There are several files involved:
The elasticsearch.yml holds the active directory configuration, for instance:
shield: enabled: true authc: realms: file: type: file order: 0 native: type: native order: 1 active_directory: type: active_directory order: 2 domain_name: ldap.cinhtau.net url: ldaps://ldap.cinhtau.net:636 unmapped_groups_as_roles: false group_search.base_dn: "OU=Security,DC=cinhtau,DC=net" ssl: keystore: path: /home/tan/omega.jks password: 8eAx89lJ7 truststore: path: /home/tan/trust.jks password: 7k-LDPsbZs8d
If you don’t use mutual SSL, the URL should result to
ldap://ldap.cinhtau.net:389. Replace ldap.cinhtau.net with your ldap hostname. Pay attention, that I use a three level security model, usually it is not necessary to set the order to zero. The roles.yml should contain your permissions for all indices and kibana 4. See below the role devops which is sufficient as kibana 4 user.
devops: cluster: - monitor indices: - names: '*' privileges: - view_index_metadata - read - names: '.kibana*' privileges: - manage - read - index
The role_mapping.yml should contain the group or user cn, mapped to role devops.
# Role mapping configuration file which has elasticsearch roles as keys # that map to one or more user or group distinguished names #roleA: this is an elasticsearch role # - groupA-DN this is a group distinguished name # - groupB-DN # - user1-DN this is the full user distinguished name power_user: - "CN=vinh,OU=Development,DC=cinhtau,DC=net" devops: - "CN=ApplicationEngineering,OU=Zuerich,OU=File Systems,OU=Security,OU=Control Groups,DC=cinhtau,DC=net"
Add the logger to the logging.yml in the logging section:
Doing auth you will similar log messages
[2016-08-12 09:11:46,530][DEBUG][shield.authc.activedirectory] [zh2-lb] user not found in cache, proceeding with normal authentication [2016-08-12 09:11:46,573][DEBUG][shield.authc.activedirectory] [zh2-lb] found these groups [[CN=..] [2016-08-12 09:11:46,577][DEBUG][shield.authc.activedirectory] [zh2-lb] authenticated user [vinh], with roles [[devops, power_user]]