Unable to use sAMA login account name for authentication

YuWatanabe · April 22, 2017, 9:33am

Hello.

I am trying to work out active directory authentication but looks like x-pack security fails to find the user name.

[2017-04-22T18:20:41,937][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example\y-watanabe]: search for user [example\y-watanabe] by principle name yielded no results
[2017-04-22T18:20:48,315][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example.com\y-watanabe]: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
[2017-04-22T18:22:54,610][INFO ][o.e.x.s.a.l.LdapRealm    ] [development] authenticate failed for user [example\\y-watanabe]: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

I have my AMA account configured fine like below.

Authentication works fine with UPN . Below is my elasticsearch.yml.

# AD authentication
xpack.security.authc.realms:
  active_directory:
    type: active_directory
    order: 0
    domain_name: ad.example.com
    url: ldap://ad.example.com:389
    user_search.base_dn: cn=Users,dc=example,dc=com
    group_search.base_dn: cn=Users,dc=example,dc=com
    unmapped_groups_as_roles: true
    follow_referrals: false
  native1:
    type: native
    order: 1

I am using x-pack 5.3.0 .

Am I missing any setting to use sAMAccountName ?

TimV · April 23, 2017, 11:59pm

The process of converting a legacy (NetBIOS) name into the necessary values for bind+search is fairly complex, so there's a few places it could go wrong. It's hard to tell whether your configuration is correct since you've redacted so many of the settings (which is fine, it's just harder to diagnose).

Please turn on TRACE logging for org.elasticsearch.xpack.security.authc.ldap.support, try and login, and then check for messages in the log file for "LdapUtils".
If you're uncomfortable posting the logs here, you can send me the details in a private message.

curl -XPUT 'localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.ldap.support": "TRACE"
  }
}
'

jaymode · April 25, 2017, 1:05pm

It looks like you are trying to use the down level login name and not just the sAMAccountName. What happens when you try using just y-watanbe? Also in your configuration you have the domain as ad.example.com but in your screenshot the domain is example.com; are you sure that your configuration is correct?

YuWatanabe · May 18, 2017, 8:32am

I was able to achieve this by setting sAMAccountName in user_search.attribute for LDAP realm

system · June 15, 2017, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authentication settings for active directory: sAMAccountName instead of userPrincipalName Elasticsearch elastic-stack-security	3	1006	September 30, 2020
Can´t authenticate against Active Directory Elasticsearch elastic-stack-security	4	493	January 2, 2020
Configuring x-pack and active directory Elasticsearch	4	2071	March 23, 2018
Elasticsearch Active-Directory: Native User Authentication Failure Elasticsearch elastic-stack-security	3	543	August 11, 2020
Setting up Active Directory Authentication Realm in 6.3 Elasticsearch	16	1536	September 11, 2018

Unable to use sAMA login account name for authentication

Related topics