Setting up Active Directory Authentication Realm in 6.3

I have realm settings in my elasticsearch.yml; Elasticsearch is working without errors (so I think) as a single node.
I have the realms configured as follows:

xpack.security.authc.realms:
  realm1:
    type: native
    order: 0


  realm2:
    type: active_directory
    order: 1
    domain_name: domain.name
    url: ldaps://ad.ldap.server:636
    bind_dn: bind_dn, which works in another app.
    bind_password: thepassword
    ssl:
      certificate_authorities: [ "config/ldapcert/dhp-ldap-chain.pem" ]

(actual settings changed to protect the innocent)

I am unsure how to verify that an AD/LDAP login would work other than trying several things, and then the only error I get is "Oops! Error. Try again." Any help would be appreciated. We are so close to getting our Platinum support set up, so I hope that will be the savior I need.

Thank you for your time and patience.

Hi

You can try the _authenticate API, see here. For example, assuming you are testing on localhost and Elasticsearch is listening on 9200 (the default port), you can try:

curl -uUSERNAME -X GET "http://localhost:9200/_xpack/security/_authenticate"

where USERNAME should be the sAMAccountName of the AD user you want to authenticate as. You should be prompted for the password and upon entering it you would either get a successful response or you can use the output/log file to get a glimpse as to what failed.

A couple of things:

  • We deprecated bind_password in 6.3 in favor of secure_bind_password (see also here); you might want to change to this after the rest of your issues have been resolved.
  • You can enable debug logging to get more insights as to what fails by adding
    logger.authcldap.name = org.elasticsearch.xpack.security.authc.ldap
    logger.authcldap.level = debug
    
    in your log4j2.properties, or by setting a transient cluster setting with
    curl -H "Content-Type: application/json" -XPUT -uelastic 'http://localhost:9200/_cluster/settings' -d'
    {
      "transient" : {
          "logger.org.elasticsearch.xpack.security.authc.ldap" : "DEBUG"
       }
    }'
    
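The same check as the curl command above, written out so the result can be inspected in code. This is an added example, not code from this thread or from Elastic; it assumes the 6.x API path `/_xpack/security/_authenticate`, a node at `http://localhost:9200`, and that the login name is the user's sAMAccountName.

```python
"""Probe an Elasticsearch 6.x node through the _authenticate API.

Added example (not from the thread or from Elastic). Building the request,
sending it and interpreting the answer are separate functions so each step
can be checked on its own.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Any, Dict, Tuple

AUTHENTICATE_PATH = "/_xpack/security/_authenticate"  # 6.x path; 7.x moved to /_security


def build_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """Return a GET request carrying HTTP Basic credentials for the realm chain."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + AUTHENTICATE_PATH,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
        method="GET",
    )


def probe(base_url: str, username: str, password: str,
          timeout: float = 5.0) -> Tuple[int, Dict[str, Any]]:
    """Send the request; return (HTTP status, decoded JSON body or {}).

    Status 0 means the node could not be reached at all, which is a different
    problem from a realm rejecting the credentials (401).
    """
    req = build_request(base_url, username, password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8") or "{}")
    except urllib.error.HTTPError as err:  # 401/403 still carry a JSON body
        raw = err.read().decode("utf-8", errors="replace")
        try:
            body = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            body = {"raw": raw}
        return err.code, body
    except urllib.error.URLError as err:
        return 0, {"error": {"reason": f"connection failed: {err.reason}"}}


def explain(status: int, body: Dict[str, Any]) -> str:
    """Turn the status/body pair into the next debugging step."""
    if status == 200:
        roles = ", ".join(body.get("roles", [])) or "<no roles>"
        return f"authenticated as {body.get('username')} with roles: {roles}"
    if status == 401:
        reason = body.get("error", {}).get("reason", "no reason given")
        return ("every realm rejected the credentials (" + reason + "); enable DEBUG on "
                "org.elasticsearch.xpack.security.authc.ldap and read elasticsearch.log")
    if status == 403:
        return "credentials accepted but the user may not call this API"
    if status == 0:
        return "node unreachable: " + body.get("error", {}).get("reason", "")
    return f"unexpected HTTP {status}: {json.dumps(body)[:200]}"


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else input("sAMAccountName: ")
    print(explain(*probe("http://localhost:9200", user, getpass.getpass())))
```

Over plain http:// the AD password travels in cleartext exactly as it does with `curl -u`; once `xpack.security.http.ssl.enabled` is on, point `base_url` at https:// and, if the node uses a private CA, pass an `ssl.SSLContext` built with `load_verify_locations` to `urlopen` rather than disabling verification.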


I am trying to work through some of these commands. It looks like I cannot use localhost, and the direct IP gives this error:

$ curl -X GET "IPADDRESS:9200/_xpack"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

You are missing the -uUSERNAME part where you actually pass the username for authenticating.

Thank you - I was trying to execute a more basic command without a username. I am checking now to see if we even have the sAMAccountName property set up on our AD. If it is NOT, then I am assuming I will need to look at the LDAP authentication setup in X-Pack.

sAMAccountName property set up on our AD

This is not a property. It's an attribute in Active Directory and usually contains the username of a given user.

This is a good idea nevertheless. We will be here to assist, but you'd have to share a little more detail on how your AD is setup and the attributes that are available for your users.

I am trying to figure out the AD structure myself. I have a meeting with my security team soon to sort this out. Thanks.


Looks like I got it working. Now I just need to be able to add multiple LDAP servers. What is the correct format for the load_balance.type setting in the yml?

realm2:
  type: active_directory
  order: 1
  domain_name: somead.company.com
  load_balance.type:
    dns_round_robin:
      ldaps://machine1.somead.company.com:636
      ldaps://machine2.somead.company.com:636
      ldaps://machine3.somead.company.com:636
  bind_dn: CN=working_bind DN
  bind_password: password
  ssl:
    certificate_authorities: [ "path-to/cert.pem" ]

Sorry, the documentation isn't very clear here.

You want

realm2:
  type: active_directory
  order: 1
  url:
    - ldaps://machine1.somead.company.com:636
    - ldaps://machine2.somead.company.com:636
    - ldaps://machine3.somead.company.com:636
  load_balance.type: dns_round_robin
  # etc

I set this up, got an error, removed the "domain_name:" setting, restarted and still have an error.

progne@dhpxtlmd1:~$ sudo systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-08-14 07:22:55 CDT; 4min 12s ago
     Docs: http://www.elastic.co
  Process: 1155 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet (
 Main PID: 1155 (code=exited, status=1/FAILURE)

I can't seem to find a good mention of it in the Java or app logs, though.

You'll need to check the log file in /var/log/elasticsearch/

I'm not really noticing anything in that log; you meant elasticsearch.log, correct? I do see that resources are being allocated to ML, and I specifically have ML disabled in this Dev environment.

[2018-07-05T14:40:24,016][INFO ][o.e.t.TransportService   ] [FzZRGfk] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2018-07-05T14:40:27,102][INFO ][o.e.c.s.MasterService    ] [FzZRGfk] zen-disco-elected-as-master ([0] nodes joined)[, ], reason: new_master {FzZRGfk}{FzZRGfkPSWaCesnexez76Q}{6u1Ye9mdS0iiSb8I_Dyf4A}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=4124766208, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}

The address seems to be wrong too? I do not have anything (that I know of) set to localhost.

Ok, I can get it to work with

realm2:
  type: active_directory
  order: 1
  domain_name: some.ad.comany.com
  url:
    - ldaps://machine1.somead.company.com:636
    - ldaps://machine2.somead.company.com:636
    - ldaps://machine3.somead.company.com:636
  load_balance.type: dns_round_robin
  # etc

But there seems to be something wrong with the load_balance variable still.
I have tried

load_balance:
  type: dns_round_robin

AND

load_balance.type: dns_round_robin

Am I missing some detail? I have gone over the .yml protocol spacing a couple of times, but maybe there is some error?

Figured it out....
dns_round_robin did not work.
round_robin is what I wanted.
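A preflight check that catches the three things this thread tripped over before the node is restarted: the server list nested under load_balance.type instead of url, a dns_* balancing mode combined with several explicit URLs (the 6.x reference documents the dns_* modes as taking a single URL that resolves to several addresses, which is why only round_robin worked here), and the deprecated bind_password. This is an added example, not code from this thread or from Elastic. It works on the realm settings as a dict shaped like the parsed YAML (what yaml.safe_load returns for the realm2 block) plus the key names listed by elasticsearch-keystore; the bind_dn and keystore contents below are constructed samples.

```python
"""Preflight checks for an Elasticsearch 6.x active_directory realm.

Added example, not code from this thread or from Elastic. Input is the realm
block as a dict shaped like the parsed YAML plus the keystore key names.
"""
from typing import Any, Dict, Iterable, List

# Accepted values for load_balance.type in the 6.x LDAP/AD realm settings.
# The dns_* modes resolve ONE hostname to several addresses, so they take a
# single url; failover and round_robin are the modes for an explicit url list.
LOAD_BALANCE_TYPES = {"failover", "dns_failover", "round_robin", "dns_round_robin"}
SINGLE_URL_TYPES = {"dns_failover", "dns_round_robin"}


def flatten(settings: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Collapse nested maps and dotted keys into one dotted-key dict, because
    Elasticsearch reads `load_balance.type: x` and `load_balance: {type: x}` alike."""
    flat: Dict[str, Any] = {}
    for key, value in settings.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, full + "."))
        else:
            flat[full] = value
    return flat


def validate_ad_realm(name: str, settings: Dict[str, Any],
                      keystore_keys: Iterable[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    s, ks, out = flatten(settings), set(keystore_keys), []  # type: ignore[var-annotated]
    if s.get("type") != "active_directory":
        out.append(f"{name}: type must be active_directory, got {s.get('type')!r}")
    if not s.get("domain_name"):
        out.append(f"{name}: domain_name is required for an active_directory realm")

    urls = s.get("url", [])
    urls = [urls] if isinstance(urls, str) else list(urls)
    if not urls:
        # Without url, 6.x falls back to ldap://<domain_name>:389, so the
        # service account's password would cross the wire unencrypted.
        out.append(f"{name}: no url set; default is ldap://{s.get('domain_name')}:389 (cleartext)")
    for u in urls:
        if not isinstance(u, str) or not u.startswith(("ldap://", "ldaps://")):
            out.append(f"{name}: url entry {u!r} is not an ldap:// or ldaps:// URL")
        elif u.startswith("ldap://"):
            out.append(f"{name}: {u} sends the bind password unencrypted; prefer ldaps://")

    nested = [k for k in s if k.startswith("load_balance.type.")]
    if nested:
        out.append(f"{name}: load_balance.type must be a plain value; the server URLs "
                   f"belong under url, not under {nested[0]}")
    lb = s.get("load_balance.type", "failover")  # failover is the ES default
    if not isinstance(lb, str) or lb not in LOAD_BALANCE_TYPES:
        out.append(f"{name}: load_balance.type {lb!r} is not one of {sorted(LOAD_BALANCE_TYPES)}")
    elif lb in SINGLE_URL_TYPES and len(urls) > 1:
        out.append(f"{name}: {lb} expects a single DNS name that resolves to several "
                   f"addresses; for {len(urls)} explicit urls use round_robin or failover")

    secure_key = f"xpack.security.authc.realms.{name}.secure_bind_password"
    if "bind_password" in s:
        out.append(f"{name}: bind_password is deprecated since 6.3; move it to the "
                   f"keystore as {secure_key}")
    if s.get("bind_dn") and "bind_password" not in s and secure_key not in ks:
        out.append(f"{name}: bind_dn set but no bind password in the YAML or the keystore")
    if s.get("ssl.verification_mode") == "none":
        out.append(f"{name}: ssl.verification_mode none disables certificate checks; use full")
    return out


# Constructed sample: the thread's first multi-server attempt as YAML parses it
# (the three bare URL lines fold into one scalar under the misplaced key).
BROKEN = {
    "type": "active_directory", "order": 1, "domain_name": "somead.company.com",
    "load_balance.type": {"dns_round_robin": "ldaps://machine1.somead.company.com:636 "
                          "ldaps://machine2.somead.company.com:636 "
                          "ldaps://machine3.somead.company.com:636"},
    "bind_dn": "CN=svc-elastic,OU=Service Accounts,DC=somead,DC=company,DC=com",  # hypothetical
    "bind_password": "password",
    "ssl": {"certificate_authorities": ["path-to/cert.pem"]},
}
# Constructed sample: the shape that finally worked, password moved to the
# keystore, written with the nested load_balance form to exercise flatten().
FIXED = {
    "type": "active_directory", "order": 1, "domain_name": "somead.company.com",
    "url": ["ldaps://machine1.somead.company.com:636",
            "ldaps://machine2.somead.company.com:636",
            "ldaps://machine3.somead.company.com:636"],
    "load_balance": {"type": "round_robin"},
    "bind_dn": "CN=svc-elastic,OU=Service Accounts,DC=somead,DC=company,DC=com",  # hypothetical
    "ssl": {"certificate_authorities": ["path-to/cert.pem"]},
}
KEYSTORE = ["xpack.security.authc.realms.realm2.secure_bind_password"]  # constructed
```

Running `validate_ad_realm("realm2", BROKEN, KEYSTORE)` reports the missing url, the misplaced load_balance.type and the deprecated bind_password; the FIXED block passes only because the keystore list contains the realm's secure_bind_password key, which is what `bin/elasticsearch-keystore add xpack.security.authc.realms.realm2.secure_bind_password` creates.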

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.