{"statusCode":403,"error":"Forbidden","message":"Forbidden"}to open kibana with AD authentication

I am trying to login kibana by using Active Directory users.I am done with settings in elasticsearch.yml file and I am able to login kibana page by using Ad users but it shows the {"statusCode":403,"error":"Forbidden","message":"Forbidden"} error but can't open the kibana page.
Here is my configuration file elasticsearch.yml

xpack:
security:
authc:
realms:
active_directory:
my_ad:
order: 1
domain_name: sgpltech.com
url: ldap://sgplad.sgpltech.com:389
user_search:
base_dn: "dc=sgpltech,dc=com"
group_search:
base_dn: "dc=sgpltech,dc=com"
files:
role_mapping: "/etc/elasticsearch-7.4.0/config/role_mapping.yml"

and my role_mapping.yml file is

user:

  • "cn=Users,dc=sgpltech,dc=com"
  • "cn=hr086,cn=hr082,ou=Users,ou=SGPL-Production,dc=sgpltech,dc=com"

Please help me to fix this issue.
Thank you

"cn=Users,dc=sgpltech,dc=com" is most probably an Organizational Unit in your AD and not a group . Our role mapping works with groups only so you need to figure out what AD Security group your users will be under and set the DN for that group here.

User DN: CN=glpi admin,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com
this is the user DN for AD here group is SGPL-Production but still it shows same error

I modified my role_mapping.file as below:

user:

  • "cn=Users,ou=SGPL-Production,dc=sgpltech,dc=com"
  • "CN=hr086,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com"

Is there any thing I need to change ?

your role mapping needs to match a group DN or a user DN .Neither of the ones you use are either a group DN or a user DN. You need to change that.

I tried but still no luck. Can you send one example please.

I tried but still no luck.

What exactly did you try and how exactly did it fail ?

Can you send one example please

I don't know what example to give you, I have no clue how your AD structure looks like, what are the DNs of your users and of the security groups you have.

For a user that you want to login with AD, you need to figure out

a) What their DN is in AD . i.e CN=somethinghere,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com

OR

b) The DN of a group they belong to ,i.e. CN=somegroupname,OU=Groups,OU=SGPL-Production,DC=sgpltech,DC=com

NOTE: both the above are examples, you can't use them as-is, you need to figure out the correct values from your AD.

Then you either need to set

user:
- "CN=somethinghere,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com"

so only that user gets the user role

or

user:
- "CN=somegroupname,OU=Groups,OU=SGPL-Production,DC=sgpltech,DC=com"

so that all users that belong in that group in AD get that role.

Also note that you need to define the user role and make sure this gives access to the indices you want it to give, and you haven't mentioned if you have done that yet .

I would urge you to read the documentation that relates to security, i.e. start from : https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html. The more you understand, the easier it will be for you to configure the environment in a secure way.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.