Roles in role_mapping.yml not assigned to AD user


(Willemdh) #1

Hello,

I'm trying to get Active Directory authentication working with X-Pack. In /etc/elasticsearch/x-pack/role_mapping.yml I have defined a user and assigned it the monitoring_user and kibana_user roles:

monitoring_user:
  - "cn=myuser,ou=Personal,ou=User,dc=my,dc=domain"
kibana_user:
  - "cn=myuser,ou=Personal,ou=Users,dc=my,dc=domain"

But when I log in to Kibana, I get the error "You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles."

So I added

logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

in /etc/elasticsearch/log4j2.properties

And tailing the log shows me:

[2017-05-11T16:29:08,033][DEBUG][o.e.x.s.a.e.ReservedRealm] [elk01] user not found in cache, proceeding with normal authentication
[2017-05-11T16:29:08,033][DEBUG][o.e.x.s.a.l.LdapRealm ] [elk01] authenticated user [myuser], with roles [[]]

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: my.domain
          url: ldap://dc01.my.domain:389, ldap://dc02.my.domain:389
          load_balance:
            type: "round_robin"
          unmapped_groups_as_roles: false
          user_search.filter: "(&(objectClass=user)(sAMAccountName={0}))"
          files:
            role_mapping: /etc/elasticsearch/x-pack/role_mapping.yml
        native1:
          type: native
          order: 1
        file:
          type: file
          order: 2

So is there anyone who has an idea why the roles are not assigned to myuser?

Thanks.

Willem


(Tim Vernum) #2

This log appears to have been from a case where the LdapRealm (AD) was using cached data (*), so it doesn't give us enough information to diagnose the problem.

Try clearing the cache for the active_directory realm and then try again. There should be more detailed logging which we can use to work out what's going on for you.

(*) The message from the ReservedRealm is a little misleading. Each realm maintains its own cache, so the fact that the user isn't cached in the ReservedRealm is totally normal, and doesn't tell us whether the LdapRealm had cached the user data.


(Willemdh) #3

Thanks for your answer. So I cleared the active_directory cache as you suggested.

POST /_xpack/security/realm/active_directory/_clear_cache?pretty

Then I logged in again while tailing the /var/log/elasticsearch/myclustername.log logfile

[2017-05-12T11:16:17,161][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,161][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,190][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [myclustername] group SID to DN [CN=MyUser Name,OU=myusernameou's] search filter: [(|(objectSid=S-1-5-32-545)(objectSid=S-1-5-21-171445296-392181855-1598175747-54962)(objectSid=S-1-5-21-171585296-392181855-1598175747-61874)(objectSid=S-1-5-21-171585296-392181855-1598144747-54704)(objectSid=S-1-5-21-171585296-392144855-1598175747-54828)(objectSid=S-1-5-21-171445296-392181855-1598175747-48304).....
[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myclustername] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin

Then follows a big list of all the groups I'm in.

[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myclustername] the roles [[]], are mapped from the user [CN=MyUser Name,OU=muusernameou's] for realm [active_directory/active_directory]
[2017-05-12T11:16:17,256][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myclustername] authenticated user [myusername], with roles [[]]
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myclustername] authenticated user [myusername], with roles [[]]
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myclustername] authenticated user [myusername], with roles [[]]

So myusername still has no roles mapped. Not sure how to proceed now.

Willem


(Tim Vernum) #4

The first step is to double check that the DN that is logged inside the [ ... ] is exactly the same as the DN in your role-mapping file. Since the files you've posted here have been redacted, I can't tell whether it's correct, but this is the number 1 source of issues with role mapping.
I just noticed that in the redacted version in your original post you have 2 different DNs listed:

  • cn=myuser,ou=Personal,ou=User,dc=my,dc=domain
  • cn=myuser,ou=Personal,ou=Users,dc=my,dc=domain

so it's an easy mistake to make.

The next thing to look for is a message printed when the node starts up that says something like:

[o.e.x.s.a.s.DnRoleMapper ] [myclustername] NNN role mappings found in file [/etc/elasticsearch/x-pack/role_mapping.yml] for realm [active_directory/active_directory]

If that exists it will confirm that your file is being read successfully. The count should be the number of distinct DNs in your role-mapping. So if you are mapping exactly 1 user, then it should be 1 even if that user has multiple roles.

If that log message doesn't exist, then it indicates that the role mapping is not being read. There may be some sort of warning message explaining why, but the details will depend on the version of Elasticsearch you are running, and the cause of the problem.
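
A worked version of the two checks suggested above (compare the DN that DnRoleMapper logs against the DNs in role_mapping.yml, and count the distinct DNs the "NNN role mappings found" startup message should report), run over a log line of the shape shown in post #3. This is an added example and not code from the thread or from X-Pack: the role_mapping.yml text and the log line below are constructed to match the redacted ones in the posts, the tiny YAML parser handles only that simple role-to-DN-list shape, and the DN normalization (lowercased attribute types and values, whitespace stripped, escaped commas kept) is an approximation of Active Directory's case-insensitive DN matching rather than X-Pack's own comparison code.

```python
import re

# Constructed role_mapping.yml content mirroring the (redacted) original post,
# including its ou=User / ou=Users discrepancy. Not the poster's real file.
ROLE_MAPPING_YML = """\
monitoring_user:
  - "cn=myuser,ou=Personal,ou=User,dc=my,dc=domain"
kibana_user:
  - "cn=myuser,ou=Personal,ou=Users,dc=my,dc=domain"
"""

# Constructed DnRoleMapper debug line in the shape shown in post #3.
LOG_LINE = (
    "[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node1] "
    "the roles [[]], are mapped from the user "
    "[CN=myuser,OU=Personal,OU=Users,DC=my,DC=domain] "
    "for realm [active_directory/active_directory]"
)

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def split_rdns(dn):
    """Split a DN into its RDN strings (escaped commas stay inside a value)."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn)]


def normalize_dn(dn):
    """Canonical form for comparison: lowercase attribute types and values,
    no whitespace around '=' or ','. AD compares DNs case-insensitively."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_role_mapping(text):
    """Minimal parser for the 'role:' followed by '- "dn"' list shape only."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and not raw.startswith((" ", "\t", "-")):
            role = line[:-1].strip()
            mapping[role] = []
        elif line.startswith("-") and role is not None:
            mapping[role].append(line[1:].strip().strip("\"'"))
    return mapping


def distinct_dns(mapping):
    """normalized DN -> set of roles; len() is the distinct-DN count that the
    'NNN role mappings found in file [...]' startup message should show."""
    by_dn = {}
    for role, dns in mapping.items():
        for dn in dns:
            by_dn.setdefault(normalize_dn(dn), set()).add(role)
    return by_dn


def extract_user_dn(line):
    """Pull the user DN out of a 'mapped from the user [...] for realm' line."""
    m = re.search(r"mapped from the user \[(.+?)\] for realm", line)
    return m.group(1) if m else None


def roles_for_dn(mapping, dn):
    """Roles the file would grant to exactly this DN (after normalization)."""
    return distinct_dns(mapping).get(normalize_dn(dn), set())


def near_misses(mapping, dn):
    """File DNs with the same RDN count that differ from `dn` in exactly one
    RDN: the typical typo (ou=User vs ou=Users). Returns
    (file_dn, sorted roles, (file_rdn, logged_rdn)) tuples."""
    target = split_rdns(normalize_dn(dn))
    hits = []
    for file_dn, roles in distinct_dns(mapping).items():
        rdns = split_rdns(file_dn)
        if len(rdns) == len(target):
            diffs = [(a, b) for a, b in zip(rdns, target) if a != b]
            if len(diffs) == 1:
                hits.append((file_dn, sorted(roles), diffs[0]))
    return hits


if __name__ == "__main__":
    mapping = parse_role_mapping(ROLE_MAPPING_YML)
    user_dn = extract_user_dn(LOG_LINE)
    print(f"{len(distinct_dns(mapping))} distinct DNs in role mapping")
    print(f"user DN from log: {user_dn}")
    print(f"roles for it:     {sorted(roles_for_dn(mapping, user_dn))}")
    for file_dn, roles, (have, want) in near_misses(mapping, user_dn):
        print(f"near miss: {file_dn} ({roles}) has {have!r}, log has {want!r}")
```

On the constructed input the script reports 2 distinct DNs (so a startup message of "1 role mappings found" would itself be a hint that the file is not what you think), grants only kibana_user to the logged DN, and flags the ou=User entry for monitoring_user as a one-RDN near miss, which is the combination that produces a "need both kibana_user and monitoring_user" message in Kibana. Replace the two constants with the real file contents and a real DnRoleMapper line to run the check against your own setup.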


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.