Is it possible to use an Active Directory realm for user authentication, and let the Native Realm do the user-to-role mapping in x-pack (5.0)?
Elastic created this nice Kibana interface for adding users and roles and mapping users to roles; however, when we configured AD for authentication (which authenticates properly), it appears the role mapping we had previously done in the Native Realm (via the Kibana interface) is ignored and users have essentially no permissions.
We do not want to do any mapping of AD groups/domains/OUs to roles (via the role_mapping.yml file), as our corporate AD mapping is nowhere near as granular as we need to be at the Elastic level and we don't control our Corp. AD.
Not sure if we're missing something but it seems odd that Elastic developed the capability to manage users/roles via Kibana (basically making the Native Realm the "king") only to have it rendered moot if you decide on a different mechanism for the authentication of users. Also - our user ids for AD are the exact same as what we had built into Elasticsearch Native realm to begin with - so not sure why they aren't "matched".
Our Active Directory config is thus, with real domain and url detail xxx'd out:
xpack.security.authc.realms:
  active_directory:
    type: active_directory
    order: 0
    domain_name: xxxxx.ad.xxxxxxx.com
    url: ldap://xxxx.xxxxxx.com:389
    unmapped_groups_as_roles: false
This config works in that it allows us to authenticate and brings us to the default Kibana screen. From there we just get nothing when moving to other tabs or permission denied - even for a user that is in the "superuser" group in the Elasticsearch native realm.