Cannot get AD auth to work with Trial license

Elastic Stack Elasticsearch
1

Hi, I am trying to setup Active Directory authentication for my elastic 7.80 stack.
The steps i've taken:

  1. Enable trial license
  2. Put my ldaps certificate in /etc/elasticsearch/ad-ca.pem
  3. Configure ldaps realm in elasticsearch.yml:
xpack.security.authc.realms:
  active_directory:
   myad:
     order: 0
     domain_name: company.com
     url: ldaps://company.com:636
     ssl:
        verification_mode: certificate
        certificate_authorities: ["/etc/elasticsearch/ad-ca.pem"]
  1. Configure my role mapping in role_mapping.yml:
superuser:
- "cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com"

However authentication will always fail for AD credentials when I try it locally on the machine:

curl --cacert ~/ca.pem –u ‘user:pass’ https://127.0.0.1:9200/

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"},"status":403}

But when I try this PowerShell cmdleton my work laptop, the query should work since this lists all my colleagues:

Get-ADUser -LDAPFilter '(memberof=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)'
...

I have the same issue if I use memberOf in role_mapping.yml:

superuser:
- "(memberOf=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)"
2

I just noticed that we do not have security groups in our AD, but only distribution groups.
So I'ld like to supply queries for separate users instead.

When trying a user query, this also does not work:

superuser:
- "cn=myuser,ou=department,ou=Users,ou=BE,dc=company,dc=com"
3

See here , we only support security groups for authorization purposes, not distribution groups

4

We need more information than that. What behaviour do you see?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.