When asking questions, please provide the following information:
Search Guard and Elasticsearch version: search-guard-5
Installed and used enterprise modules, if any:
JVM version and operating system version: 1.8.0_141 on CentOS 7.4
Search Guard configuration files:
Elasticsearch log messages on debug level:
Other installed Elasticsearch or Kibana plugins, if any:
We are doing a POC evaluation of Search Guard for authentication/authorization against AD. We are currently stuck on an issue with SG not being able to do group-based authorization.
We have ES and Kibana running 5.4.1 with Search Guard installed and running fine. We have a couple of indices, like atest and etest, and we are trying to authorize 2 users to each of these indices via an AD group and have been unsuccessful at it.
We have a user created, atest, and a group agroup; similarly etest and egroup. We are using agroup to assign the atest index to the atest user. But when we do that we are seeing the following error in the ES logs. We tried to set up debug but we did not find the correct documentation on how to set it up, so we do not have the debug logs. Our config files look as follows.
# bind_dn: CN=elk admin,OU=Users,OU=myOU,DC=myad,DC=com
In sg_roles.yml I have the following group created:
#Role for myorg
sg_roles_mapping.yml has the following:
When I log in with auser, who is part of the agroup, the following line is printed in the log; in fact, the same line is printed for the bindDN user when I run sg_admin.
[2017-12-15T13:39:31,283][ERROR][c.f.s.a.BackendRegistry ] Problems retrieving roles for User [name=CN=auser,OU=Users,OU=myou,DC=myad,DC=com, roles=] from class com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
I think the above error means the backend roles are not being fetched, because of which SG is not able to assign the correct rights. Any pointers on how to fix this issue?