Troubles with active directory user authentication

I have a trial-licensed Elasticsearch node, and I want to integrate it with Active Directory authentication.
Here's a snippet from my elasticsearch.yml file:

xpack:
  security:
    enabled: true
    transport:
      ssl:
        enabled: true
    authc:
      realms:
        active_directory:
          my_ad:
            order: 1
            domain_name: ad-1dc.com
            url: ldaps://ad-1dc.com:389, ldaps://ad-2dc.com:389, ldaps://ad-3dc.com:389
            ssl:
              certificate_authorities: ["/etc/elasticsearch/certnew.pem"]
            user_search:
              base_dn: "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"
            group_search:
              base_dn: "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            load_balance:
              type: "round_robin"

but when I log in to Kibana using AD credentials, this error appears:

[2021-10-27T12:33:21,584][WARN ][o.e.x.s.a.AuthenticationService] [elastic-01] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ad-1dc.com:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-1dc.com:389' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

P.S. I imported the root CA /etc/Elasticsearch/certnew.pem into the OS trusted certificates.

What is this certificate (certnew.pem)? How does it relate to your Active Directory servers?

This is the root certificate from our Active Directory.

I disabled SSL and security and commented out the ssl block:

xpack:
  security:
    enabled: false
    transport:
      ssl:
        enabled: false
    authc:
      realms:
        active_directory:
          my_ad:
            order: 1
            domain_name: ad-1dc.com
            url: ldaps://ad-1dc.com:389, ldaps://ad-2dc.com:389, ldaps://ad-3dc.com:389
#            ssl:
#              certificate_authorities: ["/etc/elasticsearch/certnew.pem"]
            user_search:
              base_dn: "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"
            group_search:
              base_dn: "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"
            load_balance:
              type: "round_robin"

then restarted Elasticsearch, but the logs are now empty and Kibana says that

That doesn't disable SSL.

All of your URLs are ldaps so they are still using SSL.

There are many possible causes for authentication failures in the Active Directory realm.
The most common are:

  1. Failure to connect to AD. If this is the case, then you should see a clear log message as you did in your first post
  2. Unlicensed realm. If you are running on a basic license, then AD will not work. The logs will indicate that the realm has been skipped due to licensing, but it can be easy to miss.
  3. Incorrect bind user/password. The AD realm can be configured with a shared bind_dn and password so that it can support looking up users indirectly (e.g. to support the ES "run as" feature, or "authorization_realms"). If this username or password is incorrect, all authentication will fail, even if users enter the correct password. This does not seem to be the case here, as you are not using bind_dn.
  4. Incorrect user password. This is the obvious one, but it's often true.
  5. Incorrect username or username format. Active Directory has a complex model of "username". There are different forms of username such as DOMAIN\username and username@domain.com as well as just username, and there are 2 different concepts of username: userPrincipalName and sAMAccountName. Given that complexity, sometimes authentication can fail because the username is incorrect due to not matching one of the expected formats, or being entered in an incorrect way.
  6. Incorrect domain name. This is really a special case of (5). The domain name of the AD server is used when authenticating with a userPrincipalName and must match the domain that is used in the user records.

I suspect (6) might apply here.

You have

            domain_name: ad-1dc.com

which looks like a hostname, not a Windows domain name. I suspect your domain name should be rogaikopita.com since that is what is used in your base_dn.
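The two points made above (an ldaps:// URL keeps using TLS whatever transport.ssl says, and domain_name must be the Windows domain rather than a host) can be checked offline before restarting a node. The script below is an added example, not Elastic's code or a file from this thread; the REALM dict is constructed from the first post's elasticsearch.yml, and the extra checks (LDAPS conventionally listens on 636, not 389; a search base is normally an OU or the domain root rather than a cn= group object) are the reviewer's additions, not claims from the thread.

```python
"""Added example (not Elastic's code): offline sanity checks for an
Elasticsearch Active Directory realm, covering the two points raised in
this thread (an ldaps:// URL is still TLS, and domain_name must be the
Windows domain) plus the port and search-base checks a reviewer would add.
The REALM dict is constructed from the first post's elasticsearch.yml."""
from urllib.parse import urlsplit

# Constructed from the thread: xpack.security.authc.realms.active_directory.my_ad
REALM = {
    "domain_name": "ad-1dc.com",
    "url": "ldaps://ad-1dc.com:389, ldaps://ad-2dc.com:389, ldaps://ad-3dc.com:389",
    "user_search": {"base_dn": "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"},
    "group_search": {"base_dn": "CN=elastic_group,OU=IT,DC=rogaikopita,DC=com"},
}


def domain_from_base_dn(base_dn):
    """Join the dc= components of a DN into a DNS-style domain name."""
    parts = [p.strip() for p in base_dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def uses_tls(realm):
    """True if every configured URL is ldaps:// (disabling transport SSL changes nothing here)."""
    return all(urlsplit(u.strip()).scheme == "ldaps" for u in realm["url"].split(","))


def check_realm(realm):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # Point (6) in the thread: domain_name should be the Windows domain, which
    # normally equals the dc= components of the search base.
    expected = domain_from_base_dn(realm["user_search"]["base_dn"])
    if realm["domain_name"].lower() != expected:
        findings.append(f"domain_name '{realm['domain_name']}' is not the domain of base_dn ({expected})")
    for raw in realm["url"].split(","):
        u = urlsplit(raw.strip())
        # Reviewer's addition: LDAPS is conventionally port 636; ldap:// is cleartext.
        if u.scheme == "ldaps" and u.port == 389:
            findings.append(f"{raw.strip()}: ldaps:// on 389 (LDAPS conventionally listens on 636)")
        elif u.scheme == "ldap":
            findings.append(f"{raw.strip()}: cleartext ldap://, simple binds send the password unencrypted")
    # Reviewer's addition: a search base should be a container, not a group object.
    for key in ("user_search", "group_search"):
        leaf = realm[key]["base_dn"].split(",")[0].strip().lower()
        if leaf.startswith("cn="):
            findings.append(f"{key}.base_dn names a cn= object; a search base is normally an OU or the domain root")
    return findings


if __name__ == "__main__":
    print("all URLs use TLS:", uses_tls(REALM))
    for finding in check_realm(REALM):
        print("-", finding)
```

Run against the first post's settings it reports six findings (the domain_name mismatch, the three ldaps:// URLs on 389, and both cn= search bases); against a realm with domain_name rogaikopita.com, an ldaps://...:636 URL and dc=rogaikopita,dc=com as the search base it reports none.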

Thanks a lot! I got it to work using this config file:

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: ad-1dc.com
            url: ldap://ad-1dc.com:389
            user_search:
              base_dn: "dc=rogaikopita,dc=com"
            group_search:
              base_dn: "dc=rogaikopita,dc=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

but now I have a different problem. Here's my role_mapping.yml file:

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

superuser:
  - "dc=rogaikopita,dc=com"
#user:
#  - "cn=devops,ou=it,dc=rogaikopita,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"

So as you can see in the role_mapping.yml file, I have a superuser group mapped to dc=rogaikopita,dc=com, but if I log in to Kibana using my AD account it doesn't work.

The role mapping file only supports full Distinguished Names of users or groups. But dc=rogaikopita,dc=com (probably) isn't either of those - it's a tree.

You can use the role mapping API to match on a sub-tree, there's an example of that in the docs, but you can't do it via role mapping files.

What exactly are you trying to achieve here? Which set of users are supposed to get the superuser role?
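The rule stated above (the file accepts full user or group DNs only; a sub-tree match needs the role mapping API) can be enforced with a small check. The script below is an added example, not Elastic's code or part of this thread: it parses the simple shape of role_mapping.yml (a constructed copy of the thread's file is embedded), flags entries whose leaf RDN is dc= or ou= rather than cn=/uid=, and builds the request body for PUT /_security/role_mapping/<name> using the "*,<base_dn>" wildcard form that the role mapping API documentation uses for sub-tree matches.

```python
"""Added example (not Elastic's code): validate a role_mapping.yml against
the rule stated in this thread (file entries must be full user or group
DNs, not a tree) and build the equivalent role mapping API body for the
sub-tree case. ROLE_MAPPING_YML is constructed from the thread's file."""
import json

# Constructed: the thread's role_mapping.yml, with the second post's entries added.
ROLE_MAPPING_YML = """\
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
superuser:
  - "dc=rogaikopita,dc=com"
power_user:
  - "cn=elastictest,ou=it,dc=rogaikopita,dc=com"
#user:
#  - "cn=devops,ou=it,dc=rogaikopita,dc=com"
"""


def parse_role_mapping(text):
    """Minimal parser for the file's shape: `role:` lines followed by `- "DN"` items."""
    mapping, role = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("- "):
            if role is None:
                raise ValueError(f"line {lineno}: DN item before any role")
            mapping[role].append(s[2:].strip().strip('"\''))
        elif s.endswith(":"):
            role = s[:-1].strip()
            mapping.setdefault(role, [])
        else:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
    return mapping


def is_object_dn(dn):
    """A user or group DN names a leaf object (cn=/uid=); a dc=/ou= leaf is a container."""
    leaf = dn.split(",")[0].strip().lower()
    return leaf.startswith(("cn=", "uid="))


def file_problems(mapping):
    """(role, dn) pairs that the file format cannot express as written."""
    return [(role, dn) for role, dns in mapping.items() for dn in dns if not is_object_dn(dn)]


def subtree_mapping(roles, base_dn):
    """Body for PUT /_security/role_mapping/<name>: grant roles to any user whose DN is under base_dn."""
    return {"roles": list(roles), "enabled": True,
            "rules": {"field": {"dn": f"*,{base_dn}"}}}


if __name__ == "__main__":
    parsed = parse_role_mapping(ROLE_MAPPING_YML)
    for role, dn in file_problems(parsed):
        print(f"{role}: '{dn}' is a tree, not a user/group DN; the API equivalent would be:")
        print(json.dumps(subtree_mapping([role], dn), indent=2))
```

Before pushing the generated body, note what it grants: a rule on "*,dc=rogaikopita,dc=com" matches every user in the domain, so attaching superuser to it makes every AD account a cluster administrator. Scope the rule to the devops OU or group and map the developers' group to a read-only role instead.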

Got it! So I have one group of our devops engineers who can administer the Elasticsearch cluster, and one group of our developers who can only view logs in Discover.

Sorry, I'm completely confused. Now I'm using this configuration:

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: rogaikopita.com
            url: ldap://rogaikopita.com:389
            user_search:
              base_dn: "dc=rogaikopita,dc=com"
            group_search:
              base_dn: "dc=rogaikopita,dc=com"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

and my role_mapping:

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

power_user:
  - "cn=elastictest,ou=it,dc=rogaikopita,dc=com"
user:
  - "cn=elastictest,ou=it,dc=rogaikopita,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"

and when I try to log in with the domain account elastictest@rogaikopita.com I get an error,

and in the Elasticsearch logs I have this error:

[2021-10-29T20:44:39,188][WARN ][o.e.x.s.a.AuthenticationService] [elastic-01] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', ldapSDKVersion=4.0.8, revision=28812))

and on the domain controller I have the following log (screenshot not reproduced here),

but when I authenticate through LDAP it is okay:

ldapsearch -x -h rogaikopita.com -D "elastictest@rogaikopita.com" -W -b "ou=IT,dc=rogaikopita,dc=com"


@TimV
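The two WARN lines quoted in this thread carry more than "failed": the first has resultCode 91 with an SSLPeerUnverifiedException (certificate validation), the second resultCode 49 with the domain controller's own sub-code, "data 52e" in the AcceptSecurityContext error. The script below is an added example, not Elastic's code or anything from the thread; it extracts both values from AuthenticationService lines, maps the well-known AD sub-codes (525, 52e, 530, 531, 532, 533, 701, 773, 775) to their meaning, and counts failures per realm and code, which is the figure a detection rule would watch. LOG_LINES is constructed from the thread's two log lines, the first one abbreviated.

```python
"""Added example (not Elastic's code): triage the AuthenticationService WARN
lines quoted in this thread. It pulls the LDAP resultCode and, for AD binds,
the 'data NNN' sub-code from the AcceptSecurityContext error, which says why
the domain controller rejected the bind. LOG_LINES is constructed from the
thread (the first line abbreviated)."""
import re
from collections import Counter

LOG_LINES = [
    "[2021-10-27T12:33:21,584][WARN ][o.e.x.s.a.AuthenticationService] [elastic-01] "
    "Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException("
    "resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect "
    "to server ad-1dc.com:389: IOException(... SSLPeerUnverifiedException(peer not authenticated) ...)'))",
    "[2021-10-29T20:44:39,188][WARN ][o.e.x.s.a.AuthenticationService] [elastic-01] "
    "Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException("
    "resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09042F, "
    "comment: AcceptSecurityContext error, data 52e, v2580', ldapSDKVersion=4.0.8, revision=28812))",
]

# Active Directory sub-codes reported as "AcceptSecurityContext error, data <code>".
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (username resolved, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\].*?Authentication to realm (?P<realm>\S+) failed")
RESULT_RE = re.compile(r"resultCode=(?P<code>\d+) \((?P<name>[^)]+)\)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


def triage(line):
    """Return a dict describing the failure, or None if the line is not a realm auth failure."""
    m = LINE_RE.search(line)
    if not m:
        return None
    info = {"ts": m["ts"], "realm": m["realm"], "result_code": None, "ad_data": None, "hint": "unclassified"}
    r = RESULT_RE.search(line)          # first (outermost) LDAP result code
    if r:
        info["result_code"] = int(r["code"])
    d = DATA_RE.search(line)            # AD-specific reason, present only on bind failures
    if d:
        info["ad_data"] = d["data"].lower()
    if info["result_code"] == 91:
        info["hint"] = ("TLS certificate validation failed: check that certificate_authorities chains "
                        "to the server certificate" if "SSLPeerUnverified" in line
                        else "could not connect to the LDAP server")
    elif info["result_code"] == 49:
        info["hint"] = AD_DATA_CODES.get(info["ad_data"], "invalid credentials (no AD sub-code present)")
    return info


def failures_by_code(lines):
    """Count failures per (realm, resultCode); a burst of 49s against one realm is worth alerting on."""
    counts = Counter()
    for line in lines:
        t = triage(line)
        if t:
            counts[(t["realm"], t["result_code"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in LOG_LINES:
        t = triage(line)
        print(f"{t['ts']} realm={t['realm']} result={t['result_code']} ad_data={t['ad_data']}: {t['hint']}")
    print(failures_by_code(LOG_LINES))
```

For the second line the output is "invalid credentials (username resolved, password rejected)": the domain controller found the account but rejected the bind, which together with the working ldapsearch points at how the realm presents the username or password rather than at connectivity.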
