User impersonation does not work with Active directory realm

Hi Elasticsearch team!

any news regarding the subject?
so, basically, this does not work with active directory realm (with LDAP realm works fine, but no nested groups support):

curl -H "es-security-runas-user: an_ad_user" -u iis -XGET 'http://localhost:9200/'

(iis is an internal user, with "run_as": ["*"])


P.S.: there is a couple of topics with the similar question:

No, the behaviour you describe has not changed in the latest releases of X-Pack and we have no announcements about any such changes.

As of right now, the AD realm requires the user's password in order to determine their groups (and consequently their roles) and the LDAP realm does not support nested groups.

Thank you for getting back to me.
So, it's not a bug it's a limitation. Sadly, that is not mentioned on the documentation, more over, there is a blog article, which is optimistically hinting at possibility of impersonation with AD... That's why I spent a whole day trying to configure the thing, which does not work by design.

Do you think, it could change in the future and the impersonation feature would work with AD as well?

Hi there,

I'm the product manager for X-Pack Security. I've added this feedback to my product feature data. I can't promise anything at this point, but I'll see what I can do.


1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.