I am working on configuring Shield for authentication and authorization and have run into some issues with the Active Directory integration. I have used ldapsearch as well as my own Java application, which can authenticate with AD, but it appears as though ES is not able to authenticate using similar parameters. I had one of the AD admins sit with me and we noticed that my Java application logs invalid logins when providing invalid credentials; however, although the ES logs show AD error codes that would indicate invalid credentials, the request does not appear to be getting logged in the AD server logs. We also noticed that ldapsearch also wasn't logging invalid credentials but my app would (ldapsearch at least appeared to authenticate my user when providing a correct password). I have been testing the login using a curl command as well as logging in through Kibana. There is some additional role configuration which I have added, but I don't think I'm getting past authentication.
elasticsearch.yaml
```yaml
shield:
  authc:
    realms:
      active_directory:
        type: active_directory
        order: 0
        domain_name: "the hostname"
        unmapped_groups_as_roles: true
      native:
        type: native
        order: 1
      file:
        type: file
        order: 2
```
I have turned logging up on shield.authc to TRACE but I'm not getting much insight as to what is going on.
Example exception from the cluster log.
```text
[2016-08-19 13:45:00,148][DEBUG][shield.authc.activedirectory] [iot-prod-1] authentication failed for user [n325138@doit.state.in.us]
ElasticsearchSecurityException[unable to authenticate user [n325138@hostname] to active directory domain [gc.iot.in.gov]]; nested: LDAPException[80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580^@];
at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:33)
```
```text
$> elasticsearch --version
Version: 2.3.4, Build: e455fd0/2016-06-30T11:24:31Z, JVM: 1.8.0_91
```
Shield Version
```json
{
  "status" : "enabled",
  "name" : "iot-prod-1",
  "cluster_name" : "iot-prod",
  "version" : {
    "number" : "2.3.4",
    "build_hash" : "bd3199a84c10bda200ad31b1f72d1587738d77a1",
    "build_timestamp" : "2016-07-05T12:39:55Z",
    "build_snapshot" : false
  },
  "tagline" : "You Know, for Security"
}
```
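The `LdapErr ... data 52e` string in the exception above is Active Directory's bind diagnostic message, and the `data` sub-code is the part that tells you why the bind was rejected. Below is an added triage helper (not Shield's or Elasticsearch's code) that parses that message out of an ES log line and maps the sub-code to its meaning, stripping the trailing NUL that shows up as `^@` in the log; the code table is the standard set of AD AcceptSecurityContext sub-codes.

```python
import re
from typing import Optional

# Sub-codes AD returns in "data NNN" of an AcceptSecurityContext bind failure.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the AD diagnosticMessage as it appears inside the LDAPException text.
_DIAG_RE = re.compile(
    r"(?P<ntstatus>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(log_line: str) -> Optional[dict]:
    """Extract and classify the AD bind diagnostic from an ES log line.

    Returns None when the line carries no AD diagnostic message.
    """
    # AD terminates the message with a NUL byte; ES renders it as ^@ in the log.
    cleaned = log_line.replace("^@", "").replace("\x00", "")
    match = _DIAG_RE.search(cleaned)
    if match is None:
        return None
    info = match.groupdict()
    info["data"] = info["data"].lower()
    info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "unknown sub-code")
    # "AcceptSecurityContext error" means the DC evaluated and rejected the
    # credentials, as opposed to a transport or request-format problem.
    info["credentials_rejected"] = info["comment"] == "AcceptSecurityContext error"
    return info


if __name__ == "__main__":
    # The exception text from the cluster log above.
    sample = ("ElasticsearchSecurityException[unable to authenticate user [n325138@hostname] "
              "to active directory domain [gc.iot.in.gov]]; nested: LDAPException[80090308: "
              "LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580^@];")
    print(parse_ad_bind_error(sample))
```

Because 52e (wrong password), 533 (disabled) and 775 (locked out) are distinct sub-codes, routing this field into a SIEM lets you separate a password-spray pattern from a misconfigured realm or an expired account.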