Cannot get AD auth to work with Trial license

Hi, I am trying to set up Active Directory authentication for my elastic 7.80 stack.
The steps I've taken:

  1. Enable trial license
  2. Put my ldaps certificate in /etc/elasticsearch/ad-ca.pem
  3. Configure ldaps realm in elasticsearch.yml:
xpack.security.authc.realms:
  active_directory:
    myad:
      order: 0
      domain_name: company.com
      url: ldaps://company.com:636
      ssl:
        verification_mode: certificate
        certificate_authorities: ["/etc/elasticsearch/ad-ca.pem"]
  4. Configure my role mapping in role_mapping.yml:
superuser:
- "cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com"

However authentication will always fail for AD credentials when I try it locally on the machine:

curl --cacert ~/ca.pem -u 'user:pass' https://127.0.0.1:9200/

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"},"status":403}

But when I try this PowerShell cmdlet on my work laptop, the query should work since this lists all my colleagues:

Get-ADUser -LDAPFilter '(memberof=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)'
...

I have the same issue if I use memberOf in role_mapping.yml:

superuser:
- "(memberOf=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)"

I just noticed that we do not have security groups in our AD, but only distribution groups.
So I'd like to supply queries for separate users instead.

When trying a user query, this also does not work:

superuser:
- "cn=myuser,ou=department,ou=Users,ou=BE,dc=company,dc=com"
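Two things worth checking offline before touching the cluster again: how to read the curl result (a 403 naming the user means AD accepted the credentials and only the role mapping is missing), and whether the entries in role_mapping.yml can ever match. The script below is an added example, not code from the thread or from Elastic; the user's own DN is constructed, and the matching rule (a role applies when the user's DN or any group DN equals an entry, case-insensitively) is my approximation of the file-based mapper.

```python
import json
import re

# Constructed sample of what the AD realm would know about the poster's user.
# The user's own DN is an assumption; the group DN is the one from the thread
# (per the reply in the thread, only security groups would be surfaced here).
SAMPLE_USER = {
    "dn": "CN=myuser,OU=department,OU=Users,OU=BE,DC=company,DC=com",
    "groups": ["CN=myteam,OU=DGroups,OU=Groups,OU=BE,DC=company,DC=com"],
}
# role_mapping.yml as parsed: role -> list of entries (the thread's two attempts).
ROLE_MAPPING = {"superuser": [
    "cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com",
    "(memberOf=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)",
]}

def normalize_dn(dn):
    """Canonical form for comparison: lowercase, no blanks around ',' or '='."""
    parts = [re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")]
    return ",".join(parts).lower()

def is_dn(value):
    """Mapping entries must be DNs (attr=value pairs); LDAP filter syntax is not one."""
    return all(re.fullmatch(r"[A-Za-z][\w-]*=.+", p.strip()) for p in value.split(","))

def mapped_roles(user, role_mapping):
    """Assumed mapper rule: a role applies if the user's own DN or any group DN
    equals one of the role's entries, compared case-insensitively.
    Returns (roles, entries that can never match because they are not DNs)."""
    candidates = {normalize_dn(user["dn"])} | {normalize_dn(g) for g in user["groups"]}
    roles, rejected = set(), []
    for role, entries in role_mapping.items():
        for entry in entries:
            if not is_dn(entry):
                rejected.append(entry)
            elif normalize_dn(entry) in candidates:
                roles.add(role)
    return sorted(roles), rejected

def classify_auth_response(status, body):
    """Read curl's result: 401 means the realm rejected the credentials;
    403 'unauthorized for user [x]' means x authenticated but holds no role
    granting the action, so the problem is the mapping, not the realm."""
    reason = json.loads(body).get("error", {}).get("reason", "")
    if status == 401:
        return "not authenticated: realm rejected the credentials (url, bind, CA)"
    if status == 403 and "unauthorized for user" in reason:
        return "authenticated but no role mapped: check role_mapping.yml entries"
    return "unexpected: %s %s" % (status, reason)
```

With the thread's group entry the sample user maps to superuser and the `(memberOf=...)` entry is reported as unusable; a per-user entry works the same way, provided it equals the user's full DN as AD returns it.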

See here, we only support security groups for authorization purposes, not distribution groups.

We need more information than that. What behaviour do you see?
