We are trying to integrate Elasticsearch and Kibana with Active Directory for authentication.
We are able to see connectivity between Elasticsearch and AD.
We are trying to set roles.yml as:
```yaml
# The default roles file is empty as the preferred method of defining roles is
# through the API/UI. File based roles are useful in error scenarios when the
# API based roles may not be available.

# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*': all

# Monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*': all

# Only read operations on indices
user:
  indices:
    '*': read

# Only read operations on indices named events_*
events_user:
  indices:
    'events_*': read
```
and role_mapping.yml as:
```yaml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#   - groupA-DN  this is a group distinguished name
#   - groupB-DN
#   - user1-DN   this is the full user distinguished name

power_user:
  - "cn=user,cn=people,dc=company,dc=com"
superuser:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=user,cn=people,dc=company,dc=com"
```
We need to control authentication using AD and manage roles in Elastic. Any help is appreciated.
In elastic*.yml we have given:
```yaml
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: company.com
          url: ldap://company.com:389
          unmapped_groups_as_roles: true
```
Hi Aditya,
You can definitely define roles in the roles.yml file (file realm) or through the API (native realm). You can map the roles via role_mapping.yml. I am a bit unclear as to what issues you are facing.
Are you saying you would like to manage file-based roles via the UI?
Regards
Sherry
Hi Sherry,
I want to set up authorization and authentication using Active Directory. I did some config, but I am not able to use it properly: when I go to localhost:9200 I do get prompted for user ID and password, and if I give a wrong password it does not go further, but when I give the correct password I get a 403. I need to set up users and their roles using AD.
Regards
Aditya
@Sherry_Ger I have X-Pack installed.
Regards
Aditya
I get

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [cluster:monitor/main] is unauthorized for user [90008322]"
      }
    ],
    "type": "security_exception",
    "reason": "action [cluster:monitor/main] is unauthorized for user [90008322]"
  },
  "status": 403
}
```

when accessing localhost:9200, even though I added this in my role mapping yml:
```yaml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#   - groupA-DN  this is a group distinguished name
#   - groupB-DN
#   - user1-DN   this is the full user distinguished name

power_user:
  - "uid=user,cn=user,ou=people,dc=company,dc=com"
superuser:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "uid=user,cn=user,ou=people,dc=company,dc=com"
```
I found the issue: I was giving the wrong CN in the DN.
Thanks everyone
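The whole thread turns on one rule of the file-based role mapper: a role is granted only when the user's own DN, or the DN of a group AD resolved for the user, matches an entry under that role in role_mapping.yml; a user who matches nothing has no roles and every request, including the `cluster:monitor/main` behind a plain `GET /` on port 9200, fails with the 403 shown above. The script below is an added example written for this page, not code from Elastic or from either poster. It parses the simple subset of YAML the shipped role_mapping.yml uses, normalises DNs with a simplified stand-in for the normalisation Elasticsearch performs (case-folding and whitespace trimming, not the full RFC 4514 rules), resolves roles for a constructed user, and checks whether the roles.yml roles from the thread cover the monitor action. The user DN, group DN, `CN=Test User` name and both mapping files are constructed for the demonstration; the first mapping repeats the kind of RDN mistake the thread ends with and yields no roles.

```python
"""Simulate file-based role mapping (role_mapping.yml) for an Active Directory user.

Added example for this thread; not code from Elastic or from the posters.
The DN normaliser is a simplified approximation of Elasticsearch's, and every
DN, user name, group and mapping file below is constructed for the demo.
"""
import re


def normalize_dn(dn):
    """Approximate LDAP DN normalisation: case-fold attribute types and values,
    drop whitespace around '=' and ','. Without this, "CN=Test User,OU=People"
    and "cn=test user, ou=people" would be treated as different principals."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        out.append("%s=%s" % (attr.strip().lower(), " ".join(value.split()).lower()))
    return ",".join(out)


def parse_role_mapping(text):
    """Parse the subset of YAML the shipped role_mapping.yml uses:
    'role:' keys, '- dn' list items (optionally quoted) and '#' comments.
    Returns {role: [normalised DN, ...]}. Not a general YAML parser."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (DNs here contain no '#')
        if not line.strip():
            continue
        if line.lstrip().startswith("-"):
            if role is None:
                raise ValueError("DN list item before any role key: %r" % raw)
            dn = line.lstrip()[1:].strip().strip("\"'")
            mapping[role].append(normalize_dn(dn))
        elif line.endswith(":"):
            role = line.strip()[:-1]
            mapping.setdefault(role, [])
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return mapping


def resolve_roles(mapping, user_dn, group_dns):
    """Roles whose DN list contains the user's DN or any of the user's group DNs."""
    candidates = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return {role for role, dns in mapping.items() if candidates.intersection(dns)}


# Cluster privilege each role grants, taken from the roles.yml in the thread.
# superuser is Elasticsearch's built-in role, not defined in the file.
CLUSTER_PRIVILEGE = {"admin": "all", "power_user": "monitor", "user": None,
                     "events_user": None, "superuser": "all"}


def is_authorized(roles, action="cluster:monitor/main"):
    """True if any role's cluster privilege covers the action. Only the 'all'
    and 'monitor' cluster privileges are modelled; 'monitor' covers
    cluster:monitor/* actions, which is what GET / on port 9200 runs."""
    for role in roles:
        priv = CLUSTER_PRIVILEGE.get(role)
        if priv == "all" or (priv == "monitor" and action.startswith("cluster:monitor/")):
            return True
    return False


# Constructed sample principal, in the case and spacing AD typically returns.
USER_DN = "CN=Test User,OU=People,DC=company,DC=com"
GROUP_DNS = ["CN=ES-Power-Users,OU=Groups,DC=company,DC=com"]

# Constructed mapping with the wrong RDN chain (cn=people instead of ou=people):
# nothing matches, so the user ends up with no roles at all.
MAPPING_WRONG = """\
power_user:
  - "cn=test user,cn=people,dc=company,dc=com"
superuser:
  - "cn=admins,dc=example,dc=com"
"""

# Constructed corrected mapping: the user DN matches after normalisation despite
# different case and spacing, and the group DN maps the whole group as well.
MAPPING_FIXED = """\
# role -> list of user or group DNs
power_user:
  - "cn=test user, ou=people, dc=company, dc=com"   # user DN
  - 'cn=es-power-users,ou=groups,dc=company,dc=com'   # group DN
superuser:
  - "cn=admins,dc=example,dc=com"
"""


def demo():
    """Resolve roles under both mappings and report whether GET / would be allowed."""
    wrong = resolve_roles(parse_role_mapping(MAPPING_WRONG), USER_DN, GROUP_DNS)
    fixed = resolve_roles(parse_role_mapping(MAPPING_FIXED), USER_DN, GROUP_DNS)
    return {"wrong": (sorted(wrong), is_authorized(wrong)),
            "fixed": (sorted(fixed), is_authorized(fixed))}


if __name__ == "__main__":
    for label, (roles, ok) in demo().items():
        print(label, roles, "200 OK" if ok else "403 cluster:monitor/main unauthorized")
```

Two things the simulation makes visible. First, the exact DN string AD returns is what has to appear in the file, so before editing role_mapping.yml look the account up with `ldapsearch -x -H ldap://company.com:389 -D <bind user> -W -b "dc=company,dc=com" "(sAMAccountName=<user>)" dn memberOf` and paste the returned `dn` and group DNs rather than reconstructing them. Second, the matching is purely membership in a list: a group DN placed under `superuser` (as `cn=users,dc=example,dc=com` is in the shipped example) makes every member of that group a superuser, so map broad groups only to narrowly privileged roles.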