{"statusCode":403,"error":"Forbidden","message":"Forbidden"} when opening Kibana with AD authentication

I am trying to log in to Kibana using Active Directory users. I am done with the settings in the elasticsearch.yml file and I am able to reach the Kibana login page using AD users, but after logging in it shows the {"statusCode":403,"error":"Forbidden","message":"Forbidden"} error and I can't open the Kibana page.
Here is my configuration file elasticsearch.yml:

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 1
            domain_name: sgpltech.com
            url: ldap://sgplad.sgpltech.com:389
            user_search:
              base_dn: "dc=sgpltech,dc=com"
            group_search:
              base_dn: "dc=sgpltech,dc=com"
            files:
              role_mapping: "/etc/elasticsearch-7.4.0/config/role_mapping.yml"

and my role_mapping.yml file is:

user:
- "cn=Users,dc=sgpltech,dc=com"
- "cn=hr086,cn=hr082,ou=Users,ou=SGPL-Production,dc=sgpltech,dc=com"

Please help me to fix this issue.
Thank you.

"cn=Users,dc=sgpltech,dc=com" is most probably an Organizational Unit in your AD and not a group. Our role mapping works with groups only, so you need to figure out what AD security group your users will be under and set the DN for that group here.

User DN: CN=glpi admin,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com
This is the user DN in AD; here the group is SGPL-Production, but it still shows the same error.

I modified my role_mapping.yml file as below:

user:
- "cn=Users,ou=SGPL-Production,dc=sgpltech,dc=com"
- "CN=hr086,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com"

Is there anything I need to change?

Your role mapping needs to match a group DN or a user DN. Neither of the ones you use is a group DN or a user DN. You need to change that.

I tried, but still no luck. Can you send one example, please?

I tried, but still no luck.

What exactly did you try, and how exactly did it fail?

Can you send one example, please?

I don't know what example to give you; I have no clue what your AD structure looks like, what the DNs of your users are, or what security groups you have.

For a user that you want to log in with AD, you need to figure out

a) What their DN is in AD, i.e. CN=somethinghere,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com

OR

b) The DN of a group they belong to, i.e. CN=somegroupname,OU=Groups,OU=SGPL-Production,DC=sgpltech,DC=com

NOTE: both of the above are examples; you can't use them as-is, you need to figure out the correct values from your AD.

Then you either need to set

user:
- "CN=somethinghere,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com"

so that only that user gets the user role,

or

user:
- "CN=somegroupname,OU=Groups,OU=SGPL-Production,DC=sgpltech,DC=com"

so that all users that belong to that group in AD get that role.

Also note that you need to define the user role and make sure it gives access to the indices you want it to, and you haven't mentioned whether you have done that yet.

I would urge you to read the documentation that relates to security, i.e. start from: Secure the Elastic Stack | Elasticsearch Guide [8.11] | Elastic. The more you understand, the easier it will be for you to configure the environment in a secure way.
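As an added example (not code from the thread or from Elastic), the following script checks the DN entries of a role_mapping.yml for the structural mistakes seen above: a DN with several CN RDNs glued together (two users in one entry) and the domain's default CN=Users container used as if it were a security group. It only reasons about DN shape and cannot confirm that an object exists in AD; the sample mapping is constructed from the thread's first file.

```python
"""Sanity-check DN entries in an Elasticsearch role_mapping.yml (added example).

Every item under a role must be the DN of exactly one user or one AD group.
This flags entries whose shape makes that impossible.
"""
import re

# One RDN: "attr=value" (no escaped commas expected in these DNs).
RDN_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")


def parse_dn(dn):
    """Split a DN into [(ATTR, value), ...], leftmost (leaf) RDN first."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part)
        if not m:
            raise ValueError(f"bad RDN {part!r} in {dn!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def check_dn(dn):
    """Return a list of problems for one mapping DN; an empty list means plausible."""
    problems = []
    rdns = parse_dn(dn)
    cns = [v for a, v in rdns if a == "CN"]
    if not cns:
        problems.append("no CN: this is an OU/container path, not a user or group")
    if len(cns) > 1:
        problems.append("more than one CN: several objects glued into one DN; use one DN per list item")
    # "CN=Users" directly under the DC components is the domain's default container.
    if rdns[0][0] == "CN" and rdns[0][1].lower() == "users" and all(a == "DC" for a, _ in rdns[1:]):
        problems.append("CN=Users directly under the domain is the default container, not a security group")
    return problems


def check_role_mapping(mapping):
    """mapping: {role: [dn, ...]} as loaded from role_mapping.yml -> {bad_dn: [problems]}."""
    return {dn: check_dn(dn) for dns in mapping.values() for dn in dns if check_dn(dn)}


# Constructed sample mirroring the thread's first role_mapping.yml plus one well-formed user DN.
SAMPLE = {"user": ["cn=Users,dc=sgpltech,dc=com",
                   "cn=hr086,cn=hr082,ou=Users,ou=SGPL-Production,dc=sgpltech,dc=com",
                   "CN=hr086,OU=Users,OU=SGPL-Production,DC=sgpltech,DC=com"]}

if __name__ == "__main__":
    for bad_dn, probs in check_role_mapping(SAMPLE).items():
        print(bad_dn, "->", "; ".join(probs))
```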
