Issue Authenticating with Active Directory

nate.fleming · August 19, 2016, 5:54pm

I am working on configuring Shield for authentication and authorization and have run into some issues with the Active Directory integration. I have used ldapsearch as well as my own Java application which can authenticate with AD but it appears as though ES is not able to a authenticate using similar parameters. I had one of the AD admins sit with me and we noticed that my java application logs invalid logins when providing invalid credentials, however, although the ES logs show AD error codes that would indicate invalid credentials the request does not appear to be getting logged in the AD server logs. We also noticed that ldapsearch also wasn't logging invalid credentials but my app would (ldap search at least appeared to authenticate my user when providing a correct password) I have been testing the login using curl command as well as logging in through Kibana. There are some additional role configuration which I have added but I don't think I'm getting passed authentication.

elasticsearch.yaml

shield:
authc:
realms:
active_directory:
type: active_directory
order: 0
domain_name: "the hostname"
unmapped_groups_as_roles: true
native:
type: native
order: 1
file:
type: file
order: 2

I have turned logging up on shield.authc to TRACE but I'm not getting much insight as to what is going on.

Example exception from the cluster log.

[2016-08-19 13:45:00,148][DEBUG][shield.authc.activedirectory] [iot-prod-1] authentication failed for user [n325138@doit.state.in.us]
ElasticsearchSecurityException[unable to authenticate user [n325138@hostname] to active directory domain [gc.iot.in.gov]]; nested: LDAPException[80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580^@];
at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:33)

$> elasticsearch --version
Version: 2.3.4, Build: e455fd0/2016-06-30T11:24:31Z, JVM: 1.8.0_91

Shield Version
{
"status" : "enabled",
"name" : "iot-prod-1",
"cluster_name" : "iot-prod",
"version" : {
"number" : "2.3.4",
"build_hash" : "bd3199a84c10bda200ad31b1f72d1587738d77a1",
"build_timestamp" : "2016-07-05T12:39:55Z",
"build_snapshot" : false
},
"tagline" : "You Know, for Security"
}

jaymode · August 22, 2016, 11:04am

Hi Nate,

The exception indicates an authentication failure when a bind is attempted. Do you have multiple domains or are you just trying to authenticate against a single domain?

Jay

nate.fleming · August 22, 2016, 2:40pm

Thanks for the response Jay. There are many domains and at the moment we are using the global catalog as the entry point. After some experimentation I found that if that change the shield domain_name option to my specific domain than it will resolve using just my username. For example:

username@myhostname does not authenticate against the GC domain name
username@myhostname does not authenticate against myhostname (specific domain name)
username does not authenticate against the GC domain name
username DOES authenticate against myhostname (specific domain name)

jaymode · August 22, 2016, 2:57pm

That is a limitation of the active directory realm in Shield 2.3. Some workarounds would be to use multiple AD realms or to use a LDAP realm with a bind user that can search for the user in AD.

In X-Pack 5.0 (currently in alpha), we have added support for multi domain authentication with a single realm.

nate.fleming · August 22, 2016, 6:52pm

Thanks Jay,
We were able to get LDAP configured and working. What is the future role of xpack? Will it end up replacing Shield?