Local Login and Active Directory Login

I've recently activated gold licensing for our Elasticsearch 7.16.1 instance. I'm trying to implement Active Directory authentication. I've successfully added the needed configuration for Elasticsearch, but when I add an additional basic provider in the Kibana.yml, I get a fatal error that says you can't have more than one basic provider.

Is it possible to have local login accounts as well as AD integrated logins?

You only need one basic authentication provider in Kibana, it will work for all the password based realms.
Kibana doesn't care which realm checks the user's password.

I've got a role mapping setup that matches any user to allow certain accesses. When I try to login with an account that should match that rule, I get a "username or password is incorrect" error. How can I troubleshoot that things are working properly?

I get a "username or password is incorrect" error.

If you get that error, then it has nothing to do with role mappings - it means the user cannot authenticate.
Either you do have an incorrect username or password, or your realm is misconfigured and cannot authenticate any users.

You need to check your Elasticsearch logs.

doh...I was expecting to find it in Kibana for some weird reason.

So it didn't like my LDAP filter, saying it was invalid.

(&(objectClass=user)(sAMAccountName=*)(!((UserAccountControl:1.2.840.113556.1.4.803:=2))))

When I remove the UserAccountControl part, I get the error LDAPException(resultCode=4 (size limit exceeded). We have approximately 5k user objects, probably about 4k of which would potentially need access. How do I make this work?

user_search.filter
Specifies the filter used to search the directory in attempts to match >an entry with the username provided by the user. Defaults to (uid={0}). {0} is substituted with the username provided when searching.

You need {0} rather than * .

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.