SOLVED: ES using AD Authentication crashes when logged in through Kibana

Hi,

I'm experiencing an interesting issue: I have configured both native and Active Directory authentication for Elasticsearch. I can log in to Kibana with both an AD user and a native user, and can view all data in all indexes with my two users. When I choose to open a dashboard, however, the native user works fine but the AD user causes the Elasticsearch process to hang, and it must be forcibly killed. I cannot connect to port 9200 and obviously Kibana does not pull out any data.

I have increased Heap memory to 2GB, but I can't work out why native user would behave as expected... Any help would be appreciated!

elasticsearch.yml details below (I have masked some company specific data):

network.host: 0.0.0.0
xpack:
  security:
    authc:
      realms:
        native1:
          type: native
          order: 0
        active_directory:
          type: active_directory
          order: 1
          domain_name: .
          url: ldaps://..*:636
          unmapped_groups_as_roles: true
          ssl:
            certificate_authorities: E:\Logstash\elasticsearch\config\x-pack*.pem

EDIT: While writing this I found the problem: The setting unmapped_groups_as_roles: true in the elasticsearch.yml caused the problem. I don't know why this happened, but after setting it to false, everything works like expected.

This is the same issue as found by another user - I promise I searched for the issue in existing topics, but it was typical that I found another thread 30 mins after posting my own (I even stole his edit - apologies and credit to nick.e, "Performance Issues and timeouts with Elasticsearch").

Nice to hear that you also could solve the problem.

Seems like this is a general problem which should be fixed somehow, because in some cases the unmapped_groups_as_roles parameter is useful.
Or maybe we're just using it wrong, I'm not sure.

Hi Nick

I think the difficulty is that the standard advice in the documentation is to set the value to "true". Nonetheless, thank you for solving my issue, everything is working nicely now, although it would be good to assign roles to AD users through the API as opposed to a mapping file...
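For readers landing on this thread, the working setup it arrives at, shown as an added example that is not taken from any of the posts: the realm with `unmapped_groups_as_roles: false` plus the role mapping file mentioned above. The group DNs and the `dashboards_read` role are constructed placeholders, and the masked values are kept as posted.

```yaml
# --- elasticsearch.yml (realm section only) ---
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 1
          domain_name: .            # masked in the original post
          url: ldaps://..*:636      # masked in the original post
          # With "true", every AD group name that has no explicit mapping
          # is handed to the user as a role name. With "false", only the
          # groups listed in the mapping file grant roles.
          unmapped_groups_as_roles: false

# --- role_mapping.yml (separate file) ---
# Format: role name, then the DNs of the AD groups (or users) that get it.
# The DNs below are constructed placeholders; use your directory's DNs.
kibana_user:
  - "CN=Kibana Users,OU=Groups,DC=example,DC=com"
dashboards_read:                    # hypothetical custom role, must already exist
  - "CN=Ops Dashboards,OU=Groups,DC=example,DC=com"
```

An AD user who belongs to none of the listed groups still authenticates but receives no roles, so check the mappings with a test account before relying on them.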
