Can't join elastic to microsoft active directory ldap

Hi

LDAP users can't log in to Kibana:

here is the log when user attempt to login:
Feb 26 11:55:21 logdev kibana[1784685]: [2023-02-26T11:55:21.243+03:30][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)

I added the config below to elasticsearch.yml and restarted the Elasticsearch service, but LDAP users still can't log in.

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://192.168.1.1:389"
            bind_dn: "cn=users,dc=corp,dc=net"
            user_search:
              base_dn: "dc=corp,dc=net"
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=corp,dc=net"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            unmapped_groups_as_roles: false

/etc/elasticsearch/role_mapping.yml

superusers:
  - "cn=users,dc=corp,dc=net"
user:
  - "cn=users,dc=corp,dc=net"

I also added a role mapping in Kibana:

Any idea?
Thanks

Did you configure Kibana as well? Here and Here ... there are both Elasticsearch and Kibana configurations.

@stephenb
would you please give me an example of this part of the config file?

I added this part to kibana.yml:

xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: ldap1
    description: "Log in with my SAML"
  basic.basic1:
    order: 1

but got below error:

Hi @Indeed2000

Unfortunately, I am not a SAML expert.

What I would do is make sure the Elasticsearch configuration is working first.

What I mean is: set up the Elasticsearch portion of the LDAP.
Start Elasticsearch and make sure there are no errors in the logs.
Then use a tool like Postman to POST / GET an API request into Elasticsearch, like a simple search.
If it fails, look closely at the error and continue to fix the configuration.
When I experimented in the past I often found the filters etc. were the issue, if I recall.
For example, looking at yours vs my old sample, the user filter was

ldap1.user_search.base_dn: "dc=example,dc=com"
ldap1.user_search.filter: "(uid={0})"

THEN if that works move on to the Kibana part ...

And on the Kibana side see here

so you should not be using SAML in Kibana. In fact you may have had Kibana correct before you changed it :slight_smile:

Basic authentication
To successfully log in to Kibana, basic authentication requires a username and password. Basic authentication is enabled by default, and is based on the Native, LDAP, or Active Directory security realm that is provided by Elasticsearch. The basic authentication provider uses a Kibana provided login form, and supports authentication using the Authorization request header Basic scheme.

Also are you doing Active Directory here

Or LDAP here

You mention both in your title

AND another important thing: please post the logs from Elasticsearch, there is good data there ... like I am testing and I got this...

[2023-02-27T10:23:41,220][WARN ][o.e.x.s.a.RealmsAuthenticator] [hyperion] Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [ldap/ldap1] were skipped because they are not permitted on the current license

Because I am running a basic license ... LDAP / SAML requires a license... do you have one? If not you can turn on a trial license!

And then I forgot to add the bind dn password in the key store

[2023-02-27T10:28:08,600][WARN ][o.e.x.s.a.RealmsAuthenticator] [hyperion] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.', ldapSDKVersion=6.0.3, revision=405ee52a554f9867e81d4598a5b2f97beabeb29a))

So I had to run this per the docs

The password for the bind_dn user should be configured by adding the appropriate secure_bind_password setting to the Elasticsearch keystore. For example, the following command adds the password for the example realm above:

bin/elasticsearch-keystore add \
    xpack.security.authc.realms.ldap.ldap1.secure_bind_password

So Testing against.

This worked for me.

  1. No changes in Kibana
  2. Need to set trial license: Kibana -> Stack Management -> License Management
  3. Added role mappings through Kibana Dev Tools

     PUT /_security/role_mapping/admin-roles
     {
       "enabled": true,
       "roles": [
         "superuser"
       ],
       "rules": {
         "field": {
           "groups": [
             "ou=mathematicians,dc=example,dc=com"
           ]
         }
       },
       "metadata": {}
     }

  4. Then stopped Kibana and Elasticsearch
  5. Added the LDAP config in elasticsearch.yml

     xpack:
       security:
         authc:
           realms:
             ldap:
               ldap1:
                 order: 1
                 url: "ldap://ldap.forumsys.com:389"
                 bind_dn: "cn=read-only-admin,dc=example,dc=com"
                 user_search:
                   base_dn: "dc=example,dc=com"
                   filter: "(uid={0})"
                 group_search:
                   base_dn: "dc=example,dc=com"
                 unmapped_groups_as_roles: false

  6. Added the bind password

     bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password

  7. Then started Elasticsearch
  8. Then started Kibana with no changes
  9. And it worked

@stephenb need to join elastic to "microsoft active directory"

here is the elastic config:

xpack:
  security:
    authc:
      realms:
        active_directory:
          active_directory1:
            order: 1
            domain_name: domain.net
            url: "ldap://192.168.1.1:389"
            bind_dn: "cn=users,dc=domain,dc=net"
            user_search:
              base_dn: "dc=domain,dc=net"
              filter: "(uid={0})"
            group_search:
              base_dn: "dc=domain,dc=net"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            unmapped_groups_as_roles: false

FYI: I added the Kibana role mapping, but it still does not work! Would you please give me a sample config?
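The worked steps above (keystore password, role mapping on a group DN, realm settings) and the Active Directory block just posted are the two places this kind of setup usually goes wrong. The following is an added example, not code from the thread or from Elastic: a small stand-alone linter that takes a realm block (as the dict a YAML parser returns for `xpack.security.authc.realms.<type>.<name>`) plus the list of keystore entries, and a role-mapping body, and flags the pitfalls discussed here. It assumes nothing beyond the standard library; `dc1.domain.net` and `svc-elastic` in the corrected sample are placeholders.

```python
"""Lint an Elasticsearch LDAP / Active Directory realm block and a role-mapping
body for the pitfalls this thread runs into.  Added example, not code from the
thread or from Elastic; standard library only."""

from typing import Dict, Iterable, List, Set


def _rdns(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs: 'CN=Users,DC=x' -> ['cn=users', 'dc=x']."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def _is_users_container(dn: str) -> bool:
    """True for the default AD 'Users' container (cn=Users directly under the
    domain). It is a container object: neither an account nor a group."""
    rdns = _rdns(dn)
    return bool(rdns) and rdns[0] == "cn=users" and all(r.startswith("dc=") for r in rdns[1:])


def lint_realm(realm_type: str, name: str, realm: Dict, keystore_keys: Set[str]) -> List[str]:
    """Return 'CODE: advice' findings for one realm. keystore_keys is the output
    of `bin/elasticsearch-keystore list`, passed in as a set of setting names."""
    findings: List[str] = []
    if realm.get("url", "").startswith("ldap://"):
        findings.append("PLAINTEXT_LDAP: url is ldap://, so the bind password and every user's "
                        "password cross the network unencrypted; use ldaps:// with ssl settings")
    bind_dn = realm.get("bind_dn")
    if bind_dn:
        if _is_users_container(bind_dn):
            findings.append("BIND_DN_IS_CONTAINER: bind_dn names the Users container; the bind "
                            "must be a real account, e.g. a service user inside that container")
        key = f"xpack.security.authc.realms.{realm_type}.{name}.secure_bind_password"
        if key not in keystore_keys:
            findings.append("NO_BIND_PASSWORD: the directory refuses a bind DN without a "
                            f"password; run bin/elasticsearch-keystore add {key}")
    flt = realm.get("user_search", {}).get("filter", "")
    if realm_type == "active_directory" and "uid=" in flt.lower():
        findings.append("UID_FILTER_ON_AD: AD accounts carry sAMAccountName/userPrincipalName, "
                        "not uid, so '(uid={0})' matches nobody; drop the filter for the default")
    return findings


def _group_dns(rules) -> List[str]:
    """Collect every DN under field.groups, following any/all/except nesting."""
    found: List[str] = []
    if not isinstance(rules, dict):
        return found
    field = rules.get("field")
    groups = field.get("groups", []) if isinstance(field, dict) else []
    found.extend([groups] if isinstance(groups, str) else [g for g in groups if isinstance(g, str)])
    for key in ("any", "all"):
        for sub in rules.get(key) or []:
            found.extend(_group_dns(sub))
    found.extend(_group_dns(rules.get("except")))
    return found


def lint_role_mapping(mapping: Dict) -> List[str]:
    """Findings for the body of PUT /_security/role_mapping/<name>."""
    findings: List[str] = []
    if not mapping.get("enabled", True):
        findings.append("MAPPING_DISABLED: enabled is false, the mapping is ignored")
    if not mapping.get("roles"):
        findings.append("NO_ROLES: the mapping grants no roles, so a matched user can do nothing")
    if not mapping.get("rules"):
        findings.append("NO_RULES: without rules nobody is matched")
    for dn in _group_dns(mapping.get("rules")):
        if _is_users_container(dn):
            findings.append("GROUP_IS_CONTAINER: field.groups lists the Users container; group "
                            "rules match group membership, and a container is not a group")
    return findings


def codes(findings: Iterable[str]) -> List[str]:
    """Just the CODE part of each finding."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed input: the Active Directory realm as posted in the thread, as a dict.
THREAD_AD_REALM = {
    "order": 1, "domain_name": "domain.net", "url": "ldap://192.168.1.1:389",
    "bind_dn": "cn=users,dc=domain,dc=net",
    "user_search": {"base_dn": "dc=domain,dc=net", "filter": "(uid={0})"},
    "group_search": {"base_dn": "dc=domain,dc=net"},
    "unmapped_groups_as_roles": False,
}
# Constructed input: the same realm with the findings addressed (host name and
# service-account name are placeholders, not values from the thread).
FIXED_AD_REALM = {
    "order": 1, "domain_name": "domain.net", "url": "ldaps://dc1.domain.net:636",
    "bind_dn": "cn=svc-elastic,cn=users,dc=domain,dc=net",
    "user_search": {"base_dn": "dc=domain,dc=net"},
    "group_search": {"base_dn": "dc=domain,dc=net"},
    "unmapped_groups_as_roles": False,
}
KEYSTORE_AFTER_ADD = {"xpack.security.authc.realms.active_directory.active_directory1.secure_bind_password"}

if __name__ == "__main__":
    for finding in lint_realm("active_directory", "active_directory1", THREAD_AD_REALM, set()):
        print(finding)
```

Run against the realm posted above it reports four findings; against the corrected sample with the keystore entry present it reports none. The role-mapping check makes the same point for `field.groups`: a mapping on `cn=users,dc=domain,dc=net` never matches because that DN is a container, not a group a user can be a member of.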

If you added role mapping through Kibana Dev Tools you should take that out.

I did above, but without knowing your groups there is no way I can provide a sample
There are many samples here

I would make a very simple role mapping first.

What I would suggest you should try is to just curl and authenticate against Elasticsearch, look at the error message that comes back from the curl and in the Elasticsearch logs, and post them:

curl -k -u <user>:<password> https://<elasticip>:9200

Look at the error message that comes back AND also look at the error message in the elasticsearch logs they should be very informative

@stephenb I saw the page you mentioned and tried the configuration that is on that page.
Would you please write a simple config here?

FYI: I also removed the role mapping in the config file, but it does not work.
Any idea?

I cannot because I don't know your groups!

Use the one above and replace this with your groups

"groups": [
  "ou=mathematicians,dc=example,dc=com"
]

2nd, did you run the curl command I asked you to? That will tell a lot; please run the command and show the command and results.

What are the results from the command?

What do elasticsearch logs show when you run the command?

@stephenb Should I consider groups? I only need to set the OU, which in my case is “users”.

I’ll send you curl result.

Here is what shows in the log:
Feb 26 11:55:21 logdev kibana[1784685]: [2023-02-26T11:55:21.243+03:30][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)

Please run the curl command and show the output.

And like I said at the beginning I am not SAML/SSO/LDAP expert on groups etc.

Sure, I guess you can use users that's up to you.

But if you don't do the simple commands I'm asking for, I certainly can't help you.

I'm trying to help you debug elasticsearch first before we even try to configure Kibana.

If that doesn't work, Kibana will never work. You probably shouldn't need to make any changes to Kibana.

Here is the curl result:

[root@logdev]# curl -k --user elastic:'PASS' -X GET "http://localhost:9200?pretty"
{
  "name" : "logdev",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "oFUvdheuTQG3z3z-9SFWUw",
  "version" : {
    "number" : "8.5.3",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
    "build_date" : "2022-12-05T18:22:22.226119656Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

here is the latest config:

xpack:
  security:
    authc:
      realms:
        active_directory:
          active_directory1:
            order: 1
            domain_name: domain.net
            url: "ldap://192.168.1.1:389"
            bind_dn: "cn=users,dc=domain,dc=net"
            user_search:
              base_dn: "dc=domain,dc=net"
              filter: "(uid={0})"
            group_search:
              base_dn: "dc=domain,dc=net"

Hi @Indeed2000

Apologies, I was not clear on

I wanted you to run the curl command with one of the AD users, not the elastic local user

Try again...

@stephenb would you please write the curl command you mentioned (to prevent mix-ups)?

I tried this command:

[root@logdev]# curl -k --user mydomainuser -X GET "http://localhost:9200?pretty"
Enter host password for user 'mydomainuser':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [mydomainuser] for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Basic realm=\"security\" charset=\"UTF-8\"",
            "ApiKey"
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "unable to authenticate user [mydomainuser] for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Basic realm=\"security\" charset=\"UTF-8\"",
        "ApiKey"
      ]
    }
  },
  "status" : 401
}

@stephenb any update?

Hi @Indeed2000

The curl command looks proper so you got that right.

But it is simply not authenticating, which means the user and password are not found or are incorrect etc.

I do not have a magic way to debug this.

I think the next step is that you need to look at the Elasticsearch logs at the same time that you run this command.
Probably set the logging level to debug, then run this command and it should provide more information.
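The step suggested above (raise the authentication logging to debug, then authenticate once as a directory user and read both the response and the log) can be scripted. This is an added example, not code from the thread or from Elastic, using only the standard library: it sets the `logger.org.elasticsearch.xpack.security.authc` cluster setting to DEBUG, calls `/_security/_authenticate` with the directory user's credentials, classifies the answer, and resets the logger. The environment variable names (`ES_URL`, `ES_ADMIN`, `ES_ADMIN_PASSWORD`, `AD_USER`, `AD_PASSWORD`) are this example's own; the 401 body embedded below is the one shown earlier in the thread.

```python
"""Probe an Elasticsearch LDAP / AD realm: enable DEBUG authc logging, authenticate
as a directory user, interpret the reply, restore logging.  Added example, not code
from the thread or from Elastic; standard library only."""

import base64
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# Cluster-settings logger covering every realm type (ldap, active_directory, ...).
AUTHC_LOGGER = "logger.org.elasticsearch.xpack.security.authc"


def debug_logger_settings(level: Optional[str] = "DEBUG") -> Dict:
    """Body for PUT /_cluster/settings; level=None (JSON null) removes the override."""
    return {"persistent": {AUTHC_LOGGER: level}}


def interpret_auth_response(status: int, body: Dict) -> Tuple[str, str]:
    """Classify what GET /_security/_authenticate returned for the directory user."""
    if status == 200:
        realm = body.get("authentication_realm", {})
        where = f"realm {realm.get('name')} ({realm.get('type')})"
        if not body.get("roles"):
            return ("AUTH_OK_NO_ROLES",
                    f"{body.get('username')} authenticated via {where} but has no roles: "
                    "the realm works, fix the role mapping (group DN / rules)")
        return ("AUTH_OK", f"{body.get('username')} authenticated via {where} "
                           f"with roles {body['roles']}")
    if status == 401:
        reason = body.get("error", {}).get("reason", "")
        return ("AUTH_REJECTED",
                f"every realm rejected the user ({reason}); read the realm's WARN/DEBUG "
                "lines in the Elasticsearch log: bind failure, user_search filter matching "
                "nobody, or the realm skipped by the license")
    return ("UNEXPECTED", f"HTTP {status}: {json.dumps(body)[:200]}")


def _request(base_url: str, method: str, path: str, user: str, password: str,
             body: Optional[Dict], ctx: ssl.SSLContext) -> Tuple[int, Dict]:
    """One basic-auth JSON request; HTTP errors are returned, not raised, because
    the 401 body is the thing we want to read."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}


def probe(base_url: str, admin: Tuple[str, str], directory_user: Tuple[str, str],
          ctx: ssl.SSLContext) -> Tuple[str, str]:
    """Raise authc logging, try the directory user once, always restore logging."""
    _request(base_url, "PUT", "/_cluster/settings", *admin, debug_logger_settings("DEBUG"), ctx)
    try:
        status, body = _request(base_url, "GET", "/_security/_authenticate",
                                *directory_user, None, ctx)
    finally:
        _request(base_url, "PUT", "/_cluster/settings", *admin, debug_logger_settings(None), ctx)
    return interpret_auth_response(status, body)


# The 401 body the thread shows for the directory user (copied from the thread).
THREAD_401 = {"error": {"type": "security_exception",
                        "reason": "unable to authenticate user [mydomainuser] for REST request [/?pretty]"},
              "status": 401}

if __name__ == "__main__":
    ctx = ssl.create_default_context()  # verifies the cluster certificate (no curl -k equivalent)
    code, message = probe(os.environ["ES_URL"],
                          (os.environ["ES_ADMIN"], os.environ["ES_ADMIN_PASSWORD"]),
                          (os.environ["AD_USER"], os.environ["AD_PASSWORD"]), ctx)
    print(code, message)
```

While the probe runs, tail the Elasticsearch log: with the logger at DEBUG the realm prints the bind it attempts and the search filter it sends, which is what distinguishes "bind DN rejected" from "filter matched no entry". The logger is reset in a `finally` so a failed request does not leave verbose authentication logging switched on.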
