I'm following up on the previous topic "User impersonation does not work with Active Directory realm", as the latest X-Pack version, 5.6.0, should support the bind_dn parameter.
I tried to set up user impersonation, but unfortunately it does not work; the system does not even try to contact AD/LDAP and immediately returns a 403 error:
```
curl -u iis:secretpassword -H "es-security-runas-user: firstname.lastname@example.org" "localhost:19200/t/_search?pretty"
```

```
"type" : "security_exception", "reason" : "action [indices:data/read/search] is unauthorized for user [iis] run as [email@example.com]"
```
My realm config:

```yaml
search_ad:
  enabled: true
  type: active_directory
  order: 2
  domain_name: search.local
  user_search:
    base_dn: "DC=search,DC=local"
  group_search:
    base_dn: "DC=search,DC=local"
  url: ldap://dc.search.local:389
  bind_dn: "CN=First Last,OU=Users,OU=Country,DC=search,DC=local"
  bind_password: "XXXXXXX"
  unmapped_groups_as_roles: true
  follow_referrals: false
  cache.ttl: 30s
```
The same configuration works fine for the LDAP realm (which means all users, roles and mappings are set up correctly).
What could be wrong with my configuration?
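Added example, not part of the original post: the error quoted above is the run-as authorization failure, which X-Pack raises against the roles of the authenticating user (iis), not against the realm that would resolve the target user. In X-Pack 5.x a role grants that permission through its run_as list, so a role like the following has to be mapped to iis (through role_mapping.yml for a realm user, or directly for a native/file user). The role name, the index name "t" and the target-user pattern are assumptions made for illustration.

```yaml
# Added example (not from the original post or Elastic's documentation):
# a roles.yml entry that lets the user it is mapped to impersonate others.
# Role name, index name and run_as pattern are assumptions.
iis_impersonator:
  indices:
    - names: [ "t" ]
      privileges: [ "read" ]
  # Users this role holder may run as; "*" allows any user and should be
  # narrowed to the actual set of impersonated accounts in production.
  run_as: [ "*" ]
```

Without a run_as entry in any role held by the authenticating user, the request is rejected at authorization time regardless of whether the realm (AD or LDAP) could look up the target user, which matches a failure that occurs without any directory traffic.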