User impersonation does not work with Active Directory realm, but it should


#1

Hi all,

I'm following up the previous topic User impersonation does not work with Active Directory realm, as the latest x-pack version 5.6.0 should support the bind_dn parameter.

I tried to set up the user impersonation, but unfortunately it does not work; the system does not even try to contact AD-LDAP, giving an immediate 403 error:

curl -u iis:secretpassword -H "es-security-runas-user: flast@domain.com" "localhost:19200/t/_search?pretty"

response:

  "type" : "security_exception",
  "reason" : "action [indices:data/read/search] is unauthorized for user [iis] run as [flast@domain.com]"

my realm config:

        search_ad:
          enabled: true
          type: active_directory
          order: 2
          domain_name: search.local
          user_search:
            base_dn: "DC=search,DC=local"
          group_search:
            base_dn: "DC=search,DC=local"
          url: ldap://dc.search.local:389
          bind_dn: "CN=First Last,OU=Users,OU=Country,DC=search,DC=local"
          bind_password: "XXXXXXX"
          unmapped_groups_as_roles: true
          follow_referrals: false
          cache.ttl: 30s

The same configuration works fine for the LDAP realm (that means all users, roles and mappings are set up correctly).
What could be wrong with my configuration?
Thank you!
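A small pre-flight check for the setup described in this post, written as an added example (not code from the thread or from Elastic): it checks that the AD/LDAP realm has the bind credentials it needs to look up the impersonated user, that the authenticating user's role actually carries a `run_as` grant matching the target user, and it classifies the 403 body quoted above as a run-as authorization refusal rather than a directory or authentication failure. The realm and role dictionaries are constructed here from the post (the role name `iis_proxy` and the function names are assumptions), so the script runs offline.

```python
"""Pre-flight checks for Elasticsearch run-as (user impersonation) through an
Active Directory / LDAP realm.  Added example, not from the thread or Elastic.
Assumed names: check_realm_supports_lookup, check_role_grants_run_as,
classify_run_as_response; the realm and role dicts are constructed here."""
import json
from fnmatch import fnmatchcase

# Realm config from the post, as a plain dict (constructed; secret redacted).
REALMS = {
    "search_ad": {
        "enabled": True,
        "type": "active_directory",
        "order": 2,
        "domain_name": "search.local",
        "url": "ldap://dc.search.local:389",
        "bind_dn": "CN=First Last,OU=Users,OU=Country,DC=search,DC=local",
        "bind_password": "XXXXXXX",
        "unmapped_groups_as_roles": True,
    }
}

# Role descriptor for the authenticating service user (constructed; the role
# name is an assumption). In X-Pack security a role may carry a `run_as` list
# of user-name patterns its holder may impersonate; without a matching entry
# every run-as request is refused before any realm is contacted.
ROLES = {
    "iis_proxy": {
        "cluster": [],
        "indices": [{"names": ["t"], "privileges": ["read"]}],
        "run_as": ["*@domain.com"],
    }
}

# The 403 body quoted in the post, reconstructed as a full JSON document.
RESPONSE_BODY = json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "action [indices:data/read/search] is unauthorized "
                  "for user [iis] run as [flast@domain.com]",
    },
    "status": 403,
})


def check_realm_supports_lookup(realm):
    """Return a list of problems that would stop this realm from resolving an
    impersonated user. Run-as never has the target user's password, so an
    LDAP/AD realm needs its own bind credentials to search the directory."""
    problems = []
    if not realm.get("enabled", False):
        problems.append("realm disabled")
    if realm.get("type") in ("ldap", "active_directory"):
        if not realm.get("bind_dn"):
            problems.append("bind_dn missing: realm cannot look up run-as users")
        if not realm.get("bind_password"):
            problems.append("bind_password missing")
    return problems


def check_role_grants_run_as(role, target_user):
    """True if one of the role's run_as patterns (glob style, '*' wildcard)
    matches target_user."""
    return any(fnmatchcase(target_user, p) for p in role.get("run_as", []))


def classify_run_as_response(body_text):
    """Tell a run-as authorization refusal (the symptom in the post: 403 with
    'run as [...]' in the reason, no directory traffic) apart from a failed
    authentication (401) or a successful search."""
    body = json.loads(body_text)
    err = body.get("error") or {}
    status = body.get("status", 200)
    if status == 403 and "run as [" in err.get("reason", ""):
        return "run_as_denied"
    if status == 401:
        return "auth_failed"
    if status == 200 and not err:
        return "ok"
    return "other"


if __name__ == "__main__":
    print("realm problems:", check_realm_supports_lookup(REALMS["search_ad"]))
    print("role grants run_as for flast@domain.com:",
          check_role_grants_run_as(ROLES["iis_proxy"], "flast@domain.com"))
    print("response class:", classify_run_as_response(RESPONSE_BODY))
```

When all three checks pass and the response still classifies as `run_as_denied`, the configuration is not the problem, which is exactly the situation this thread ends up confirming.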


(Tim Vernum) #2

What could be wrong with my configuration?

Unfortunately there is a small bug which prevents user impersonation from working with Active Directory in 5.6.0.
We hope to have a fix soon.


#3

Thank you for confirming that!
I'm very keen to get it working as this would be a very useful feature.


#4

5.6.1 - no improvement :frowning:


#5

5.6.2 - I can confirm - it is fixed!
SSO with AD works for Kibana now. Great stuff! Thank you very much!

