Hi,
I am trying to configure an AD realm in order to authenticate to Elasticsearch (version 6.6.1). My elasticsearch.yml and role_mapping.yml look like below.
elasticsearch.yml:
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: ds.dev.accenture.com
          url: ldap://amrdc1711.ds.dev.accenture.com:389
          bind_dn: adt_ldap@ds.dev.accenture.com
role_mapping.yml:
power_user:
  - "CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com"
user:
  - "CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com"
ALMADMINDEV is the AD group in DS domain that I am trying to map to, and ads.rullas is a member of that group.
Whenever I try authenticating to Elasticsearch through a browser, i.e. http://10.140.7.4:9200/, I get a 403 error, although I am not seeing any error in the logs:
[2019-12-27T06:48:54,876][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [WMDjAWI] Resolving LDAP groups + meta-data for user [CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com]
[2019-12-27T06:48:54,966][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [WMDjAWI] group SID to DN [CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com] search filter: [(|(objectSid=S-1-5-21-861567501-413027322-1801674531-4620177)(objectSid=S-1-5-21-861567501-413027322-1801674531-2835479)(objectSid=S-1-5-21-861567501-413027322-1801674531-513)(objectSid=S-1-5-21-861567501-413027322-1801674531-2936633)(objectSid=S-1-5-21-861567501-413027322-1801674531-2835475)(objectSid=S-1-5-21-861567501-413027322-1801674531-4012821))]
[2019-12-27T06:48:55,056][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [WMDjAWI] Resolved 6 LDAP groups [[CN=Domain Users,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.HubViewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.Viewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIORDS.GW.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=AZRSG.CIORDS.DEV.SQL.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com]] for user [CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com]
[2019-12-27T06:48:55,056][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [WMDjAWI] Resolved 0 meta-data fields [{}] for user [CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com]
[2019-12-27T06:48:55,057][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [WMDjAWI] the roles [[power_user]], are mapped from these [active_directory] groups [[CN=CIO.SmartKeepAlive.Viewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIORDS.GW.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=AZRSG.CIORDS.DEV.SQL.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=Domain Users,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.HubViewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com]] using file [role_mapping.yml] for realm [active_directory/active_directory]
[2019-12-27T06:48:55,057][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [WMDjAWI] the roles [[user]], are mapped from the user [cn=ads.rullas,ou=operations,dc=ds,dc=dev,dc=accenture,dc=com] using file [role_mapping.yml] for realm [active_directory/active_directory]
[2019-12-27T06:48:55,057][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [WMDjAWI] The security index is not yet available - no role mappings can be loaded
[2019-12-27T06:48:55,057][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [WMDjAWI] Security Index [.security] [exists: false] [available: false] [mapping up to date: true]
[2019-12-27T06:48:55,057][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [WMDjAWI] Mapping user [UserData{username:ads.rullas; dn:CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com; groups:[CN=CIO.SmartKeepAlive.Viewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIORDS.GW.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=AZRSG.CIORDS.DEV.SQL.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=Domain Users,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.HubViewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com]; metadata:{ldap_dn=CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com, ldap_groups=[CN=Domain Users,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.HubViewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIO.SmartKeepAlive.Viewers,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=CIORDS.GW.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=AZRSG.CIORDS.DEV.SQL.Access,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com, CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com]}; realm=active_directory}] to roles [[]]
[2019-12-27T06:50:49,386][DEBUG][o.e.x.s.a.l.LdapRealm ] [WMDjAWI] realm [active_directory] authenticated user [ads.rullas], with roles [[power_user, user]]
[2019-12-27T06:53:13,357][DEBUG][o.e.x.s.a.l.LdapRealm ] [WMDjAWI] realm [active_directory] authenticated user [ads.rullas], with roles [[power_user, user]]
When I do a curl from my Linux box, I get the 403 error below.
[ads.rullas@vw526474 config]$ curl -u ads.rullas "http://10.140.17.4:9200/"
Enter host password for user 'ads.rullas':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [ads.rullas]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [ads.rullas]"},"status":403}
I am able to access the URL only through the built-in user "elastic", for which the password is set in bootstrap.password.
[ads.rullas@vw526474 bin]$ ./elasticsearch-keystore list
bootstrap.password
keystore.seed
xpack.security.authc.realms.active_directory.secure_bind_password
xpack.security.http.ssl.keystore.secure_password
xpack.security.http.ssl.truststore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
Not sure what I am missing in role_mapping.yml that is causing the issue. Kindly suggest.
Note: I have only one ES node and am trying to integrate with AD for now.
Regards
Ram
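As an added worked check (not code from the original post and not Elasticsearch's own code), the Python below replays the DnRoleMapper step visible in the DEBUG log and then tests whether each mapped role name is actually defined. The log shows roles [power_user, user] being mapped, but a mapped name that is neither a built-in role nor defined in roles.yml or via the role API grants no privileges, which is enough to produce the 403 on cluster:monitor/main even though authentication succeeded. The built-in role list, the privilege-to-action patterns and both roles.yml variants are constructed placeholders; the DN normalisation is a simplification of the LDAP DN matching Elasticsearch performs.

```python
import fnmatch

# Taken from the post's role_mapping.yml and its "Resolved 6 LDAP groups" log line.
ROLE_MAPPING = {
    "power_user": ["CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com"],
    "user": ["CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com"],
}
USER_DN = "CN=ads.rullas,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com"
GROUPS = [
    "CN=Domain Users,OU=Operations,DC=ds,DC=dev,DC=accenture,DC=com",
    "CN=ALMADMINDEV,OU=Groups,DC=ds,DC=dev,DC=accenture,DC=com",
]
# Constructed: a few built-in role names (the real list is longer) and a simplified
# map of cluster privilege name -> action pattern covering only the two values used here.
BUILTIN_ROLES = {"superuser", "kibana_user", "monitoring_user"}
CLUSTER_PRIV_PATTERNS = {"all": ["cluster:*"], "monitor": ["cluster:monitor/*"]}

def normalize_dn(dn):
    # Case- and whitespace-insensitive DN comparison (simplified LDAP DN matching).
    return ",".join(part.strip().lower() for part in dn.split(","))

def map_roles(user_dn, groups, mapping):
    # A role applies when one of its listed DNs equals the user DN or any group DN.
    have = {normalize_dn(d) for d in [user_dn, *groups]}
    return sorted(r for r, dns in mapping.items()
                  if any(normalize_dn(d) in have for d in dns))

def undefined_roles(mapped, roles_yml):
    # Mapped names that are neither built-in nor defined in roles.yml grant nothing.
    return sorted(r for r in mapped if r not in BUILTIN_ROLES and r not in roles_yml)

def cluster_action_allowed(mapped, roles_yml, action):
    # Union the cluster privileges of every defined mapped role and match the action.
    patterns = [p for r in mapped for priv in roles_yml.get(r, {}).get("cluster", [])
                for p in CLUSTER_PRIV_PATTERNS.get(priv, [])]
    return any(fnmatch.fnmatch(action, p) for p in patterns)

# Case 1 (constructed): the post shows no roles.yml, so neither mapped name is defined.
ROLES_YML_EMPTY = {}
# Case 2 (constructed): roles.yml defining both names with a cluster privilege.
ROLES_YML_FIXED = {"power_user": {"cluster": ["all"]}, "user": {"cluster": ["monitor"]}}

if __name__ == "__main__":
    mapped = map_roles(USER_DN, GROUPS, ROLE_MAPPING)
    for label, roles_yml in (("as posted", ROLES_YML_EMPTY), ("fixed", ROLES_YML_FIXED)):
        print(label, "mapped:", mapped, "undefined:", undefined_roles(mapped, roles_yml),
              "cluster:monitor/main allowed:",
              cluster_action_allowed(mapped, roles_yml, "cluster:monitor/main"))
```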