Can´t authenticate against Active Directory

I've installed elk stack from repo packages on Centos 7.7. I´ve successfully started collecting data with metric beat and filebeat. But I can´t authenticate against active directory

I tested with openldaptools from the server I have elastic, and can authenticate and query de AD server.

On the elastic.yml file I've added

 xpack.security.enabled: true

xpack:
  security:
    authc:
      realms:
        active_directory:
          poc_ad:
            order: 0
            enabled: true
            domain_name: "poc.net"
            bind_dn: "CN=ldapdesa,CN=Users,DC=poc,DC=net"
            bind_password: "SuperSecret"
            url: ldap://srvad01:389, ldap://srvad02:389
            user_search:
              base_dn: "CN=Users,DC=poc,DC=net"
              scope: "sub_tree"
              filter: "(&(objectClass=user)(userPrincipalName={0}))"
            load_balance:
              type: "failover"

I've also tested with curl against the API, had no success.

Can you please share some logs from elasticsearch? What are you trying to use as a username when you authenticate? Does that user exist in your Active Directory ?

Answering your questions

  • I use as username the same login name I use to autenticate on Workstations. The LDAP attribute is samAccount, the same value is loaded in userPrincipalName . I type username in the textbox

  • Yes the user exists. I use it daily for login into my workstation. I also installed in the ELK server the OpenLDAP tools. With them I've made manual logins, communications and firewall issues are descarded.

  • I had TCPDUMP running during the tests, when I've autenticated nothing happens. When I run command line autentication I see traffic from the server to the DC.

Which log do you need?

I use as username

elasticsearch.log located in /var/log/elasticsearch

Can you remove

              filter: "(&(objectClass=user)(userPrincipalName={0}))"

from your configuration , restart elasticsearch and try again ? The default filter value should cover your use case adequately.