Setting up Active Directory Authentication Realm in 6.3

bigdamhero · August 13, 2018, 12:18pm

I have realm settings in my elasticsearch.yml, elasticsearch is working without errors (so I think) as a single node.
I have the realms configured as follows:

xpack.security.authc.realms:
  realm1:
    type: native
    order: 0


  realm2:
    type: active_directory
    order: 1
    domain_name: domain.name
    url: ldaps://ad.ldap.server:636
    bind_dn: bind_dn, which works in another app.
    bind_password: thepassword
    ssl:
      certificate_authorities: [ "config/ldapcert/dhp-ldap-chain.pem" ]

: actual settings changed to protect the innocent

I am unsure how to verify that an ad/ldap login would work other than trying several things and then the only error I get is "Oops! Error. Try again." Any help would be appreciated. We are so close to getting our Platinum support set up, so I hope that will be the savior I need.

Thank you for your time and patience.

ikakavas · August 13, 2018, 12:44pm

Hi

You can try the _authenticate API , see here. For example, assuming you are testing on localhost and Elasticsearch is listening on 9200 (default port) you can try :

curl -uUSERNAME -X GET "http://localhost:9200/_xpack/security/_authenticate"

where USERNAME should be the sAMAccountName of the AD user you want to authenticate as. You should be prompted for the password and upon entering it you would either get a successful response or you can use the output/log file to get a glimpse as to what failed.

A couple of things:

We deprecated bind_password in 6.3 in favor of secure_bind_password ( see also here ), you might want to change to this after the rest of your issues have been resolved.

You can enable debug logging to get more insights as to what fails by adding

logger.authcldap.name = org.elasticsearch.xpack.security.authc.ldap
logger.authcldap.level = debug

in your log4j2.properties or setting a transient cluster setting with

curl -H "Content-Type: application/json" -XPUT -uelastic 'http://localhost:9200/_cluster/settings' -d'
{
  "transient" : {
      "logger.org.elasticsearch.xpack.security.authc.ldap" : "DEBUG"
   }
}'

bigdamhero · August 13, 2018, 1:00pm

bigdamhero · August 13, 2018, 1:18pm

I am trying to work through some of these commands. It looks like I cannot use localhost and the direct IP gives this error
:~$ curl -X GET "IPADDRESS:9200/_xpack"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_xpack]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}user@server1:~$

ikakavas · August 13, 2018, 1:26pm

You are missing the -uUSERNAME part where you actually pass the username for authenticating.

bigdamhero · August 13, 2018, 3:06pm

Thank you - I was trying to execute a more basic command without a username. I am checking now to see if we even have the sAMAccountName property set up on our AD. If that is NOT, then I am assuming I will need to look at the LDAP authentication setup in X-Pack.

ikakavas · August 13, 2018, 3:11pm

sAMAccountName property set up on our AD

This is not a property. It's an attribute in Active Directory and usually contains the username of a given user.

This is a good idea nevertheless. We will be here to assist, but you'd have to share a little more detail on how your AD is setup and the attributes that are available for your users.

bigdamhero · August 13, 2018, 3:14pm

I am trying to figure out the AD structure myself. I have a meeting with my security team soon to sort this out. Thanks.

bigdamhero · August 13, 2018, 6:23pm

Looks like I got it working. Now I just need to be able to add multiple LDAP Servers. What is the correct format for the load_ballance.type setting in the yml.

realm2:
type: active_directory
order: 1
domain_name: somead.company.com
load_balance.type:
dns_round_robin:
ldaps://machine1.somead.company.com:636
ldaps://machine2.somead.company.com:636
ldaps://machine3.somead.company.com:636
bind_dn: CN=working_bind DN
bind_password: password
ssl:
certificate_authorities: [ "path-to/cert.pem" ]

TimV · August 14, 2018, 3:51am

Sorry, the documentation isn't very clear here.

You want

realm2:
  type: active_directory
  order: 1
  url:
    - ldaps://machine1.somead.company.com:636
    - ldaps://machine2.somead.company.com:636
    - ldaps://machine3.somead.company.com:636
  load_balance.type: dns_round_robin
  # etc

bigdamhero · August 14, 2018, 12:35pm

I set this up, got an error, removed the "domain name:" setting. restarted and still have an error.

progne@dhpxtlmd1:~$ sudo systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2018-08-14 07:22:55 CDT; 4min 12s ago
Docs: http://www.elastic.co
Process: 1155 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet (
Main PID: 1155 (code=exited, status=1/FAILURE)

I cant seem to find a good mention of it in the java or app logs tho.

TimV · August 14, 2018, 1:05pm

You'll need to check the log file in /var/log/elasticsearch/

bigdamhero · August 14, 2018, 5:00pm

I'm not really noticing anything in that log, you meant the elasticsearch.log correct? I do see that resources are allocating to ML and I specifically have ML disabled in this Dev environment.

bigdamhero · August 14, 2018, 5:02pm

[2018-07-05T14:40:24,016][INFO ][o.e.t.TransportService   ] [FzZRGfk] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2018-07-05T14:40:27,102][INFO ][o.e.c.s.MasterService    ] [FzZRGfk] zen-disco-elected-as-master ([0] nodes joined)[, ], reason: new_master {FzZRGfk}{FzZRGfkPSWaCesnexez76Q}{6u1Ye9mdS0iiSb8I_Dyf4A}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=4124766208, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}

The address seems to be wrong too? I do not have anything (that I know of) set to localhost.

bigdamhero · August 14, 2018, 7:29pm

Ok I can get it to work with

realm2:
type: active_directory
order: 1
domain_name: some.ad.comany.com
url:
- ldaps://machine1.somead.company.com:636

- ldaps://machine2.somead.company.com:636

- ldaps://machine3.somead.company.com:636

load_balance.type: dns_round_robin

etc

But there seems to be something wrong with the load_ballance variable still.
I have tried
load_balance:
type: dns_round_robin

AND
load_balance.type: dns_round_robin

Am I missing some detail? I have gone over the .yml protocol spacing a couple of times but maybe some error?

bigdamhero · August 14, 2018, 7:54pm

Figured it out....
dns_round_robin did not work.
round_robin is what I wanted.

system · September 11, 2018, 7:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fail to configure Xpack AD Realms Elasticsearch elastic-stack-security	16	1642	June 7, 2020
Enabling LDAP and authentication isssue Elasticsearch elastic-stack-security	13	3295	April 15, 2019
Active Directory Realm Authentication Issue Elasticsearch	2	881	March 15, 2018
Can't get AD ldap to work Elasticsearch elastic-stack-security	10	2119	October 19, 2020
Failing to connect X-pack to AD LDS (ldap) Elasticsearch	7	2590	January 8, 2018

Setting up Active Directory Authentication Realm in 6.3

- ldaps://machine2.somead.company.com:636

- ldaps://machine3.somead.company.com:636

load_balance.type: dns_round_robin

etc

Related Topics