I have set up x-pack security and configured an Active Directory realm which is working fine for most of my users. I had an issue today whereby someone was not getting assigned any roles once they were authenticated.
I turned on debugging and noticed that the list of Active Directory groups that was being compared by the role mapping process only contained about half the groups that the user was actually a member of.
Could anyone advise if there is a limit on the number of groups returned by this process?
The DEBUG entry was:
[DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Server] the roles [[default_index]], are mapped from these [active_directory] groups
[DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Server] the roles [[]], are mapped from the user [CN=LastName\, FirstName,OU=test,OU=Accounts,DC=domain,DC=com] for realm [active_directory/active_directory]
The user in question is a member of 115 Security Global Groups; the process has checked against only 103, and unfortunately the one I used in my role_mapping.yml file is not on the checked list.
Does this group exist in a different domain in the forest?
When running with debug logging there should be a log message group SID to DN [{}] search filter: [{}] that contains all of the SIDs returned by active directory. Can you check the number of SIDs in the filter?
This is very odd; the values from the filter are taken directly from the active directory tokenGroups attribute. Additionally, the default AD maximum page size is 1000, which means the most results in a single result would be 1000, but it doesn't appear that you're hitting this limit unless your AD has a value lower than the default.
Would you be willing to share the elasticsearch logs? If you do not feel comfortable sharing publicly, we can work out a way to share privately.
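The reply above asks for two checks: how many SIDs appear in the "group SID to DN ... search filter" debug line, and whether the group named in role_mapping.yml is among the DNs the DnRoleMapper line says it compared. The script below is an added example (not Elastic's code and not from this thread) that performs both checks over debug output. It assumes the search filter is an LDAP OR filter of `objectSid=` equality terms and that the DnRoleMapper line lists group DNs separated by `, ` (DNs with escaped commas such as `CN=LastName\, FirstName` are kept intact). The log lines and the role mapping are constructed samples.

```python
import re

# Constructed sample debug lines. The logger name on the SID line and the exact
# filter syntax are assumptions; the DnRoleMapper line mirrors the one in the thread.
SAMPLE_FILTER_LINE = (
    "[DEBUG][<groups-resolver-logger>] [Server] group SID to DN [DC=domain,DC=com] "
    "search filter: [(|(objectSid=S-1-5-21-1111-2222-3333-1105)"
    "(objectSid=S-1-5-21-1111-2222-3333-1106)"
    "(objectSid=S-1-5-21-1111-2222-3333-1107)(objectSid=S-1-5-32-545))]"
)
SAMPLE_GROUPS_LINE = (
    "[DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Server] the roles [[default_index]], are mapped "
    "from these [CN=ES Readers,OU=Groups,DC=domain,DC=com, "
    "CN=Smith\\, Team,OU=Groups,DC=domain,DC=com, "
    "CN=Domain Users,CN=Users,DC=domain,DC=com] groups"
)
# Constructed stand-in for role_mapping.yml: role -> list of group DNs.
ROLE_MAPPING = {
    "default_index": ["cn=es readers,ou=groups,dc=domain,dc=com"],
    "kibana_user": ["CN=Kibana Users,OU=Groups,DC=domain,DC=com"],
}

# Default AD page size mentioned in the thread; a SID count at or above it
# suggests the tokenGroups result may have been truncated by paging.
AD_DEFAULT_PAGE_SIZE = 1000

SID_RE = re.compile(r"objectSid=(S-1-[0-9-]+)")
FILTER_RE = re.compile(r"search filter: \[(.+)\]")
GROUPS_RE = re.compile(r"are mapped from these \[(.*)\] groups")


def sids_from_filter_line(line):
    """Extract every SID from the 'group SID to DN ... search filter' debug line."""
    m = FILTER_RE.search(line)
    return SID_RE.findall(m.group(1)) if m else []


def group_dns_from_mapper_line(line):
    """Extract the group DNs listed by the DnRoleMapper line.

    The list separator is ', '; a comma escaped inside a DN ('\\, ') is not a separator.
    """
    m = GROUPS_RE.search(line)
    if not m or not m.group(1).strip():
        return []
    return re.split(r"(?<!\\), ", m.group(1))


def normalize_dn(dn):
    """AD DNs compare case-insensitively, so lowercase before comparing."""
    return dn.strip().lower()


def missing_mapping_groups(role_mapping, checked_dns):
    """Return role -> mapped group DNs that never appeared in the checked DN list."""
    checked = {normalize_dn(dn) for dn in checked_dns}
    missing = {}
    for role, groups in role_mapping.items():
        absent = [g for g in groups if normalize_dn(g) not in checked]
        if absent:
            missing[role] = absent
    return missing


def audit(filter_line, groups_line, role_mapping):
    """Compare SID count vs resolved DN count and flag unmapped role_mapping groups."""
    sids = sids_from_filter_line(filter_line)
    dns = group_dns_from_mapper_line(groups_line)
    return {
        "sid_count": len(sids),
        "resolved_dn_count": len(dns),
        "unresolved_sids": len(sids) - len(dns),
        "page_limit_suspect": len(sids) >= AD_DEFAULT_PAGE_SIZE,
        "missing_by_role": missing_mapping_groups(role_mapping, dns),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_FILTER_LINE, SAMPLE_GROUPS_LINE, ROLE_MAPPING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A gap between `sid_count` and `resolved_dn_count` means some SIDs from tokenGroups never resolved to a DN (for example because the group lives in another domain of the forest, as the first reply asks); an entry under `missing_by_role` is the role_mapping.yml group that the mapper never saw, which matches the symptom described in the question.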