Shield and Active Directory Integration

security

(Thomas Stefl) #1

I currently have an ES instance running and have been trying to integrate Shield access with my company's AD. At this point in time, Shield currently authenticates any user in our AD domain.

My question is: is it possible to limit Shield access based on an AD group?

I have been trying different iterations of the group_search attribute (and others), however it does not seem to have an effect on who has access. (e.g. setting group_search base_dn to the full distinguished name of a "Developers" group, anyone in AD can still get through Shield.)

Just wondering if anyone has had any success or run into similar issues integrating into an existing AD realm.

Thanks,


(Mark Walkom) #2

user_search.base_dn is the one you are after. Maybe if you post your config we can help.


(Jay Modi) #3

What is your role mapping like? Role mapping is a way to limit access with Shield and Active Directory: users may be able to authenticate, but they will not be granted access to anything other than the '/' URI if they do not have any roles mapped. The roles are mapped based on group or user DN.

Also, as Mark said, you could limit the user search base DN to restrict authentication to just users in a specific tree, such as an Organizational Unit.

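The following is an added example of the two pieces of configuration the replies above refer to; it is not taken from the thread or from any poster's config. It shows a Shield Active Directory realm in elasticsearch.yml whose user_search.base_dn restricts which part of the directory can authenticate at all, and a role_mapping.yml that grants Shield roles only to members of specific AD groups (or to a single user DN). The realm name, domain, host, OU and group names, and the file path are placeholders to be replaced with your own values; the role names (admin, developer) are assumed to already be defined in Shield's roles.yml.

```yaml
# --- elasticsearch.yml (excerpt) ---
# Placeholder values throughout: domain, host, DNs and paths are assumptions.
shield:
  authc:
    realms:
      corp_ad:                          # realm name is arbitrary
        type: active_directory
        order: 0
        domain_name: example.com        # placeholder AD domain
        url: ldaps://ad.example.com:636 # placeholder; LDAPS so credentials are not sent in clear
        user_search:
          # Only accounts under this OU can be found, so only they can authenticate.
          base_dn: "ou=Engineering,dc=example,dc=com"
        group_search:
          # Where Shield looks up the groups a user belongs to. This does NOT
          # restrict who may authenticate; it only scopes the membership lookup
          # that feeds role mapping, which is why setting it to a single group's
          # DN does not block other users.
          base_dn: "ou=Groups,dc=example,dc=com"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"  # placeholder path
        # Groups that are not listed in role_mapping.yml grant nothing.
        unmapped_groups_as_roles: false

# --- role_mapping.yml ---
# Shield role name -> list of AD group DNs or user DNs that receive it.
# A user who authenticates but matches none of these DNs has no roles and
# therefore no access beyond the '/' URI.
admin:
  - "cn=ES Admins,ou=Groups,dc=example,dc=com"
developer:
  - "cn=Developers,ou=Groups,dc=example,dc=com"
  - "cn=Jane Example,ou=Engineering,dc=example,dc=com"   # a single user DN also works
```

With this in place there are two independent gates to check when auditing who can reach the cluster: whether the account lies under user_search.base_dn (can it authenticate at all), and whether one of its group DNs, or its own DN, appears in role_mapping.yml (does it get any role). Shield rereads role_mapping.yml on change, but a mistyped DN silently maps nobody, so after editing it confirm with a test account that a member of the group receives the role and a non-member does not.
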

(Thomas Stefl) #4

This was actually what I was missing. I must have either mistyped or incorrectly formatted my config. I have tried user search in the past with different results than I am getting now, so I'll have to look at what else I might have tinkered with since. Thank you very much for your assistance and quick reply.


(Thomas Stefl) #5

I have spent some time with role mapping to configure our RBAC for the system. Using the group DNs for specific maps is also a great idea. Thank you for the help.
