Hi, I am trying to set up Active Directory authentication for my elastic 7.80 stack.
The steps I've taken:
- Enable trial license
- Put my ldaps certificate in /etc/elasticsearch/ad-ca.pem
- Configure ldaps realm in elasticsearch.yml:

```yaml
xpack.security.authc.realms:
  active_directory:
    myad:
      order: 0
      domain_name: company.com
      url: ldaps://company.com:636
      ssl:
        verification_mode: certificate
        certificate_authorities: ["/etc/elasticsearch/ad-ca.pem"]
```
- Configure my role mapping in role_mapping.yml:

```yaml
superuser:
  - "cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com"
```
However, authentication will always fail for AD credentials when I try it locally on the machine:

```
curl --cacert ~/ca.pem -u 'user:pass' https://127.0.0.1:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [user]"},"status":403}
```
But when I try this PowerShell cmdlet on my work laptop, the query should work since this lists all my colleagues:

```powershell
Get-ADUser -LDAPFilter '(memberof=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)'
```
...
I have the same issue if I use memberOf in role_mapping.yml:

```yaml
superuser:
  - "(memberOf=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)"
```
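As an added example (not part of the question above and not Elasticsearch's own tooling), here is a small Python checker for the two `role_mapping.yml` variants shown in the post. It assumes the file format Elasticsearch documents for `role_mapping.yml`: each key is a role name and each list item is a distinguished name (a user DN or a group DN). An LDAP search filter such as `(memberOf=...)` is not a DN, so the checker flags it, and it also shows a normalised DN comparison (case and whitespace folded; assumed here, check the docs for your version). The YAML parser is a deliberately minimal one for the layout in the post, so the script needs no third-party library.

```python
"""Sanity-check a role_mapping.yml before reloading Elasticsearch.

Added example, not from the original post. Assumption: role_mapping.yml maps
role names to lists of DNs; LDAP filter syntax is not accepted there.
"""
import re

# One RDN: attribute=value; backslash-escaped characters are allowed in the value.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=(?:[^,\\+]|\\.)+"
# A full DN: RDNs separated by commas (whitespace around the commas tolerated).
_DN_RE = re.compile(rf"^{_RDN}(?:\s*,\s*{_RDN})*$")
# Anything wrapped in parentheses is LDAP filter syntax, not a DN.
_FILTER_RE = re.compile(r"^\(.*\)$")

# Constructed samples, copied from the two variants in the question.
SAMPLE_DN_MAPPING = '''superuser:
  - "cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com"
'''
SAMPLE_FILTER_MAPPING = '''superuser:
  - "(memberOf=cn=myteam,ou=DGroups,ou=Groups,ou=BE,dc=company,dc=com)"
'''


def parse_role_mapping(text):
    """Parse the 'role:' / '  - "dn"' layout used by role_mapping.yml.

    Minimal on purpose: it handles the layout in the post (role names at
    column 0, one quoted or unquoted DN per list item), not arbitrary YAML.
    """
    mapping = {}
    role = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t", "-")) and line.endswith(":"):
            role = line[:-1].strip()
            mapping[role] = []
        elif line.lstrip().startswith("- "):
            if role is None:
                raise ValueError(f"list item before any role name: {raw!r}")
            mapping[role].append(line.lstrip()[2:].strip().strip("\"'"))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return mapping


def classify_entry(value):
    """Return 'dn', 'filter' or 'invalid' for one role_mapping.yml entry."""
    if _FILTER_RE.match(value):
        return "filter"
    if _DN_RE.match(value):
        return "dn"
    return "invalid"


def check_role_mapping(text):
    """Return (role, entry, problem) for every entry that can never match."""
    problems = []
    for role, entries in parse_role_mapping(text).items():
        for entry in entries:
            kind = classify_entry(entry)
            if kind == "filter":
                problems.append((role, entry,
                                 "LDAP filter syntax; role_mapping.yml takes DNs only"))
            elif kind == "invalid":
                problems.append((role, entry, "not a well-formed DN"))
    return problems


def dn_matches(dn_a, dn_b):
    """Compare two DNs with case and surrounding whitespace folded.

    Assumption: DN matching for file-based mappings is not case-sensitive,
    so 'CN=MyTeam, OU=DGroups' and 'cn=myteam,ou=dgroups' are the same group.
    """
    def norm(dn):
        return ",".join(part.strip().lower() for part in dn.split(","))
    return norm(dn_a) == norm(dn_b)


if __name__ == "__main__":
    for label, sample in (("DN form", SAMPLE_DN_MAPPING),
                          ("filter form", SAMPLE_FILTER_MAPPING)):
        problems = check_role_mapping(sample)
        print(f"{label}: {'ok' if not problems else problems}")
```

Reading the error in the post alongside this: a 401 from Elasticsearch would mean the realm rejected the credentials, whereas the 403 `unauthorized for user [user]` shown above means the user authenticated but no role was resolved for them, which is exactly the role-mapping side this checker looks at. The second variant, with the `(memberOf=...)` filter, is reported as a problem because a filter string will never equal any group DN the realm returns.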