Unable to use sAMA login account name for authentication

YuWatanabe · April 22, 2017, 9:33am

Hello.

I am trying to work out active directory authentication but looks like x-pack security fails to find the user name.

[2017-04-22T18:20:41,937][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example\y-watanabe]: search for user [example\y-watanabe] by principle name yielded no results
[2017-04-22T18:20:48,315][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example.com\y-watanabe]: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
[2017-04-22T18:22:54,610][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example\\y-watanabe]: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

I have my AMA account configured fine like below.

Authentication works fine with UPN . Below is my elasticsearch.yml.

# AD authentication
xpack.security.authc.realms:
  active_directory:
    type: active_directory
    order: 0
    domain_name: ad.example.com
    url: ldap://ad.example.com:389
    user_search.base_dn: cn=Users,dc=example,dc=com
    group_search.base_dn: cn=Users,dc=example,dc=com
    unmapped_groups_as_roles: true
    follow_referrals: false
  native1:
    type: native
    order: 1

I am using x-pack 5.3.0 .

Am I missing any setting to use sAMAccountName ?

TimV · April 23, 2017, 11:59pm

The process of converting a legacy (NetBIOS) name into the necessary values for bind+search is fairly complex, so there's a few places it could go wrong. It's hard to tell whether your configuration is correct since you've redacted so many of the settings (which is fine, it's just harder to diagnose).

Please turn on TRACE logging for org.elasticsearch.xpack.security.authc.ldap.support, try and login, and then check for messages in the log file for "LdapUtils".
If you're uncomfortable posting the logs here, you can send me the details in a private message.

curl -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.ldap.support": "TRACE"
  }
}
'

jaymode · April 25, 2017, 1:05pm

It looks like you are trying to use the down level login name and not just the sAMAccountName. What happens when you try using just y-watanbe? Also in your configuration you have the domain as ad.example.com but in your screenshot the domain is example.com; are you sure that your configuration is correct?

YuWatanabe · May 18, 2017, 8:32am

I was able to achieve this by setting sAMAccountName in user_search.attribute for LDAP realm

system · June 15, 2017, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.