X-pack 5.4.1 Role mapping not getting applied on AD users

I am using ELK and x-pack 5.4.1 version. I am using AD authentication using x-pack. The system is allowing me to log in, but I am getting this error.

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user <user name error>"

I have defined roles in Kibana and Role mapping in the "/config/x-pack/role_mapping.yml" file. These roles are not getting applied when I log in.

PFB the elasticsearch.yml configuration.

    xpack.security.audit.enabled: true
    xpack:
      security:
        authc:
          realms:
            active_directory:
              type: active_directory
              order: 0
              domain_name: "<domain_name>"
              url: ldap://<ldaphost>:389
              unmapped_groups_as_roles: true
              #follow_referrals: false
              user_search:
                filter: "(&(objectClass=user)(sAMAccountName={0}))"
              files:
                role_mapping: "<Config Dir>/x-pack/role_mapping.yml"

role_mapping.yml:

    superuser:
      - "cn=<user name>,cn=Users,dc=<domain>,dc=com"

Access Logs:

    [2017-07-06T12:21:44,998] [transport] [access_granted]  origin_type=[rest], origin_address=[<IP>], principal=[<user name>], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
    [2017-07-06T12:21:45,000] [transport] [access_denied]   origin_type=[rest], origin_address=[<IP>], principal=[<user name>], action=[indices:data/read/search], indices=[.reporting-*], request=[SearchRequest]

Any help appreciated. Thanks in advance.

Regards
Venu

There are 2 likely explanations:

  1. That the DN in your role_mapping.yml file is not the right match for your user.
  2. That the path to your role_mapping file is incorrect.

Because you've redacted those in your post, it's hard to tell whether either of those is the cause, but they're the most likely.

To diagnose #1, try to GET /_xpack/security/_authenticate?pretty as the user you're trying to map to superuser.
The result of that API will tell you the DN and groups that your user is in; you can then check that these are the same as you have entered in your role_mapping file.

To diagnose #2, check the elasticsearch logs.
Check for messages for the DnRoleMapper category; if there is a problem with your file it will be logged there.
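The DN comparison from step #1, as an added example that is not part of the original thread: it takes a constructed `_authenticate` response (the `ldap_dn` / `ldap_groups` metadata field names are assumed) and a constructed role_mapping.yml in the same `role:` / `- "dn"` layout as above, normalizes the DNs for case and spacing (a simplified version of the normalization x-pack applies), and reports which roles the file would grant and which file entries match nothing.

```python
import re

# Constructed sample of what GET /_xpack/security/_authenticate returns for an
# AD-realm user; the metadata field names ldap_dn/ldap_groups are assumed here.
AUTH_RESPONSE = {
    "username": "jdoe",
    "roles": [],
    "metadata": {
        "ldap_dn": "CN=John Doe,CN=Users,DC=example,DC=com",
        "ldap_groups": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
}

# Constructed role_mapping.yml in the `role:` / `- "dn"` layout from the post.
ROLE_MAPPING_YML = """
superuser:
  - "cn=jdoe,cn=Users,dc=example,dc=com"
reporting_user:
  - "cn=Domain Users, cn=Users, dc=example, dc=com"
"""

def normalize_dn(dn):
    """Lower-case and drop whitespace around RDN separators so that
    CN=Users and cn=Users compare equal (simplified DN normalization)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_role_mapping(text):
    """Parse the minimal layout only: `role:` lines followed by `- "dn"` items.
    Returns {normalized_dn: [roles]}."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            role = line[:-1]
        elif line.startswith("-") and role:
            mapping.setdefault(normalize_dn(line[1:].strip().strip("\"'")), []).append(role)
    return mapping

def diagnose(auth_response, mapping):
    """Return (roles the file would grant, file entries matching neither the user DN
    nor any group DN). The second list holds the lines to compare against the API output."""
    meta = auth_response["metadata"]
    present = {normalize_dn(d) for d in [meta["ldap_dn"]] + list(meta.get("ldap_groups", []))}
    granted = sorted({r for dn in present for r in mapping.get(dn, [])})
    unmatched = sorted(dn for dn in mapping if dn not in present)
    return granted, unmatched
```

Call `diagnose(AUTH_RESPONSE, parse_role_mapping(ROLE_MAPPING_YML))`; with the sample data the group entry grants `reporting_user`, while the `superuser` entry is reported as unmatched because the file names the sAMAccountName where the user's actual DN carries the CN.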
