Elasticsearch:Use X-Pack to configure LDAP authentication

Last Updated: Nov 06, 2023

This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch cluster to allow LDAP users with the required roles to access the cluster.

Prerequisites

Before you begin, complete the following operations:

  • Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V6.7 cluster is used.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster.

  • Activate the LDAP service in the virtual private cloud (VPC) where the Elasticsearch cluster resides, and prepare user data. In this topic, OpenLDAP 2.4.44 is used.

    For more information, see Official LDAP documentation.

Precautions

The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:

  • If you want to connect a cluster that is deployed in the original network architecture to the Internet, you can use an ECS instance for which Source Network Address Translation (SNAT) is enabled or use an NGINX proxy to forward requests.

  • In the new network architecture, the LDAP authentication feature is limited. You can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect a cluster that is deployed in the new network architecture to the Internet, configure an NGINX proxy to forward requests.

  • In the original network architecture, only single-zone clusters support LDAP authentication.

Note

For more information about the network architecture, see [Notice] Network architecture adjustment.

Procedure

  1. Step 1: (Optional) Obtain the domain name of an endpoint

  2. Step 2: Configure LDAP authentication

  3. Step 3: Map the user to a role

  4. Step 4: Verify the result

Step 1: (Optional) Obtain the domain name of an endpoint

Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you must use the PrivateLink service to establish a private connection between the VPC of the service account and your VPC, and then obtain the domain name of the related endpoint for later use. To obtain the domain name of an endpoint, perform the following steps:

  1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.
  2. Configure the CLB instance.

    During the configuration, you must specify the LDAP server as the backend server and port 389 as the listening port.

    For more information, see Configure a private connection for an Elasticsearch cluster.

  3. Create an endpoint service.

    For more information, see Step 2: Create an endpoint service.

  4. Configure a private connection to the Elasticsearch cluster.
  5. Obtain the domain name of the endpoint that is used to access the endpoint service.

    For more information, see Configure a private connection for an Elasticsearch cluster.

    Note: Record the obtained domain name. It is used in subsequent configurations.

Step 2: Configure LDAP authentication

You can use X-Pack to configure LDAP authentication in the following modes:

  • User search mode

  • Distinguished name (DN) template-based mode

The user search mode is commonly used. In user search mode, X-Pack first binds to the LDAP directory as a dedicated user (bind_dn) that has permission to search the directory, and uses that binding to look up the DN of the user being authenticated. The search uses the username entered at login and the LDAP attribute in the search filter. After the DN is found, X-Pack attempts a second bind to the LDAP directory with that DN and the password entered by the user; if the bind succeeds, the user is authenticated. For more information, see Configure an LDAP realm.

The following sample configurations define an LDAP realm in user search mode. Add the configurations to the YML file of the Elasticsearch cluster. For more information, see Configure the YML file.

  • Configurations for Elasticsearch V6.7 clusters

    xpack.security.authc.realms.ldap1.type: ldap
    xpack.security.authc.realms.ldap1.order: 2
    xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
    xpack.security.authc.realms.ldap1.bind_dn: "cn=zhang lei,ou=support,dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
    xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
    xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
  • Configurations for Elasticsearch V7.10 clusters

    xpack.security.authc.realms.ldap.ldap1.order: 2
    xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
    xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=srd_artddffctory,ou=githab,ou=All Users,dc=motenta,dc=ai"
    xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword"
    xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
    xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false

The following parameters are used in the preceding configurations:

  • type: The type of the realm. You must set this parameter to ldap.

  • order: The priority of the realm. A smaller value indicates a higher priority. If you configure multiple realms, we recommend that you set this parameter. The realms are consulted in descending order of their priorities.

    Note: For Elasticsearch V8.X clusters, the value of this parameter must be unique across realms. We recommend that you set this parameter to 2.

  • url: The URL and port number that are used to connect to the LDAP server. ldap indicates an unencrypted connection on port 389. ldaps indicates an SSL/TLS-encrypted connection on port 636.

    Important: If your Elasticsearch cluster is deployed in the new network architecture, you must specify this parameter in the format <domain name of the endpoint>:<port number>. You can obtain the domain name of the endpoint by following Step 1: (Optional) Obtain the domain name of an endpoint. In this example, ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389 is used.

  • bind_dn: The DN of the user that X-Pack binds as to search the LDAP directory. This parameter is valid only in user search mode.

  • bind_password: The password of the bind_dn user.

  • user_search.base_dn: The container DN under which the user is searched for.

  • group_search.base_dn: The container DN under which the groups to which the user belongs are searched for. If you do not configure this parameter, Elasticsearch reads the attribute that is specified by the user_group_attribute parameter to determine the groups to which the user belongs.

  • unmapped_groups_as_roles: The default value of this parameter is false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names.

For more information about the parameters, see Security settings in Elasticsearch.
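As an added example (not code from this page, Alibaba Cloud or Elastic), the following Python parses realm settings in both the V6.7 key layout (type in a separate setting) and the V7.10 layout (type in the key path) shown above, converts one to the other, and runs the checks a reviewer would apply to the YML before deploying it. The sample settings, host, DNs and password are constructed placeholders.

```python
from typing import Dict, List

PREFIX = "xpack.security.authc.realms."
REALM_TYPES = {"ldap", "native", "file", "active_directory", "pki", "saml", "oidc", "kerberos"}

# Constructed sample in the V6.7 key style; host, DNs and password are placeholders.
SAMPLE_V6 = """
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 2
xpack.security.authc.realms.ldap1.url: "ldap://ldap.example.internal:389"
xpack.security.authc.realms.ldap1.bind_dn: "cn=svc-es,ou=support,dc=example,dc=com"
xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=support,dc=example,dc=com"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: true
"""

def parse_realms(text: str) -> Dict[str, Dict[str, str]]:
    """6.x puts the realm type in a 'type' setting; 7.x+ puts it in the key path."""
    realms: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX) or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; the url value has more
        parts = key[len(PREFIX):].split(".")
        if parts[0] in REALM_TYPES:  # 7.x+: realms.<type>.<name>.<setting>
            realm = realms.setdefault(parts[1], {"type": parts[0]})
            realm[".".join(parts[2:])] = value.strip().strip('"')
        else:                        # 6.x: realms.<name>.<setting>
            realms.setdefault(parts[0], {})[".".join(parts[1:])] = value.strip().strip('"')
    return realms

def to_v7_keys(realms: Dict[str, Dict[str, str]]) -> List[str]:
    """Emit the same realms in the 7.x+ layout used by the V7.10 sample above."""
    return [f'{PREFIX}{r["type"]}.{name}.{s}: "{v}"'
            for name, r in realms.items() for s, v in r.items() if s != "type"]

def lint_realm(name: str, r: Dict[str, str]) -> List[str]:
    """Checks a reviewer runs before deploying the YML: transport, bind, filter, roles."""
    findings = []
    if r.get("url", "").startswith("ldap://"):
        findings.append(f"{name}: ldap:// sends bind_password and user passwords unencrypted; use ldaps://")
    if ("bind_dn" in r) != ("bind_password" in r):
        findings.append(f"{name}: user search mode needs both bind_dn and bind_password")
    if "{0}" not in r.get("user_search.filter", "(uid={0})"):
        findings.append(f"{name}: user_search.filter lacks {{0}}, so the filter ignores the username")
    if r.get("unmapped_groups_as_roles", "false").lower() == "true":
        findings.append(f"{name}: unmapped_groups_as_roles=true turns every LDAP group name into a role; keep false")
    return findings
```

Running lint_realm over the sample reports the unencrypted ldap:// URL and unmapped_groups_as_roles: true; the page's own configurations keep the latter false.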

Step 3: Map the user to a role

  1. Log on to the Kibana console of your Elasticsearch cluster and go to the homepage of the Kibana console as prompted.
    For more information about how to log on to the Kibana console, see Log on to the Kibana console.
    Note: In this example, an Elasticsearch V6.7.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.
  2. In the left-side navigation pane of the page that appears, click Dev Tools.
  3. On the Console tab of the page that appears, run the following command to map every user whose username matches zhang* to the superuser (administrator) role:

    V8.X

    POST _security/role_mapping/ldap_super_user1?pretty
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "username": "zhang*"
            }
          }
        ]
      }
    }

    Other versions

    POST _xpack/security/role_mapping/ldap_super_user1?pretty
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "username": "zhang*"
            }
          }
        ]
      }
    }

    For more information, see Elastic versions.
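To see what a mapping matches before you apply it, the following added example (not code from this page or from Elastic) evaluates the role_mapping rule DSL offline. It checks the page's username-wildcard mapping beside a tighter one that also requires the ldap1 realm and membership in a group; the group DN and the two users are constructed values in the shape X-Pack hands to the role-mapping engine.

```python
import re
from typing import Any, Dict, List

def wildcard_match(pattern: str, value: str) -> bool:
    """Role-mapping field patterns treat '*' as a wildcard; everything else is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def field_rule(field: str, expected: Any, user: Dict[str, Any]) -> bool:
    """True if any expected pattern matches any value the user has for the field."""
    actual = user.get(field)
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    return any(a is not None and wildcard_match(str(e), str(a))
               for e in expected for a in actual)

def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Recursive evaluator for the any / all / except / field rule DSL."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        return all(field_rule(f, v, user) for f, v in rule["field"].items())
    raise ValueError(f"unsupported rule: {rule}")

def roles_for(mappings: List[Dict[str, Any]], user: Dict[str, Any]) -> List[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for m in mappings:
        if m.get("enabled", True) and rule_matches(m["rules"], user):
            roles.update(m["roles"])
    return sorted(roles)

# The page's mapping (username wildcard only) beside a tighter one that also
# requires the ldap1 realm and a group; the group DN is a constructed value.
PAGE_MAPPING = {"roles": ["superuser"], "enabled": True,
                "rules": {"any": [{"field": {"username": "zhang*"}}]}}
TIGHT_MAPPING = {"roles": ["superuser"], "enabled": True,
                 "rules": {"all": [{"field": {"realm.name": "ldap1"}},
                                   {"field": {"groups": "cn=es-admins,ou=support,dc=example,dc=com"}}]}}

# Constructed LDAP users: one in the admin group, one that only matches the wildcard.
ZHANG = {"username": "zhang lei", "realm.name": "ldap1",
         "groups": ["cn=es-admins,ou=support,dc=example,dc=com"]}
ZHANGSAN = {"username": "zhangsan", "realm.name": "ldap1", "groups": []}
```

With the page's mapping both users receive superuser, because the wildcard alone decides; with the tighter mapping only the group member does.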

Step 4: Verify the result

  1. Log on to the Kibana console of the Elasticsearch cluster as an LDAP user whose username matches zhang*.

    (Figure: Log on to Kibana)
  2. In the left-side navigation pane of the page that appears, click Dev Tools.
  3. On the Console tab of the page that appears, run the following command to check whether the zhang* user has permissions to modify the settings of the cluster:

    PUT _cluster/settings
    {
      "persistent": {
        "action.auto_create_index": true
      }
    }

    If the request is acknowledged, that is, the response contains "acknowledged": true, the user has permissions to modify the settings of the cluster. (Figure: Returned result)