X-Pack Security 5.2.2 - Active Directory Global Group Limit?

I have set up x-pack security and configured an Active Directory realm which is working fine for most of my users. I had an issue today whereby someone was not getting assigned any roles once they were authenticated.

I turned on debugging and noticed that the list of Active Directory groups that was being compared by the role mapping process only contained about half the groups that the user was actually a member of.

Could anyone advise if there is a limit on the number of groups returned by this process?

The DEBUG entry was:

[DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Server] the roles [[default_index]], are mapped from these [active_directory] groups

[DEBUG][o.e.x.s.a.s.DnRoleMapper ] [Server] the roles [[]], are mapped from the user [CN=LastName\, FirstName,OU=test,OU=Accounts,DC=domain,DC=com] for realm [active_directory/active_directory]

Thanks in advance

How many groups are returned? Are the missing groups security groups?

Hi Jay

The user in question is a member of 115 Security Global Groups; the process has checked against only 103, and unfortunately the one I used in my role_mapping.yml file is not on the checked list.

Does this group exist in a different domain in the forest?

When running with debug logging there should be a log message group SID to DN [{}] search filter: [{}] that contains all of the SIDs returned by active directory. Can you check the number of SIDs in the filter?

The group is in the same domain as the user account.

The number of SIDs in the group SID to DN [{}] search filter: [{}] is different again as it returned 100 entries.

This is very odd; the values from the filter are taken directly from the active directory tokenGroups attribute. Additionally, the default AD maximum page size is 1000, which means the most results in a single result would be 1000, but it doesn't appear that you're hitting this limit unless your AD has a value lower than the default.

Would you be willing to share the elasticsearch logs? If you do not feel comfortable sharing publicly, we can work out a way to share privately.
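A small diagnostic for the checks suggested above (counting the SIDs that reach the group SID to DN search filter and comparing them with the groups the user is known to hold). This is an added example, not code from the thread or from X-Pack; it assumes the filter is an LDAP OR of objectSid equality terms whose binary values are escaped per RFC 4515, and all SIDs in it are constructed.

```python
import re
import struct

def sid_to_bytes(sid):
    """Encode a textual SID (S-1-5-21-...) into the binary form AD stores in tokenGroups."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def ldap_escape(data):
    """RFC 4515 escaping of a binary assertion value: every byte as \\xx (escaping all bytes is legal)."""
    return "".join("\\%02x" % b for b in data)

def ldap_unescape(value):
    """Reverse RFC 4515 escaping; printable bytes may appear literally, others as \\xx."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            out.append(int(value[i + 1:i + 3], 16)); i += 3
        else:
            out.append(ord(value[i])); i += 1
    return bytes(out)

def sids_in_filter(filter_text):
    """Pull every objectSid assertion out of an (|(objectSid=...)(objectSid=...)) filter, decoded."""
    values = re.findall(r"\(objectSid=((?:\\[0-9a-fA-F]{2}|[^\\()*])+)\)", filter_text)
    return [bytes_to_sid(ldap_unescape(v)) for v in values]

def missing_groups(filter_text, expected_sids):
    """Group SIDs the user is known to hold that never made it into the search filter."""
    present = set(sids_in_filter(filter_text))
    return [s for s in expected_sids if s not in present]

# Constructed sample: five groups the user belongs to, but the filter only carries three (values are made up).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
EXPECTED = ["%s-%d" % (DOMAIN, rid) for rid in range(1101, 1106)]
SAMPLE_FILTER = "(|" + "".join("(objectSid=%s)" % ldap_escape(sid_to_bytes(s)) for s in EXPECTED[:3]) + ")"
if __name__ == "__main__":
    print("SIDs in filter:", len(sids_in_filter(SAMPLE_FILTER)))
    print("missing:", missing_groups(SAMPLE_FILTER, EXPECTED))
```

Feed the real filter text from the debug log and the SIDs exported from the user's group list to see which groups were dropped before role mapping ran.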

Happy to share the logs in private
