Trouble with AD group mappings

I have successfully added an AD realm to Elasticsearch and I'm able to log in to Kibana with an AD account, but I'm having trouble with the group mappings.

I have created a group in Kibana, "its-admin", with all privileges. The same group is in AD and the user is a member of this group.

In `elasticsearch.yml`: `unmapped_groups_as_roles: true`

In `role_mapping.yml` (this is where I'm having trouble), I'm not really sure what to put. I have tried this, but it doesn't appear to work:

```yaml
its-admin:
  - "cn=its-admin,dc=domain,dc=com"
```

Not sure what I'm doing wrong.

I assume you actually mean "role" here (not trying to be picky, just making sure I understand where you've gotten to).

You probably don't want or need this. It's useful in a few cases, but most of the time you're much better off using the role-mapping file. `unmapped_groups_as_roles` only comes into play if there's a reason why you can't keep your role mapping file updated when you add new groups in AD.

> ```yaml
> its-admin:
>   - "cn=its-admin,dc=domain,dc=com"
> ```

That looks about right, but it obviously depends on exactly what you've set up in AD.

The simplest path for diagnosis is to turn on DEBUG logging for authentication and see how your roles are being resolved:

In the examples below I'm using curl with the `elastic` user. You can use a different user if you like (but they will need to have security management privileges) and/or the Kibana console.

1: Turn on logging:

```sh
curl -XPUT -uelastic 'localhost:9200/_cluster/settings' -d'
{
  "transient" : {
    "logger.org.elasticsearch.xpack.security.authc" : "DEBUG"
  }
}'
```

2: [Clear the cache](https://www.elastic.co/guide/en/x-pack/current/security-api-clear-cache.html) for your AD realm.

3: [Use the authenticate API](https://www.elastic.co/guide/en/x-pack/current/security-api-authenticate.html) to check what roles your user is being given.

4: If the results of the authenticate API aren't what you expect, check `elasticsearch.log` for diagnostics. Look for log messages relating to `DnRoleMapper`.
Those log messages will tell you what groups were found in AD, and then what Elasticsearch roles they were mapped to. That will help determine whether the problem is in pulling the groups from AD, or in mapping the AD groups to ES roles.

If the steps above don't solve the problem, post the log messages here, and also include the realm configuration from your `elasticsearch.yml` file.
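The "which groups came back from AD, and which roles did they map to" question in step 4 can also be checked offline against the mapping file. The following is an added example, not code from this thread or from Elasticsearch: it parses a `role_mapping.yml` of the shape shown above and resolves roles the way `DnRoleMapper` does, in simplified form. The file contents, role names, user DN and group DNs are all constructed, and the DN normalisation (lower-casing and trimming each component) is a simplification of real LDAP DN normalisation.

```python
import re

# Constructed sample file (not from the thread); same shape as role_mapping.yml.
ROLE_MAPPING_YML = """\
its-admin:
  - "cn=its-admin,dc=domain,dc=com"
kibana_user:
  - "CN=All Staff, OU=Groups, DC=domain, DC=com"
"""

def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN (simplified; ignores escaped commas and aliases)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_role_mapping(text: str) -> dict:
    """Parse the 'role:' / '  - "dn"' YAML subset used by role_mapping.yml."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t", "-")):          # a role name at column 0
            role = line.rstrip(":").strip()
            mapping[role] = []
            continue
        m = re.match(r'\s*-\s*"?([^"]+?)"?\s*$', line)       # a list entry holding one DN
        if m is None or role is None:
            raise ValueError(f"unparseable line: {raw!r}")
        mapping[role].append(normalize_dn(m.group(1)))
    return mapping

def resolve_roles(mapping: dict, user_dn: str, group_dns: list) -> set:
    """Roles whose DN list contains the user's own DN or one of the user's group DNs."""
    candidates = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return {role for role, dns in mapping.items() if candidates & set(dns)}

def unmapped_groups(mapping: dict, group_dns: list) -> list:
    """Group DNs from AD that match no entry in the file: the usual cause of 'no roles'."""
    known = {dn for dns in mapping.values() for dn in dns}
    return [g for g in group_dns if normalize_dn(g) not in known]

if __name__ == "__main__":
    mapping = parse_role_mapping(ROLE_MAPPING_YML)
    user = "CN=J Smith,OU=Users,DC=domain,DC=com"                 # constructed
    # Case 1: AD returns the group DN exactly as written in the file -> role granted.
    print(resolve_roles(mapping, user, ["CN=its-admin,DC=domain,DC=com"]))
    # Case 2: the real group lives under an OU the file does not mention -> no roles.
    groups = ["CN=its-admin,OU=Groups,DC=domain,DC=com"]
    print(resolve_roles(mapping, user, groups), unmapped_groups(mapping, groups))
```

Feeding in the group DNs that the `DnRoleMapper` debug messages report for the user shows immediately whether the file entry differs from what AD actually returns.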

Yes, I did mean role in Kibana.

```yaml
its-admin:
  - "cn=its-admin,dc=domain,dc=com"
```

That is what is in the `role_mapping.yml` file. There is nothing else in the file.

I also tried a couple of the troubleshooting tools like the

```sh
curl -XGET -u elastic 'localhost:9200/_xpack/security/_authenticate?pretty'
```

but I get

```json
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "current license is non-compliant for [security]",
        "license.expired.feature" : "security"
      }
    ],
    "type" : "security_exception",
    "reason" : "current license is non-compliant for [security]",
    "license.expired.feature" : "security"
  },
  "status" : 403
}
```

So now I'm wondering if I need a special license for this to work.

Thanks for your help, but I just installed the basic license and now I'm back to anonymous login.
So it doesn't matter now, as we were not planning on purchasing the full license.

Thanks again.

X-Pack is a licensed product. When you first install/start your cluster with X-Pack you are granted a 30 day trial license.

If you are happy to do your testing with a fresh, empty cluster, then you can simply point Elasticsearch at an empty data/ directory, and it will generate a new trial license (e.g. you can delete or rename your existing data directory). This is effectively the same as if you installed a new copy of Elasticsearch, but we don't make you go through the trouble of downloading, installing, configuring from scratch.

There's more info about our subscriptions on the website, and there's space to contact someone about getting a paid license or to discuss extending your trial period.
