Hello, I’m working on setting up LDAP/AD auth. However, I’m not sure what I’m missing here. In terms of logging, I’m not seeing much of anything in Kibana or Elasticsearch at all, mainly because the logs are getting clobbered by the “not starting watcher, upgrade API run required: .watches [false], .triggered_watches[true]” message, a secondary issue (working on it). I do know that my node can see the LDAP server. I have the proper bind user and password in place.
We have two user groups created in AD (admins and user), with admin tied to my “member of”, and this seems to be set up correctly in my role_mapping.yml.
However, when I try to log in, all I’m getting is “Invalid username or password. Please try again.”
"version" : {
"number" : "7.9.1",
elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
# ---------------------------------- Cluster -----------------------------------
# Use a descriptive name for your cluster:
cluster.name: elastic_int
# ------------------------------------ Node ------------------------------------
# Use a descriptive name for the node:
node.name: xyz
# Add custom attributes to the node:
node.attr.datacenter: xyz
# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by comma):
path.data: /mnt/data
# Path to log files:
path.logs: /var/log/elasticsearch
# ----------------------------------- Memory -----------------------------------
# Lock the memory on startup:
# bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
# Elasticsearch performs poorly when the system is swapping the memory.
# ---------------------------------- Network -----------------------------------
# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 0.0.0.0
#http.port: 9200
#
# --------------------------------- Discovery ----------------------------------
discovery.seed_hosts: ["0.0.0.0","0.0.0.0","0.0.0.0"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#cluster.initial_master_nodes: ["node1"]
# ---------------------------------- Various -----------------------------------
#
# At this % disk usage, elasticsearch will mark all indices read-only (really delete-only)
cluster.routing.allocation.disk.watermark.low: 90%
cluster.routing.allocation.disk.watermark.high: 95%
cluster.routing.allocation.disk.watermark.flood_stage: 98%
xpack.monitoring.collection.enabled: true
xpack.monitoring.history.duration: 30d
xpack.security.enabled: true
#xpack.security.audit.enabled: true
#cluster ssl
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
#client ssl
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: x.x.p12
thread_pool.write.queue_size: 1000
indices.memory.index_buffer_size: 15%
#LDAP config
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://x.x.x.x"
            bind_dn: "cn=binduser, ou=ds-service-accounts, dc=int, dc=tt, dc=local"
            user_search:
              base_dn: "dc=idx,dc=id,dc=local"
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=idx,dc=id,dc=local"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            unmapped_groups_as_roles: false
role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA: this is an elasticsearch role
# - groupA-DN this is a group distinguished name
# - groupB-DN
# - user1-DN this is the full user distinguished name
superuser:
- "cn=Kibana-Admins,ou=Applications-Group,ou=Groups,dc=idx,dc=id,dc=local"
user:
- "cn=Kibana-Users,ou=Applications-Group,ou=Groups,dc=idx,dc=id,dc=local"
# - "cn=admins,dc=example,dc=com"
# - "cn=John Doe,cn=other users,dc=example,dc=com"
elasticsearch]$ curl --user user:pw.. -X GET "http://x.x.x.x:9200?pretty" --verbose
* About to connect() to proxy xyz port 3128 (#0)
* Trying x.x.x.x...
* Connected xyz.net (0.0.0.0) port xyz (#0)
* Server auth using Basic with user 'bind_dn'
> GET http://0.0.0.0:9200/?pretty HTTP/1.1
> Authorization: Basic YmluZF9kbjpUdDEyMzQ1Njc4Li4=
> User-Agent: curl/7.29.0
> Host: x.x.x.x:9200
> Accept: */*
> Proxy-Connection: Keep-Alive
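A quick offline sanity check for the realm config and role_mapping.yml pair above, added here as an example and not part of the original post or of Elastic's code. It reads the realm and the mapping as plain Python dicts (constructed to mirror the YAML in the post, so it runs without a cluster or an LDAP server), normalizes each DN, and reports two common reasons a mapping silently never matches: a user_search filter without the {0} placeholder, and a mapped group or user DN that sits outside every search base the realm is allowed to look under. The DN normalization (case-insensitive, whitespace around separators ignored, backslash escapes honoured) is an assumption that mirrors how Active Directory treats DNs; it is not a copy of Elasticsearch's own matching code. The "ops" mapping is a constructed entry that deliberately lies outside the search base so the finding is visible.

```python
"""Offline sanity check for an Elasticsearch LDAP realm + role_mapping.yml.

Added example, not Elastic's code. Assumptions: DN comparison is case-
insensitive and ignores whitespace around RDN separators (as Active
Directory does); the realm and mapping below are constructed dicts that
mirror the YAML in the post rather than parsed YAML files.
"""


def split_rdns(dn):
    """Split a DN on unescaped commas, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def normalize_dn(dn):
    """Lower-case attribute types and values and drop whitespace around '=' and ','."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dn_is_under(dn, base_dn):
    """True when dn is a strict descendant of base_dn (suffix match on RDNs)."""
    d = split_rdns(normalize_dn(dn))
    b = split_rdns(normalize_dn(base_dn))
    return len(d) > len(b) and d[-len(b):] == b


def check_realm_and_mapping(realm, role_mapping):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    user_filter = realm.get("user_search", {}).get("filter", "(uid={0})")
    if "{0}" not in user_filter:
        findings.append(f"user_search.filter {user_filter!r} has no {{0}} placeholder, "
                        "so the login name is never substituted into the search")
    bases = [realm.get("user_search", {}).get("base_dn", ""),
             realm.get("group_search", {}).get("base_dn", "")]
    bases = [b for b in bases if b]
    for role, dns in role_mapping.items():
        for dn in dns:
            if not any(dn_is_under(dn, base) for base in bases):
                findings.append(f"role {role!r}: {dn!r} lies outside every search base "
                                f"{bases}, so it can never match a looked-up user or group")
    return findings


# Constructed from the realm block in the post (values anonymized there).
REALM = {
    "bind_dn": "cn=binduser, ou=ds-service-accounts, dc=int, dc=tt, dc=local",
    "user_search": {"base_dn": "dc=idx,dc=id,dc=local", "filter": "(cn={0})"},
    "group_search": {"base_dn": "dc=idx,dc=id,dc=local"},
}

# Constructed from role_mapping.yml in the post, plus one deliberately bad entry.
ROLE_MAPPING = {
    "superuser": ["cn=Kibana-Admins,ou=Applications-Group,ou=Groups,dc=idx,dc=id,dc=local"],
    "user": ["cn=Kibana-Users,ou=Applications-Group,ou=Groups,dc=idx,dc=id,dc=local"],
    # hypothetical group outside the search base: the check should flag it
    "ops": ["CN=Ops Team, OU=Groups, DC=example, DC=com"],
}

if __name__ == "__main__":
    for line in check_realm_and_mapping(REALM, ROLE_MAPPING) or ["no findings"]:
        print(line)
```

Run it as-is and it prints one finding, for the constructed "ops" entry; swap in your own realm and mapping dicts to check a real deployment. Note that a DN passing this check only means the realm is able to find it; whether the bound account may read group membership is a server-side question that only the LDAP server's logs or an independent search with the bind account can answer.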