Hi all. I'm stuck with this Active Directory auth to Kibana via AD creds.
When I try to enable auth in Kibana, after login I get a message: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}.
I added my realm via bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password (the file-based role is not working for me for some reason).
I also checked the ability to log in via curl -k -u ad_user@example.com:password 'http://127.0.0.1:9200/_xpack/security/_authenticate?pretty' and it works.
The ldapsearch tool also gives me a correct answer.
I also added a role_mapping via the API:
curl -X PUT "localhost:9200/_security/role_mapping/admins?pretty" -H 'Content-Type: application/json' -d'
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : {
    "groups" : "cn=ad_user,dc=example,dc=com"
  } },
  "enabled": true
}'
But still, I get the forbidden message and errors in apm-server (503).
Please help me fix this issue. BTW, what is the difference between the active-directory and ldap realms?
My env is: AD - Windows 2012
Elastic Stack - Elasticsearch 7.8, Kibana 7.8, APM Server 7.8, Ubuntu 18.04 x64.
elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 127.0.0.1
xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: example.com
            url: ldap://example.com:389
            #files:
            #  role_mapping: "/etc/elasticsearch/role_mapping.yml"
kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
apm-server.yml
apm-server:
  # Defines the host and port the server is listening on. Use "unix:/path/to.sock" to listen on a unix domain socket.
  host: "0.0.0.0:8200"
  max_event_size: 1000000
  # token configured for other endpoints.
  rum:
    enabled: true
  kibana:
    enabled: true
    host: "localhost:5601"
queue:
  mem:
    events: 8192
#-------------------------- Elasticsearch output --------------------------
output.elasticsearch:
  hosts: ["localhost:9200"]
# Available log levels are: error, warning, info, or debug.
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/apm-server
  # The name of the files where the logs are written to.
  name: apm-server
  rotateeverybytes: 104857600
Here is the record from the Elasticsearch logs.
[2020-06-29T15:22:11,673][WARN ][o.e.x.s.a.AuthenticationService] [sv-] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=32 (no such object), errorMessage='0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=example,DC=com'
', matchedDN='DC=example,DC=com', ldapSDKVersion=4.0.8, revision=28812))
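Added example, not part of the original post and not Elastic's own code: a small Python evaluator for Elasticsearch role-mapping documents of the kind PUT above. A `field` rule is compared against what the realm reports for the authenticated user (`username`, `dn`, `groups` as a list of group DNs, `realm.name`, `metadata.*`), `*` acts as a wildcard, and `any`/`all`/`except` combine rules. The sample user, its group DNs ("ES Admins") and the case-insensitive DN comparison are assumptions made for this example. Run against the posted mapping, whose `groups` value is a user-shaped DN rather than one of the user's group DNs, the evaluator maps no roles; keyed on a group DN the user is in, it maps both roles. Comparing the output of this evaluator with the `roles` list in the `_authenticate` response is a quick way to check whether a mapping is doing what you expect before touching Kibana.

```python
"""Evaluate Elasticsearch role-mapping rules against a user record (added example)."""
import re
from typing import Any, Iterable, Set

# Constructed sample: the role mapping exactly as it was PUT in the post.
POSTED_MAPPING = {
    "roles": ["monitoring", "user"],
    "rules": {"field": {"groups": "cn=ad_user,dc=example,dc=com"}},
    "enabled": True,
}

# Constructed sample: the same mapping keyed on a group DN the sample user is a
# member of (the group "ES Admins" is an assumption, not from the post).
GROUP_MAPPING = {
    "roles": ["monitoring", "user"],
    "rules": {"field": {"groups": "CN=ES Admins,OU=Groups,DC=example,DC=com"}},
    "enabled": True,
}

# Constructed sample user, shaped like what a realm hands to role mapping:
# username, dn, groups (list of group DNs), realm.name and metadata.
SAMPLE_USER = {
    "username": "ad_user@example.com",
    "dn": "CN=ad_user,CN=Users,DC=example,DC=com",
    "groups": [
        "CN=ES Admins,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ],
    "realm": {"name": "my_ad"},
    "metadata": {"ldap_dn": "CN=ad_user,CN=Users,DC=example,DC=com"},
}

# Fields that hold distinguished names; compared case-insensitively here (assumption).
DN_FIELDS = {"dn", "groups"}


def _user_field(user: dict, name: str) -> Any:
    """Resolve a rule field name (username, dn, groups, realm.name, metadata.*)."""
    if name == "realm.name":
        return user.get("realm", {}).get("name")
    if name.startswith("metadata."):
        return user.get("metadata", {}).get(name[len("metadata."):])
    return user.get(name)


def _value_matches(actual: Any, expected: Any, ignore_case: bool) -> bool:
    """Compare one user value with one rule value; '*' in a string rule is a wildcard."""
    if isinstance(expected, str) and isinstance(actual, str):
        regex = "^" + ".*".join(re.escape(part) for part in expected.split("*")) + "$"
        flags = re.IGNORECASE if ignore_case else 0
        return re.match(regex, actual, flags) is not None
    return actual == expected


def _field_rule(user: dict, field: str, expected: Any) -> bool:
    """A field rule matches when any user value equals any of the expected values."""
    actual = _user_field(user, field)
    actuals = actual if isinstance(actual, list) else [actual]
    expecteds = expected if isinstance(expected, list) else [expected]
    ignore_case = field in DN_FIELDS
    return any(_value_matches(a, e, ignore_case) for a in actuals for e in expecteds)


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Recursively evaluate a rule tree made of field / any / all / except nodes."""
    if len(rule) != 1:
        raise ValueError(f"a rule must have exactly one key, got {sorted(rule)}")
    (kind, body), = rule.items()
    if kind == "field":
        return all(_field_rule(user, name, value) for name, value in body.items())
    if kind == "any":
        return any(evaluate_rule(sub, user) for sub in body)
    if kind == "all":
        return all(evaluate_rule(sub, user) for sub in body)
    if kind == "except":
        return not evaluate_rule(body, user)
    raise ValueError(f"unknown rule type: {kind}")


def mapped_roles(mappings: Iterable[dict], user: dict) -> Set[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles: Set[str] = set()
    for mapping in mappings:
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


if __name__ == "__main__":
    print("posted mapping ->", mapped_roles([POSTED_MAPPING], SAMPLE_USER))  # set()
    print("group mapping  ->", mapped_roles([GROUP_MAPPING], SAMPLE_USER))   # {'monitoring', 'user'}
```

The evaluator is deliberately strict about rule shape (exactly one key per node) so that a typo such as a `field` node carrying two sibling rule types is reported instead of silently matching nothing.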