Errors with authentication to Active Directory

Hello!
Please help with this problem!
Objective: to implement login to Kibana through authentication in Active Directory.

Elasticsearch and Kibana version: 7.12.0

elasticsearch.yml:

node.name: node2
node.roles: [ master, ingest, ml ]

http.max_content_length: 200MB

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
path.repo: /opt/elastic/backups

network.host: 127.0.0.1
transport.host: ...

discovery.zen.ping.unicast.hosts: ...
discovery.zen.minimum_master_nodes: 2

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: config/certs/node2-cert.p12
xpack.security.transport.ssl.truststore.path: config/certs/elastic-stack-ca.p12

xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        active_directory:
          ad1:
            order: 1
            domain_name: DOMAIN
            url: ldap://domain.com:389
            user_search:
              base_dn: "cn=users,dc=domain,dc=com"
            group_search:
              base_dn: "cn=users,dc=domain,dc=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

role_mapping.yml

superuser:
   - "cn=users,dc=domain,dc=com"

The ldapsearch command successfully connects via LDAP to Active Directory:
ldapsearch -x -LLL -h domain.com -D user_test@DOMAIN -w "password" -b "cn=users,dc=domain,dc=com" -s sub "(objectClass=user)"

I check it with this test and it doesn't work:
curl -u user_test@DOMAIN http://localhost:9200/_cat/nodes?pretty

I am getting an error like this:
[2021-04-12T01:44:16,898][WARN ][o.e.x.s.a.AuthenticationService] [node2] Authentication to realm ad1 failed - authenticate failed (Caused by ElasticsearchSecurityException[search for user [user_test@DOMAIN] by principal name yielded no results])

The complete log is as follows:
[2021-04-12T01:44:16,897][TRACE][o.e.x.s.a.l.s.LdapUtils ] [node2] LDAP bind [SimpleBindRequest(dn='user_test@DOMAIN', controls={AuthorizationIdentityRequestControl(isCritical=false)})] succeeded for [LDAPConnection(connected to domain.com:389)]
[2021-04-12T01:44:16,898][TRACE][o.e.x.s.a.l.s.LdapUtils ] [node2] LDAP Search SearchRequest(baseDN='cn=users,dc=domain,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=5, filter='(&(objectClass=user)(userPrincipalName=user_test@DOMAIN))', attrs={1.1}) => SearchResult(resultCode=0 (success), messageID=2, entriesReturned=0, referencesReturned=0) ([])
[2021-04-12T01:44:16,898][WARN ][o.e.x.s.a.AuthenticationService] [node2] Authentication to realm ad1 failed - authenticate failed (Caused by ElasticsearchSecurityException[search for user [user_test@DOMAIN] by principal name yielded no results])

It connects, but what search results does it return?
Is your user_test included in them?

This:

user_search:
  base_dn: "cn=users,dc=domain,dc=com"

tells Elasticsearch that your users are nested under that DN. Is that the case?

If you're not sure, you could try using ldapwhoami and see if that provides your full DN:

ldapwhoami -x -h domain.com -D user_test@DOMAIN -w "password" 

Hello @TimV! Thanks for your reply.

Yes, user_test is on this list along with other users.

The command:

ldapwhoami -x -h domain.com -D user_test@DOMAIN -w "password"

returned an answer like: u:DOMAIN\user_test

But going back to the output of the ldapsearch command above, I found a line like this:
dn:CN=Domain Admins,CN=Users,DC=domain,DC=com
The Domain Admins group includes my user_test.

I tried substituting this DN for base_dn in elasticsearch.yml and also in the role_mapping.yml file, but the problem persists. The logs contain the same errors.
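The TRACE lines in the first post already contain the answer: the bind as user_test@DOMAIN succeeds, but the realm then searches for `(userPrincipalName=user_test@DOMAIN)` and gets zero entries. Active Directory accepts the NetBIOS-style name for a simple bind, whereas the userPrincipalName attribute normally carries the DNS suffix (user_test@domain.com), so a filter built from `DOMAIN` never matches. The script below is an added example, not code from the thread or from Elasticsearch: it rebuilds the default user-search filters the active_directory realm documents for 7.x for each login form, runs them against a constructed in-memory stand-in for the cn=users container, and reproduces the empty result from the log next to the login forms that do match. The directory contents, the attribute values and the DNS domain domain.com are assumptions; the user object is modelled with the usual AD attributes sAMAccountName and userPrincipalName.

```python
"""Reproduce the Elasticsearch AD realm's user-search step offline.

Added example (not Elasticsearch code).  Default filters of the
active_directory realm, as documented for 7.x, by login form:

  user@domain  -> user_search.upn_filter
                  (&(objectClass=user)(userPrincipalName={1}))
  DOMAIN\\user  -> user_search.down_level_filter
                  (&(objectClass=user)(sAMAccountName={0}))
  plain user   -> user_search.filter
                  (&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}@<domain_name>)))

The down-level form additionally needs the NetBIOS name resolved to a DNS
domain in Elasticsearch; that step is not modelled here.
"""
import re

# RFC 4515 escaping: a login name must never be spliced into a filter raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ad_user_filter(login: str, domain_name: str) -> str:
    """Filter the realm would build for this login and realm domain_name."""
    if "@" in login:                      # UPN form: the whole login is {1}
        return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(login)}))"
    if "\\" in login:                     # down-level form: DOMAIN\\user
        user = login.partition("\\")[2]
        return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"
    u, d = escape_filter_value(login), escape_filter_value(domain_name)
    return f"(&(objectClass=user)(|(sAMAccountName={u})(userPrincipalName={u}@{d})))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt: str, pos: int = 0):
    """Parse the RFC 4515 subset used above (&, |, !, attr=value) into a tree."""
    if filt[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if filt[pos] in "&|!":
        op, pos, kids = filt[pos], pos + 1, []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            kids.append(node)
        if filt[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), pos + 1
    end = filt.index(")", pos)            # a literal ')' cannot occur inside an escaped value
    attr, _, value = filt[pos:end].partition("=")
    return ("=", (attr.lower(), _unescape(value))), end + 1


def _match(node, entry) -> bool:
    op, arg = node
    if op == "&":
        return all(_match(k, entry) for k in arg)
    if op == "|":
        return any(_match(k, entry) for k in arg)
    if op == "!":
        return not _match(arg[0], entry)
    attr, value = arg                     # AD matches these attributes case-insensitively;
    return any(v.lower() == value.lower() for v in entry.get(attr, []))   # no wildcards here


def ldap_search(directory, filt: str):
    """Return the DNs in `directory` (attr-name -> [values]) that match `filt`."""
    tree, _ = _parse(filt)
    return [dn for dn, entry in directory.items() if _match(tree, entry)]


# Constructed stand-in for cn=users,dc=domain,dc=com.  The UPN carries the DNS
# domain (the AD default); DOMAIN is only the NetBIOS name (assumption).
DIRECTORY = {
    "CN=user_test,CN=Users,DC=domain,DC=com": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["user_test"],
        "userprincipalname": ["user_test@domain.com"],
        "memberof": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"],
    },
    "CN=Domain Admins,CN=Users,DC=domain,DC=com": {
        "objectclass": ["top", "group"],
        "samaccountname": ["Domain Admins"],
    },
}


def lookup(login: str, domain_name: str):
    """(filter the realm would send, DNs it would get back) for one login attempt."""
    filt = ad_user_filter(login, domain_name)
    return filt, ldap_search(DIRECTORY, filt)


if __name__ == "__main__":
    for login, domain in [("user_test@DOMAIN", "DOMAIN"),     # the thread's attempt
                          ("user_test", "DOMAIN"),
                          ("user_test", "domain.com"),
                          ("user_test@domain.com", "domain.com")]:
        filt, hits = lookup(login, domain)
        print(f"{login:22} domain_name={domain:11} -> {len(hits)} result(s)  {filt}")
```

The first case reproduces the filter and the empty SearchResult from the TRACE log exactly; the others show what changes it: set `domain_name` to the DNS name the UPNs actually use (`domain.com`) and log in as `user_test` or `user_test@domain.com`. Even with `domain_name: DOMAIN`, a plain `user_test` login would bind as user_test@DOMAIN (which ldapwhoami showed AD accepts) and match on sAMAccountName. To confirm the real attribute values rather than assume them, rerun the ldapsearch from the first post with the filter `(sAMAccountName=user_test)` and the attribute list `userPrincipalName sAMAccountName memberOf` after it. Two further points from the posted config: `ldap://...:389` sends the bind password in cleartext, so the realm URL should be `ldaps://` (or `url` plus `ssl.enabled: true` with start_tls) before real users log in; and a role_mapping.yml entry needs the DN of the user or of a group the user belongs to, not the cn=users container DN, and mapping the Domain Admins group to superuser hands every domain admin full Elasticsearch rights, so a dedicated group is the safer choice.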
