Can't setup active-directory auth

Hi all. I'm stuck with this active-directory auth to kibana via AD creds.

When I'm trying to enable auth in kibana, after login i got a message - {"statusCode":403,"error":"Forbidden","message":"Forbidden"}.

I added my realm via - bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password. (file based role not working for me for some reason)

i also checking the ability to login via - curl -k -u ad_user@example.com:password 'http://127.0.0.1:9200/_xpack/security/_authenticate?pretty' and it works.

ldapsearch tool also give me a correct answer.

I also added role_mapping via API

curl -X PUT "localhost:9200/_security/role_mapping/admins?pretty" -H 'Content-Type: application/json' -d'
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : {
    "groups" : "cn=ad_user,dc=example,dc=com" 
  } },
  "enabled": true
}'

But still, i get forbidden message and errors in apm-server (503)

Please help me fix this issue. BTW what is the difference between realms active-directory and ldap?

my env is: AD - windows 2012
elastic stack - elasticsearch 7.8, kibana 7.8, apm-server 7.8, Ubuntu 18.04 x64.

elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 127.0.0.1

xpack.license.self_generated.type: trial
xpack.security.enabled: true

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: example.com
            url: ldap://example.com:389
            #files:
            #  role_mapping: "/etc/elasticsearch/role_mapping.yml"

kibana.yml

server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]

apm-server.yml

apm-server:
  # Defines the host and port the server is listening on. Use "unix:/path/to.sock" to listen on a unix domain socket.
  host: "0.0.0.0:8200"
  max_event_size: 1000000
  # token configured for other endpoints.
  rum:
    enabled: true


  kibana:
    enabled: true
    host: "localhost:5601"

queue:
  mem:
    events: 8192

#-------------------------- Elasticsearch output --------------------------
output.elasticsearch:
  hosts: ["localhost:9200"]

# Available log levels are: error, warning, info, or debug.
logging.level: info


logging.to_files: true
logging.files:
  path: /var/log/apm-server

  # The name of the files where the logs are written to.
  name: apm-server

  rotateeverybytes: 104857600

Here is record from elastic logs.

[2020-06-29T15:22:11,673][WARN ][o.e.x.s.a.AuthenticationService] [sv-] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=32 (no such object), errorMessage='0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=example,DC=com'
', matchedDN='DC=example,DC=com', ldapSDKVersion=4.0.8, revision=28812))