I am trying to set up X-Pack 5.2.1 with LDAP. The users are able to be authenticated and their groups are retrieved, but the roles defined in role_mapping.yml never get applied to the user. I tried a simple test by adding all the groups associated with a user to the superuser role. I also double-checked that the spelling of the groups in the elasticsearch.log output and role_mapping.yml is identical.
Is there something I am missing or is this a bug in X-Pack 5.2.1?
Any help is appreciated!
### Debug output from elasticsearch.log
```
[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from these [ldap] groups [[group_dn_1, group_dn_2,...,group_dn_n]] for realm [ldap/ldap1]
[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from the user [user_dn] for realm [ldap/ldap1]
[2017-02-22T23:54:41,954][DEBUG][o.e.x.s.a.l.LdapRealm ] [RuChlI3] authenticated user [user_cn], with roles []
```
For unfortunate historical reasons, if the role_mapping file doesn't exist, then elasticsearch starts up fine, but acts as if the role-mappings are empty, and doesn't provide much in the way of logging.
Double check that you've got the name of that file correct - I assume it should actually be .yml not .xml
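The symptom discussed in this thread, a realm that authenticates users while every role lookup comes back empty, can be picked out of the DEBUG lines quoted in the question. The following is an added example, not part of the original posts or of X-Pack; the sample log, the `ldap/ldap2` realm and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, following the three DEBUG line shapes quoted in this thread.
SAMPLE_LOG = """\
[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from these [ldap] groups [[group_dn_1, group_dn_2]] for realm [ldap/ldap1]
[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from the user [user_dn] for realm [ldap/ldap1]
[2017-02-22T23:54:41,954][DEBUG][o.e.x.s.a.l.LdapRealm ] [RuChlI3] authenticated user [user_cn], with roles []
[2017-02-22T23:55:02,110][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [superuser], are mapped from these [ldap] groups [[group_dn_1]] for realm [ldap/ldap2]
[2017-02-22T23:55:02,300][DEBUG][o.e.x.s.a.l.LdapRealm ] [RuChlI3] authenticated user [other_cn], with roles [superuser]
"""

# "\[+" / "\]+" accept both the "[]" and the "[[]]" renderings seen in the thread.
MAPPER = re.compile(r"DnRoleMapper\s*\].*?the roles \[+(?P<roles>[^\]]*)\]+, are mapped from "
                    r".*? for realm \[(?P<realm>[^\]]+)\]")
AUTH = re.compile(r"authenticated user \[(?P<user>[^\]]+)\], with roles \[+(?P<roles>[^\]]*)\]+")

def split_roles(raw):
    # "" -> [], "a, b" -> ["a", "b"]
    return [r.strip() for r in raw.split(",") if r.strip()]

def audit(log_text):
    """Return (realms whose mapper never produced a role, users authenticated with no roles)."""
    realms = defaultdict(lambda: {"lookups": 0, "with_roles": 0})
    roleless_users = []
    for line in log_text.splitlines():
        m = MAPPER.search(line)
        if m:
            stats = realms[m.group("realm")]
            stats["lookups"] += 1
            if split_roles(m.group("roles")):
                stats["with_roles"] += 1
            continue
        a = AUTH.search(line)
        if a and not split_roles(a.group("roles")):
            roleless_users.append(a.group("user"))
    # Every lookup empty for a realm: the mapping file is probably not being read at all.
    suspect = sorted(r for r, s in realms.items() if s["lookups"] and not s["with_roles"])
    return suspect, roleless_users

if __name__ == "__main__":
    suspect, users = audit(SAMPLE_LOG)
    print("realms with no mapped roles (check the role mapping file path):", suspect)
    print("users authenticated with empty roles:", users)
```

A realm listed in the first result never mapped a single role, which matches the missing or misnamed role mapping file described in the reply above.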
Thanks Tim! Using the right path to role_mapping.yml did the trick!
It's unfortunate that elasticsearch doesn't complain about anything but hopefully this post can point some people in the right direction.
How did you get debug information?
"[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [[]], are mapped from these [ldap] groups [[group_dn_1, group_dn_2,...,group_dn_n]] for realm [ldap/ldap1]"
I have a similar situation with version 5.2.2.
I can log in to Kibana, but I cannot see superuser views.