Unable to assign roles to groups in active directory using elasticsearch

Good day,
I have a Finance group in my Active Directory and I want to assign roles to the Finance group so that all users present in the Finance group are assigned the same role.
Below is my role_mapping.yml configuration:
Finance:

  • "OU=finance,OU=Elastic_Users,DC=ELASTIC,DC=Testing,DC=COM"

Hi

You will need to provide some more information before anyone can provide some meaningful help. It usually helps if you

  • State exactly what you want to achieve
  • Provide your current configuration
  • Explain the behavior you are seeing
  • Provide some errors you get or describe how the behavior you are seeing doesn't match the behavior you expect.

Also please use the </> button or ``` to format your configuration snippets. Especially yaml which is prone to spacing errors and formatting mistakes.

Assuming that your config is actually

Finance:
  - "OU=finance,OU=Elastic_Users,DC=ELASTIC,DC=Testing,DC=COM"

the problem seems to be that you are trying to use an Organizational Unit (OU) for the role mapping, but you should be using a Group DN.

1 Like

Thanks for your reply,
I want to assign roles to the Finance OU so that all users present under finance get the same role.


Below is my elastic log

I am getting an unauthorised user error.
Please help, I have no idea about assigning roles to groups or OU.

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead paste the text and format it with the </> icon, and check the preview
window to make sure it's properly formatted before posting it. This makes it
more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Please help, I have no idea about assigning roles to groups or OU.

You can start by reading our documentation for role mapping: https://www.elastic.co/guide/en/elasticsearch/reference/6.7/security-api-put-role-mapping.html and https://www.elastic.co/guide/en/elastic-stack-overview/6.7/mapping-roles.html

It is really hard to explain the difference between an LDAP group and an organizational unit without going into too much detail here, and it is slightly out of scope for these forums, but there are enough sources available, such as ldapwiki.com or maybe some AD-specific sources: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc758565(v=ws.10) and https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739393(v%3Dws.10)

When you try to configure a role mapping based on the group membership in AD, you need to specify the DN of the group as the value. What you have currently specified is an Organizational Unit, which is not the same thing.

Hope this helps

1 Like
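
An added example, not code from the thread or from Elastic: a small Python check that reads a role_mapping.yml in the layout shown above and flags entries whose DN starts with OU= or DC=, since such a DN names a container rather than a group or user. The `Reporting` role and the `CN=Finance` group DN are hypothetical placeholders, and treating a leading OU=/DC= as "not a group or user" is a heuristic assumption.

```python
# Constructed sample; "Reporting" and the CN=Finance group DN are hypothetical.
SAMPLE = """\
Finance:
  - "OU=finance,OU=Elastic_Users,DC=ELASTIC,DC=Testing,DC=COM"
Reporting:
  - "CN=Finance,OU=finance,OU=Elastic_Users,DC=ELASTIC,DC=Testing,DC=COM"
"""

CONTAINER_TYPES = {"OU", "DC"}  # RDN types that name containers, not principals


def leftmost_rdn_type(dn):
    """Attribute type of the first RDN; a backslash escapes the next character."""
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    attr, sep, _ = dn[:i].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"not a DN: {dn!r}")
    return attr.strip().upper()


def parse_role_mapping(text):
    """Parse only the simple 'role:' then '- "dn"' layout, not general YAML."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if role is None:
                raise ValueError(f"DN listed before any role: {raw!r}")
            mapping[role].append(line[2:].strip().strip("\"'"))
        elif line.endswith(":") and not raw[0].isspace():
            role = line[:-1].strip().strip("\"'")
            mapping.setdefault(role, [])
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return mapping


def container_mappings(text):
    """Return (role, dn) pairs whose DN names an OU or domain, not a group or user."""
    return [(role, dn) for role, dns in parse_role_mapping(text).items()
            for dn in dns if leftmost_rdn_type(dn) in CONTAINER_TYPES]


if __name__ == "__main__":
    print(container_mappings(SAMPLE))
```

A flagged entry is a mapping that can never match, so users who authenticate successfully still end up with no role from it.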

Thank you so much for your help. I was trying to assign roles to an OU in Active Directory, which was a wrong approach. We can assign roles to groups or users in Active Directory, i.e. CN.
