We are trying to configure LDAP on Elasticsearch to enable LDAP authentication in Kibana, following this guide: https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html
See my current config below as well. Thanks
After applying our configuration we get the error below:
com.unboundid.ldap.sdk.LDAPException: 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8349, best match of:
'(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=itt_admin,OU=devcentral,OU=appgroups,OU=accessmgmnt,DC=ers,DC=company,DC=com)))'
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.toException(LdapUtils.java:407) ~[x-pack-security-7.9.0.jar:7.9.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.access$200(LdapUtils.java:53) ~[x-pack-security-7.9.0.jar:7.9.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$LdapSearchResultListener.searchResultReceived(LdapUtils.java:514) [x-pack-security-7.9.0.jar:7.9.0]
at com.unboundid.ldap.sdk.AsyncSearchHelper.responseReceived(AsyncSearchHelper.java:245) [unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionReader.run(LDAPConnectionReader.java:516) [unboundid-ldapsdk-4.0.8.jar:4.0.8]
elasticsearch.yml:
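# LDAP realm used for Elasticsearch/Kibana authentication (x-pack 7.9).
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            # ldaps:// only protects the bind credentials if the server
            # certificate is actually verified.  If the LDAP server's CA is not
            # in the JVM truststore, set ssl.certificate_authorities for this
            # realm instead of relaxing ssl.verification_mode.
            url: "ldaps://ldap-bb.ers.company.com:636"
            bind_dn: "cn=crowdapp,ou=serviceaccounts,ou=accounts,ou=accessmgmnt,dc=ers,dc=company,dc=com"
            # The bind password belongs in the Elasticsearch keystore as
            # xpack.security.authc.realms.ldap.ldap1.secure_bind_password,
            # not as a plaintext value in this file.
            user_search:
              # NOTE(review): the domain component here (DC=equifax) differs
              # from the one used by bind_dn and the group DN (dc=company);
              # confirm which directory tree the realm should search.
              base_dn: "OU=accessmgmnt,DC=ers,DC=equifax,DC=com"
              # {0} is replaced with the username typed at the login prompt.
              filter: "(cn={0})"
            group_search:
              # base_dn must be a distinguished name, not an LDAP filter.  The
              # filter string previously placed here was sent to the server as
              # the search base, which is exactly what the BAD_NAME (problem
              # 2006) error reports.  The DN below is constructed from the
              # parent OU of the itt_admin group in role_mapping.yml; adjust
              # it to the container that actually holds the groups.
              base_dn: "OU=appgroups,OU=accessmgmnt,DC=ers,DC=company,DC=com"
              # Optional group filter; {0} is the DN of the authenticated user.
              # When omitted the realm's default member/memberOf lookup is used.
              # filter: "(&(objectClass=group)(member={0}))"
            files:
              role_mapping: "/opt/elk/elasticsearch/role_mapping.yml"
            # Only groups explicitly listed in role_mapping.yml grant roles;
            # unmapped group names are never promoted to role names.
            unmapped_groups_as_roles: false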
role_mapping.yml:
# Maps Elasticsearch roles to LDAP distinguished names.
# Each top-level key is a role; the list under it holds the group DNs and/or
# full user DNs whose members are granted that role.
superuser:
  # A single account granted the built-in superuser role directly by its DN.
  - "cn=rxv112,ou=useraccounts,ou=accounts,dc=ers,dc=company,dc=com"

user:
  # Members of this directory group receive the "user" role.
  - "CN=itt_admin,OU=devcentral,OU=appgroups,OU=accessmgmnt,DC=ers,DC=company,DC=com"
  # - "cn=John Doe,cn=other users,dc=example,dc=com"