This topic describes how to configure Lightweight Directory Access Protocol (LDAP) for Alibaba Cloud Elasticsearch. This allows you to access Alibaba Cloud Elasticsearch by using LDAP with assigned roles.

Prerequisites

You have completed the following operations:

  • An Alibaba Cloud Elasticsearch cluster is created. In this example, Alibaba Cloud Elasticsearch V6.7 is used.

    For more information, see Create an Elasticsearch cluster.

  • SNAT entries are created in the NAT gateway.

    The Alibaba Cloud Elasticsearch cluster is deployed in a Virtual Private Cloud (VPC). To ensure communication between LDAP and Elasticsearch, you must configure the SNAT entries to connect the cluster to the Internet.

  • The LDAP environment and user data are prepared.

    For more information, see the LDAP official documentation.

Background information

Note the following points when you configure LDAP:

  • You cannot configure LDAP in Alibaba Cloud Elasticsearch by yourself. If you want to use LDAP to authenticate requests sent to your Alibaba Cloud Elasticsearch cluster, you must first create an on-premises Elasticsearch cluster whose version matches that of LDAP. Use the on-premises Elasticsearch cluster to run an authentication test. If LDAP runs normally, send the corresponding configuration to the Alibaba Cloud Elasticsearch technical engineer to configure LDAP for you. Otherwise, online services may be affected. Alibaba Cloud Elasticsearch does not provide a service-level agreement (SLA) for LDAP authentication.
  • You can only configure LDAP for single-zone clusters. Multi-zone clusters are not supported.

Configure LDAP

The following two modes are provided:
  • A user search mode
  • A mode where specific templates for distinguished names (DNs) of users are configured

The user search mode is more common. In this mode, a specific user that has permission to query the LDAP directory is used to search for the DN of the authenticating user, based on the provided username and an LDAP attribute. Once the DN is found, X-Pack authenticates the user by attempting to bind to the LDAP server with that DN and the provided password.

The following settings configure an LDAP realm in user search mode. Add them to the Elasticsearch YML file:

xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 2
xpack.security.authc.realms.ldap1.url: "ldap://49.100.XX.XX:389"
xpack.security.authc.realms.ldap1.bind_dn: "cn=Manager, dc=srv, dc=world"
xpack.security.authc.realms.ldap1.bind_password: es_password
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=People,dc=srv, dc=world"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=Group,dc=srv, dc=world"
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
The parameters are described as follows:
  • type: The type of the realm. This parameter must be set to ldap.
  • url: The URL and port of the LDAP server. ldap indicates that an unencrypted connection on port 389 is used. ldaps indicates that an SSL-encrypted connection on port 636 is used.
  • bind_dn: The DN of the user that is used to bind to LDAP and perform searches. This parameter is only valid in the user search mode.
  • bind_password: The password of the user that is used to bind to the LDAP directory.
  • user_search.base_dn: The container DN under which users are searched for.
  • group_search.base_dn: The container DN under which the groups that the user is a member of are searched for. When this parameter is not configured, Elasticsearch reads the attribute specified by user_group_attribute on the user entry to determine group membership.
  • unmapped_groups_as_roles: Default value: false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names.

For more information about the parameters, see Security settings in Elasticsearch.

Map roles to realm accounts

Run the following command to map the superuser (administrator) role to accounts whose usernames match lettie*:
POST _xpack/security/role_mapping/ldap_super_user?pretty
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "any": [
      {
        "field": {
          "username": "/lettie*/"
        }
      }
    ]
  }
}
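The realm settings above and this role mapping are what get handed to the engineer, so they are worth checking offline first. The following added example (not code from the page or from Alibaba Cloud) parses constructed copies of both, flags the settings a reviewer would object to (cleartext ldap://, the bind password in the YML file, unmapped groups becoming roles), and evaluates the mapping rule the way Elasticsearch does, treating a /.../ value as a whole-string Lucene regex; the secure_bind_password keystore setting and the user document shape are assumptions from the Elasticsearch security settings, not from this page.

```python
import re
# Constructed copies of the realm settings and role mapping shown on this page (not live values).
REALM_YML = """
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.url: "ldap://49.100.XX.XX:389"
xpack.security.authc.realms.ldap1.bind_dn: "cn=Manager, dc=srv, dc=world"
xpack.security.authc.realms.ldap1.bind_password: es_password
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=People,dc=srv, dc=world"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=Group,dc=srv, dc=world"
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
"""
ROLE_MAPPING = {"roles": ["superuser"], "enabled": True,
                "rules": {"any": [{"field": {"username": "/lettie*/"}}]}}

def parse_realm(yml, realm="ldap1"):
    """Collect the flat key/value settings of one realm from elasticsearch.yml text."""
    prefix = f"xpack.security.authc.realms.{realm}."
    settings = {}
    for line in yml.splitlines():
        if line.startswith(prefix):
            key, _, value = line[len(prefix):].partition(":")
            settings[key.strip()] = value.strip().strip('"')
    return settings

def lint_realm(settings):
    """Findings to raise before the settings are handed to the Alibaba Cloud engineer."""
    findings = []
    if settings.get("url", "").startswith("ldap://"):
        findings.append("ldap:// sends bind and user passwords in cleartext; use ldaps://")
    if "bind_password" in settings:
        findings.append("bind_password sits in the YML file; keep it in the keystore as secure_bind_password")
    if settings.get("unmapped_groups_as_roles") == "true":
        findings.append("unmapped_groups_as_roles=true turns every LDAP group name into a role")
    return findings

def rule_matches(rule, user):
    """Evaluate an 'any' or 'field' role-mapping rule against {'username': ..., 'groups': [...]}."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    (field, pattern), = rule["field"].items()
    values = [user[field]] if isinstance(user.get(field), str) else user.get(field, [])
    if pattern.startswith("/") and pattern.endswith("/"):
        # A /.../ value is a Lucene regex and must match the whole value, so "lettie*"
        # (letti + zero or more e) also matches "letti" but does not match "lettie_admin".
        return any(re.fullmatch(pattern[1:-1], v) for v in values)
    return pattern in values

def roles_for(mapping, user):
    """Roles the mapping grants to the user; [] when it is disabled or does not match."""
    return list(mapping["roles"]) if mapping["enabled"] and rule_matches(mapping["rules"], user) else []
```

Running lint_realm(parse_realm(REALM_YML)) on the page's settings reports the cleartext URL and the inline bind password; roles_for shows that the /lettie*/ rule grants superuser to letti as well as lettie, which is why a prefix mapping should be spelled out as /lettie.*/ if that is what is intended.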

Verify the authentication result

Run the following command to test with the authorized lettie account:
# curl -XGET -u lettie:<password> http://es-cn-v0h1****.public.elasticsearch.aliyuncs.com:9200/_cat/indices?v

Run the command again with the unauthorized cent account. The command output indicates that the cent account has insufficient permissions.