X-Pack 5.2.1: Role mappings never get applied to LDAP groups

Elastic Stack Elasticsearch
1

I am trying to setup X-Pack 5.2.1 with LDAP. The users are able to be authenticated and its groups are retrieved, but the roles defined in role_mapping.yml never get applied to the user. I tried a simple test by adding all the groups associated with a user to the superuser role. I also double checked that the spelling of the groups in the elasticsearch.log output and role_mapping.yml is identical.

Is there something I am missing or is this a bug in X-Pack 5.2.1?
Any help is appreciated!

###Debug output from elasticsearch.log

[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from these [ldap] groups [[group_dn_1, group_dn_2,...,group_dn_n]] for realm [ldap/ldap1]
[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [], are mapped from the user [user_dn] for realm [ldap/ldap1]
[2017-02-22T23:54:41,954][DEBUG][o.e.x.s.a.l.LdapRealm ] [RuChlI3] authenticated user [user_cn], with roles []

###role_mapping.yml
superuser:
- group_dn_1
- group_dn_2
- ...
- group_dn_n

##elasticsearch.yml
xpack:
security:
audit:
enabled: true
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://ldap.company.net:389"
bind_dn: "bind_dn"
bind_password: "bind_password"
user_search:
base_dn: "base_dn"
attribute: CN
user_group_attribute: memberOf
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.xml"

2

I suspect the answer is somewhere in between.

For unfortunate historical reasons, if the role_mapping file doesn't exist, then elasticsearch starts up fine, but acts as if the role-mappings are empty, and doesn't provide much in the way of logging. :frowning2:

Double check that you've got the name of that file correct - I assume it should actually be .yml not .xml

3

Thanks Tim! Using the right path to role_mapping.yml did the trick!
It's unfortunate that elasticsearch doesn't complain about anything but hopefully this post can point some people in the right direction.

4

How did you get debug information?
"[2017-02-22T23:54:40,499][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [RuChlI3] the roles [[]], are mapped from these [ldap] groups [[group_dn_1, group_dn_2,...,group_dn_n]] for realm [ldap/ldap1]"

I have similar situation with version 5.2.2.
I can login to kibana, but I can not see superuser views.

[2017-03-08T10:13:21,587] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[my_account], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateReq
uest]
[2017-03-08T10:13:21,589] [transport] [access_denied] origin_type=[rest], origin_address=[127.0.0.1], principal=[my_account], action=[indices:data/read/search], indices=[.reporting-*], request=[SearchRequest
]

5

From the LDAP docs:

To help track down these possibilities, add the following lines to the end of the log4j2.properties configuration file in the CONFIG_DIR:

logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

The Debian and RPM packages set the config directory location to /etc/elasticsearch/.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.