Using Active Directory for authentication and Native Realm for role mapping


(Kevin Soucy) #1

Is it possible to use an Active Directory realm for user authentication, and let the Native Realm do the user-to-role mapping in x-pack (5.0)?
Elastic created this nice Kibana interface for adding users and roles and mapping users to roles; however, when we configured AD for authentication (which authenticates properly), it appears the role mapping we had previously done in the Native Realm (via the Kibana interface) is ignored and users have essentially no permissions.
We do not want to do any mapping of AD groups/domains/OUs to roles (via the role_mapping.yml file) as our corporate AD mapping is nowhere near as granular as we need to be at the Elastic level and we don't control our Corp. AD.
Not sure if we're missing something but it seems odd that Elastic developed the capability to manage users/roles via Kibana (basically making the Native Realm the "king") only to have it rendered moot if you decide on a different mechanism for the authentication of users. Also - our user ids for AD are the exact same as what we had built into Elasticsearch Native realm to begin with - so not sure why they aren't "matched".

Our Active Directory config is thus, with real domain and url detail xxx'd out:

xpack.security.authc.realms:
  active_directory:
    type: active_directory
    order: 0
    domain_name: xxxxx.ad.xxxxxxx.com
    url: ldap://xxxx.xxxxxx.com:389
    unmapped_groups_as_roles: false

This config works in that it allows us to authenticate and brings us to the default Kibana screen. From there we just get nothing when moving to other tabs or permission denied - even for a user that is in the "superuser" group in elasticsearch native realm.


(Steve Kearns) #2

Hi Kevin,

This is a good question - and I'm afraid that the answer at the moment is no. We do have plans to add a user-role mapping API, which would do exactly what you're after, though we're still in the planning stages of this and don't have a target release or date to share just yet.

To give you just a bit of context as to why it doesn't "just work" - each realm handles authentication and also handles mapping users to roles. Separately, we have role stores that the various realms can use when doing their role mapping. Today, AD and LDAP only support mapping users to groups via the security config files, and this is what we're planning to extend with an API.

I realize that this doesn't help you today, but hopefully it gives you an understanding of how we're thinking about the problem.

Thanks,
Steve

