I have successfully added an AD realm to Elasticsearch and I'm able to log in to Kibana with an AD account, but I'm having trouble with the group mappings.
I have created a group in Kibana "its-admin" with all privileges. The same group is in AD and the user is a member of this group.
In `elasticsearch.yml`: `unmapped_groups_as_roles: true`
In `role_mapping.yml` (this is where I'm having trouble)
Not really sure what to put here. I have tried this, but it doesn't appear to work.
I assume you actually mean "role" here (not trying to be picky, just making sure I understand where you've gotten to)
You probably don't want or need this. It's useful in a few cases, but most of the time you're much better off using the role-mapping file. "unmapped_groups_as_roles" only comes into play if there's a reason why you can't keep your role mapping file updated when you add new groups in AD.
```
its-admin:
  - "cn=its-admin,dc=domain,dc=com"
```
That looks about right, but it obviously depends on exactly what you've set up in AD.
The simplest path for diagnosis is to turn on DEBUG logging for authentication and see how your roles are being resolved:
In the examples below I'm using curl with the `elastic` user. You can use a different user if you like (but they will need to have security management privileges) and/or the Kibana console.
1: Turn on logging:
2: [Clear the cache](https://www.elastic.co/guide/en/x-pack/current/security-api-clear-cache.html) for your AD realm
3: [Use the authenticate API](https://www.elastic.co/guide/en/x-pack/current/security-api-authenticate.html) to check what roles your user is being given.
4: If the results of the authenticate API aren't what you expect, check `elasticsearch.log` for diagnostics. Look for log messages relating to `DnRoleMapper`
Those log messages will tell you what groups were found in AD, and then what Elasticsearch roles they were mapped to. That will help determine whether the problem is in pulling the groups from AD, or in mapping the AD groups to ES roles.
If the steps above don't solve the problem, post the log messages here, and also include the realm configuration from your `elasticsearch.yml` file.
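As an added illustration (not part of the original thread and not Elasticsearch's own code), this simplified Python model shows the mapping step that the `DnRoleMapper` log messages describe: given the group DNs found in AD and a role mapping, it reports the resulting roles and the groups that matched nothing. The DN normalisation, the fallback to the group's first RDN value for `unmapped_groups_as_roles`, and the OU in the sample data are assumptions made for the example.

```python
def normalize_dn(dn):
    # Assumption: simple DNs without escaped commas. Compare case-insensitively
    # and ignore whitespace around "," and "=".
    rdns = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in rdns)

def parse_role_mapping(text):
    """Parse a role_mapping.yml layout: a 'role:' line followed by '- "dn"' items."""
    mapping, role = {}, None  # normalized DN -> set of role names
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            if role is None:
                raise ValueError(f"DN listed before any role: {raw!r}")
            dn = line[1:].strip().strip('"')
            mapping.setdefault(normalize_dn(dn), set()).add(role)
        elif line.endswith(":"):
            role = line[:-1].strip()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return mapping

def resolve_roles(group_dns, mapping, unmapped_groups_as_roles=False):
    """Return (roles, unmapped_groups) for the group DNs the realm found in AD.

    With unmapped_groups_as_roles, an unmapped group contributes its own name
    (the value of its first RDN) as a role name.
    """
    roles, unmapped = set(), []
    for dn in group_dns:
        key = normalize_dn(dn)
        if key in mapping:
            roles |= mapping[key]
        else:
            unmapped.append(dn)
            if unmapped_groups_as_roles:
                roles.add(dn.split(",")[0].partition("=")[2].strip())
    return roles, unmapped

# Constructed sample data; the OU in the second group DN is hypothetical.
ROLE_MAPPING = 'its-admin:\n  - "cn=its-admin,dc=domain,dc=com"\n'
MAPPING = parse_role_mapping(ROLE_MAPPING)
GROUP_AT_ROOT = ["CN=its-admin, DC=domain, DC=com"]
GROUP_IN_OU = ["CN=its-admin,OU=Groups,DC=domain,DC=com"]

if __name__ == "__main__":
    for groups in (GROUP_AT_ROOT, GROUP_IN_OU):
        print(groups, "->", resolve_roles(groups, MAPPING))
```

A group that sits in an OU has a different DN from the one in the mapping file, so it resolves to no roles unless the file lists its full DN.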
```
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "current license is non-compliant for [security]",
        "license.expired.feature" : "security"
      }
    ],
    "type" : "security_exception",
    "reason" : "current license is non-compliant for [security]",
    "license.expired.feature" : "security"
  },
  "status" : 403
}
```
So now I'm wondering if I need a special license for this to work.
Thanks for your help, but I just installed the basic license and now I'm back to anonymous login.
So it doesn't matter now, as we were not planning on purchasing the full license.
X-Pack is a licensed product. When you first install/start your cluster with X-Pack you are granted a 30 day trial license.
If you are happy to do your testing with a fresh, empty cluster, then you can simply point Elasticsearch at an empty data/ directory, and it will generate a new trial license (e.g. you can delete or rename your existing data directory). This is effectively the same as if you installed a new copy of Elasticsearch, but we don't make you go through the trouble of downloading, installing, configuring from scratch.
There's more info about our subscriptions on the website, and there's space to contact someone about getting a paid license or to discuss extending your trial period.