have only been able to get a list of groups to work and a list of users (DNs), not a combo of the two in a role mapping. Thoughts?

PUT /_security/role_mapping/exchange_ad
{
  "roles" : [ "exchange_ad","kibana_user", "monitoring_user", "reporting_user" ],
  "rules" : {
      { "field" : { "dn" : "CN=chirilloj,OU=Active,OU=UMAD\ Users,DC=my,DC=domain,DC=com" } },
      { "field" : { "groups" : "CN=UM\ -\ IT\ Email\ Server\ Team,CN=Users,DC=my,DC=domain,DC=com" } }
  },
  "enabled": true
}

Hi there,

You need to combine your two rules with an any clause. See an example here: https://www.elastic.co/guide/en/elasticsearch/reference/7.8/security-api-put-role-mapping.html

Ok. I think my syntax is correct now, with the "any" statement. Does this look correct? Dev Tools does not like it.

PUT /_security/role_mapping/exchange_ad
{
  "roles" : [ "exchange_ad","kibana_user", "monitoring_user", "reporting_user" ],
  "rules" : { "any" : [
      { "field" : { "dn" : "CN=chirilloj,OU=Active,OU=UMAD\ Users,DC=my,DC=domain,DC=com" } },
      { "field" : { "groups" : "CN=UM\ -\ IT\ Email\ Server\ Team,CN=Users,DC=my,DC=domain,DC=com" } }
  ] },
  "enabled": true
}

Red "x" shows bad string.

Errors from Dev Tools:

I tried double slashes to escape the space, which got the red X to go away, but then dev tools returned:

{
"role_mapping" : {
"created" : false
}
}

Not sure what space you are referring to, but created: false is fine. It just means that it updated the existing exchange_ad role mapping and didn't create a new one.

Ahh, thanks for the info! I checked and both the user and group are listed now. I have to escape out the spaces in the DN Active Directory path.
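
Added example, not part of the original thread: a small Python check that shows why a single backslash before a space makes Dev Tools flag a bad string (it is not a valid JSON escape), and that builds the "any" body with json.dumps so backslashes are doubled automatically. The function names are hypothetical, the sample body is constructed from the values posted above, and the structural check only covers the any, all and field rule types.

```python
import json

def check_rule(rule):
    """Return structural problems in a rule; covers only any/all/field."""
    if not isinstance(rule, dict) or len(rule) != 1:
        return ["a rule must be a JSON object with exactly one key"]
    (kind, value), = rule.items()
    if kind in ("any", "all"):
        if not isinstance(value, list) or not value:
            return [f"'{kind}' needs a non-empty array of rules"]
        return [p for sub in value for p in check_rule(sub)]
    if kind == "field":
        ok = isinstance(value, dict) and len(value) > 0
        return [] if ok else ["'field' needs an object of name: value"]
    return [f"rule type '{kind}' is not handled by this check"]

def check_body(text):
    """Parse a role-mapping request body and list reasons to reject it."""
    try:
        body = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON at column {err.colno}: {err.msg}"]
    if not isinstance(body, dict):
        return ["request body must be a JSON object"]
    return check_rule(body.get("rules"))

def build_body(roles, user_dn, group_dn):
    """Serialize a mapping that matches the user DN or the group DN."""
    rules = {"any": [
        {"field": {"dn": user_dn}},
        {"field": {"groups": group_dn}},
    ]}
    body = {"roles": roles, "rules": rules, "enabled": True}
    return json.dumps(body, indent=2)

# Constructed sample: one backslash before the space, as first typed.
SINGLE_BACKSLASH = (
    r'{"roles": ["exchange_ad"], "rules": {"any": ['
    r'{"field": {"dn": "CN=chirilloj,OU=Active,OU=UMAD\ Users,'
    r'DC=my,DC=domain,DC=com"}}]}, "enabled": true}'
)

if __name__ == "__main__":
    print(check_body(SINGLE_BACKSLASH))
    print(build_body(
        ["exchange_ad", "kibana_user"],
        r"CN=chirilloj,OU=Active,OU=UMAD\ Users,DC=my,DC=domain,DC=com",
        r"CN=UM\ -\ IT\ Email\ Server\ Team,CN=Users,DC=my,DC=domain,DC=com",
    ))
```

The printed body can be pasted after the PUT line in Dev Tools.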
