This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for Alibaba Cloud Elasticsearch to allow LDAP users with the required roles to access Alibaba Cloud Elasticsearch.

Precautions

Since October 2020, the network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted. The adjustment has the following impacts on clusters:

  • Clusters that are created before October 2020 are deployed in the original network architecture. In this architecture, clusters are deployed in the VPCs that are created by users. If you want to access a cluster that is deployed in the original network architecture over the Internet, you can use an ECS instance that is configured with SNAT or use an NGINX proxy to forward requests.
  • Alibaba Cloud Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. If you want to perform LDAP authentication in an Elasticsearch cluster that is created in October 2020 or later, you must use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want a cluster that is deployed in the new network architecture to access the Internet, configure an NGINX proxy to forward requests.
  • In the original network architecture, only single-zone Elasticsearch clusters support LDAP authentication. In the new network architecture, both single-zone and multi-zone Elasticsearch clusters support LDAP authentication if you use the PrivateLink service.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created. In this topic, a V6.7.0 cluster is used.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster.

  • A private connection is configured for the Elasticsearch cluster if the cluster is deployed in the new network architecture. To configure a private connection for an Elasticsearch cluster, perform the following steps:
    1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the Elasticsearch cluster. For more information, see Step 1: Create a CLB instance that supports PrivateLink.
    2. Configure the CLB instance. For more information, see Step 2: Configure the CLB instance.
      Note You must add the Elastic Compute Service (ECS) instance for which LDAP is configured to the CLB instance as a backend server. In this topic, port 389 is used as the listening port.
    3. Create an endpoint service. For more information, see Step 3: Create an endpoint service.
    4. Configure a private connection to the Elasticsearch cluster. For more information, see Step 4: Configure a private connection to the Elasticsearch cluster.
    5. Obtain the domain name of the endpoint that is used to access the endpoint service. For more information, see View the domain name of an endpoint.
  • The LDAP service is activated in the VPC where the Elasticsearch cluster resides. In this topic, OpenLDAP 2.4.44 is used.
  • The LDAP environment and user data are prepared.

    For more information, see Official LDAP documentation.

Configure LDAP authentication

You can use X-Pack to configure LDAP authentication in the following modes:
  • User search mode
  • Distinguished name (DN) template-based mode

The user search mode is commonly used. In user search mode, a user who has permissions to query the LDAP directory (the bind user) searches for the DN of the user who you want to authenticate. The search is performed based on the username that is provided to X-Pack and the LDAP attribute that is configured in the search filter. After the DN of the user is found, X-Pack attempts to bind to the LDAP directory by using that DN and the password that the user provided; if the bind succeeds, the user is authenticated. For more information, see Configure an LDAP realm.

The following sample configuration defines an LDAP realm named ldap1 that uses user search mode. You must add the settings to the YML file of the Elasticsearch cluster.

# LDAP realm in user search mode (Elasticsearch 6.x realm setting format)
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 0
# Domain name and port of the LDAP server; a PrivateLink endpoint domain name in the new network architecture
xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
# Account that binds to the directory and performs the user search
xpack.security.authc.realms.ldap1.bind_dn: "cn=zhang lei,ou=support,dc=yaobili,dc=com"
# Password of the bind user, stored in plain text here; the Elasticsearch keystore setting secure_bind_password keeps it out of the YML file
xpack.security.authc.realms.ldap1.bind_password: 123456
# Subtree that is searched for users; {0} in the filter is replaced with the username that the user enters
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
# Subtree that is searched for the groups to which the user belongs
xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
# Do not use the names of unmapped LDAP groups directly as role names
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
Parameter descriptions:

  • type: The type of the realm. You must set this parameter to ldap.
  • url: The URL and port number that are used to connect to the LDAP server. The ldap scheme indicates a plain (unencrypted) connection on port 389. The ldaps scheme indicates an SSL-encrypted connection on port 636.
    Note If your Elasticsearch cluster is deployed in the new network architecture, you must specify this parameter in the format Domain name of the endpoint:Port number. In this example, ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389 is used.
  • bind_dn: The DN of the user that binds to the LDAP directory and searches for the user who you want to authenticate. This parameter is valid only in user search mode.
  • bind_password: The password of the bind user.
  • user_search.base_dn: The container DN under which users are searched for.
  • group_search.base_dn: The container DN under which the groups to which the user belongs are searched for. If you do not specify this parameter, Elasticsearch reads the attribute that is specified by the user_group_attribute parameter to determine the groups to which the user belongs.
  • unmapped_groups_as_roles: The default value of this parameter is false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names.

After you add the preceding configurations, click OK to restart the cluster. For more information about the parameters, see Security settings in Elasticsearch.

Map roles to realm accounts

Run the following command to map the superuser role to every LDAP account whose username matches the zhang* pattern:
POST _xpack/security/role_mapping/ldap_super_user1?pretty
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "any": [
      {
        "field": {
          "username": "zhang*"
        }
      }
    ]
  }
}

Verify results

Log on to the Kibana console of the Elasticsearch cluster by using the zhang lei account to which the required role is mapped.
(Figure: Log on to the Kibana console)
Run the following command:
PUT _cluster/settings
{
  "persistent": {
    "action.auto_create_index": true
  }
}
If the result shown in the following figure is returned, the account has the required permissions.
(Figure: Command output)