User impersonation does not work with Active Directory realm, but it should

Hi all,

I'm following up the previous topic User impersonation does not work with Active Directory realm, as the latest x-pack version 5.6.0 should support the bind_dn parameter.

I tried to set up user impersonation, but unfortunately it does not work; the system does not even try to contact AD-LDAP and immediately returns a 403 error:

curl -u iis:secretpassword -H "es-security-runas-user: flast@domain.com" "localhost:19200/t/_search?pretty"

response:

  "type" : "security_exception",
  "reason" : "action [indices:data/read/search] is unauthorized for user [iis] run as [flast@domain.com]"

my realm config:

        search_ad:
          enabled: true
          type: active_directory
          order: 2
          domain_name: search.local
          user_search:
            base_dn: "DC=search,DC=local"
          group_search:
            base_dn: "DC=search,DC=local"
          url: ldap://dc.search.local:389
          bind_dn: "CN=First Last,OU=Users,OU=Country,DC=search,DC=local"
          bind_password: "XXXXXXX"
          unmapped_groups_as_roles: true
          follow_referrals: false
          cache.ttl: 30s

The same configuration works fine for the LDAP realm (that means all users, roles and mappings are set up correctly).
What could be wrong with my configuration?
Thank you!
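An added illustration of the check behind the 403 above (not part of the original post and not Elasticsearch's own code): run_as is authorized from the roles of the authenticating user (here iis), whose roles must carry a run_as entry covering the impersonated principal, regardless of what the impersonated user could do. The role names, the user-to-role table, and wildcard matching of run_as patterns are assumptions made for this example; in the real deployment the realm resolves roles from group membership and role mapping. In this thread the 403 is later attributed to a bug rather than a missing grant, but this is the first thing to rule out.

```python
"""Reimplementation of the run_as decision, for illustration only.

Not Elasticsearch code. Role names, the user->role table and wildcard
matching of run_as patterns are assumptions for this example.
"""
import base64
import fnmatch

# Constructed role definitions in the shape of roles.yml. The authenticating
# (service) user needs a role whose run_as list covers the target principal.
ROLES = {
    "kibana_sso_proxy": {
        "cluster": ["monitor"],
        "indices": [{"names": ["t"], "privileges": ["read"]}],
        "run_as": ["*@domain.com"],  # assumption: wildcard patterns allowed
    },
    "plain_search": {
        "indices": [{"names": ["t"], "privileges": ["read"]}],
        # no run_as key: holders cannot impersonate anyone
    },
}

# Constructed user -> roles table, standing in for what the AD/LDAP realm
# resolves via group membership and role mapping.
USER_ROLES = {
    "iis": ["kibana_sso_proxy"],
    "batch": ["plain_search"],
}


def run_as_grants(user):
    """Collect every run_as pattern granted by the user's roles."""
    grants = []
    for role_name in USER_ROLES.get(user, []):
        grants.extend(ROLES.get(role_name, {}).get("run_as", []))
    return grants


def can_run_as(user, target):
    """True if `user` holds a role whose run_as list matches `target`.

    Mirrors the check behind "action [...] is unauthorized for user [iis]
    run as [flast@domain.com]": only the authenticating user's roles count.
    """
    return any(fnmatch.fnmatchcase(target, pat) for pat in run_as_grants(user))


def build_headers(user, password, target):
    """Headers equivalent to the curl call in the post: Basic auth for the
    service account plus es-security-runas-user naming the impersonated user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "es-security-runas-user": target,
    }


def explain(user, target):
    """Verdict to check before blaming the realm for a run_as 403."""
    if can_run_as(user, target):
        return f"{user} may run as {target} via {run_as_grants(user)}"
    return (f"{user} has no run_as grant matching {target}; "
            f"roles={USER_ROLES.get(user, [])}")


if __name__ == "__main__":
    print(explain("iis", "flast@domain.com"))
    print(explain("batch", "flast@domain.com"))
    print(build_headers("iis", "secretpassword", "flast@domain.com"))
```

If can_run_as returns True for the service account and the target yet the cluster still answers 403 without any realm traffic, the grant is not the problem and the realm or version is the next thing to look at.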

What could be wrong with my configuration?

Unfortunately there is a small bug which prevents user impersonation from working with Active Directory in 5.6.0.
We hope to have a fix soon.

Thank you for confirming that!
I'm very keen to get it working as this would be a very useful feature.

5.6.1 - no improvement :frowning:

5.6.2 - I can confirm - it is fixed!
SSO with AD works for Kibana now. Great stuff! Thank you very much!
