LDAP Group members can't login in elasticsearch

Hi Elastic Team,

I think I'm missing something here. E456 uid can't login to elasticsearch even if it is a member of ou=people,ou=ec,o=world. But when using E123 uid, it is successful. E456 and E123 belongs to the same group btw.


   order: 0
   url: "ldaps://example.example.com:636"
           - "uid={0},ou=people,ou=ec,o=world"
           base_dn: "ou=people,ou=ec,o=world"
           role_mapping: "/etc/elasticsearch/role_mapping.yml"
   unmapped_groups_as_roles: false


        - "ou=people,ou=ec,o=world"
        - "uid=E123,ou=people,ou=ec,o=world"

Hope someone can help. Thank you!

You'll need share more information for any meaningful diagnosis, e.g. what is the exact error, (401 or 403?), server side trace or debug logs for the failure and success scenarios, exact how you entered the username for authenticating and perhaps the authenticate response from the successful user.

Hi Yang_Wang,

I'm getting this error when logging in as E456. But when logging is as E123, I'm directed to kibana web successfully.

I think this is likely a 403 authorization error. You can try add the E456 user to your role mapping file, e.g.:

  - "ou=people,ou=ec,o=world"
  - "uid=E123,ou=people,ou=ec,o=world"
  - "uid=E456,ou=people,ou=ec,o=world"

Yes, I actually did that and it is working. But what I planned to do is give access to mulitple members not only E123 and E456.

So like what I'm trying to do is give access to all members of that LDAP group without manually type all of them in role_mapping.yml

You should check what you get in the Authenticate API response. The user's ldap groups are listed in the metadata. My guess is that the groups do not match ou=people,ou=ec,o=world which is why the entry is not working.

Hi Yang Wang,

Still stuck. :frowning: But here's a new log in elasticsearch. You can see it is auth successful. But still having error like above screenshot.

[2022-10-17T14:23:58,629][DEBUG][o.e.x.s.a.RealmsAuthenticator] [host] Authentication of [E456] using realm [ldap/ldap01] with token [UsernamePasswordToken] was [AuthenticationResult{status=SUCCESS, value=User[username=E456,roles=[],fullName=null,email=null,metadata={ldap_dn=uid=E456,ou=people,ou=ec,o=world, ldap_groups=[]}], message=null, exception=null}]

Yeah the issue is with authorization (role mapping), not authencation. Based on the log message, it is clear that your E456 user does not have any ldap groups

Maybe this user does not have permission to perform group search. Or maybe you should search group in higher level, i.e. instead of

           base_dn: "ou=people,ou=ec,o=world"


           base_dn: "ou=ec,o=world"

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.