Configuring x-pack and active directory

Hey,

I am trying to configure X-Pack and Elasticsearch to authenticate through an Active Directory.
I feel like I am missing something in my configuration.
I am running CentOS 7 with Elasticsearch 6.1.3.
I added this to my elasticsearch.yml:

#------------------------------------x-pack-----------------------------------
xpack:
  security:
    authc:
      realms:
       active_directory:
        type: active_directory
        order: 0
        domain_name: lab.proj.lan
        url: ldap://192.168.0.1:389
        bind_dn: CN=bindaccount,CN=Users,DC=lab,DC=proj,DC=lan
        bind_password: ********

And I added this to my role_mapping.yml:

monitor:
   - "CN=Utilisateurs du domaine,CN=Users,DC=lab,DC=proj,DC=lan"

So when I go to localhost:9200 I get a login/password popup. Is that normal?

If I cancel, I get the following:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

And if I log in with the Active Directory account (same as in the configuration):

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/main] is unauthorized for user [bindaccount]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/main] is unauthorized for user [bindaccount]"
  },
  "status" : 403
}

Can anyone help?

From that last error it looks like you did authenticate but your user either isn't associated with any roles or isn't associated with a role that has the privileges described in that error. Initially I would associate your user with the superuser role just to verify you have the integration working.

I don't have much hands-on experience with the AD integration. I'm sure you're going through this:
https://www.elastic.co/guide/en/x-pack/current/active-directory-realm.html

If you're still stuck I can try to help you again tomorrow.

Regards,
Lee

As @LeeDr has said, this looks like either:

  1. A role mapping problem (your users aren't getting the roles you want); or
  2. A role definition problem (your roles don't grant the right privileges)

The first step to working out which of these is the problem is to use the Authenticate API.

When you access that endpoint it will show you 2 things:

  1. Your list of roles
  2. Your LDAP metadata (DN, groups, etc).

If the roles list matches what you expect, then you will need to go and look at the definition of those roles and see what is causing a problem.

If the roles list is not what you expect, check the metadata against your role mappings. Does Elasticsearch think that your user is in the groups that you expect to see? etc.
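The decision procedure from the answer above, as a runnable check; this is an added example, not part of the original thread. The two Authenticate API responses are constructed, and the `ldap_dn` / `ldap_groups` metadata keys and the simplified DN comparison are assumptions.

```python
import json

# Constructed Authenticate API responses (6.x: GET /_xpack/security/_authenticate).
# Values are made up; the ldap_dn / ldap_groups metadata keys are an assumption.
NO_ROLES = json.loads("""{
  "username": "bindaccount", "roles": [],
  "metadata": {"ldap_dn": "CN=bindaccount,CN=Users,DC=lab,DC=proj,DC=lan",
               "ldap_groups": ["CN=Lab Admins,CN=Users,DC=lab,DC=proj,DC=lan"]}}""")
WITH_ROLE = json.loads("""{
  "username": "bindaccount", "roles": ["monitor"],
  "metadata": {"ldap_dn": "CN=bindaccount,CN=Users,DC=lab,DC=proj,DC=lan",
               "ldap_groups": ["cn=utilisateurs du domaine, cn=users, dc=lab, dc=proj, dc=lan"]}}""")

# role_mapping.yml from the question, as a dict: role name -> list of DNs.
ROLE_MAPPING = {
    "monitor": ["CN=Utilisateurs du domaine,CN=Users,DC=lab,DC=proj,DC=lan"],
}

def norm_dn(dn):
    """Simplified DN normalisation: ignores case and spaces around commas.
    Does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def diagnose(auth, mapping):
    """Return (problem_area, detail) by comparing the response with the mapping."""
    meta = auth.get("metadata", {})
    seen = {norm_dn(d) for d in [meta.get("ldap_dn")] + meta.get("ldap_groups", []) if d}
    # Roles the mapping file should grant for the DNs Elasticsearch reports.
    expected = {r for r, dns in mapping.items() if seen & {norm_dn(d) for d in dns}}
    actual = set(auth.get("roles", []))
    if not expected:
        return "role_mapping", "no mapping entry matches the DN or groups Elasticsearch reports"
    if expected - actual:
        return "role_mapping", f"mapped but not assigned: {sorted(expected - actual)}"
    # Roles are as expected, so a 403 points at what those roles allow.
    return "role_definition", f"roles {sorted(actual)} assigned; check the privileges they grant"

if __name__ == "__main__":
    for name, resp in (("no roles", NO_ROLES), ("role present", WITH_ROLE)):
        print(name, "->", diagnose(resp, ROLE_MAPPING))
```
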

Thank you both for your reply. You are right, I was not understanding roles very well. I re-read the documentation, knew how to assign roles, and saw them in Kibana (which at first was not working correctly; I had to re-install the X-Pack plugin twice).

Keep up the good work.
