This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch cluster to allow LDAP users with the required roles to access the cluster.
Prerequisites
- An Alibaba Cloud Elasticsearch cluster is created. In this example, an Elasticsearch V6.7 cluster is used. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
- The LDAP service is activated in the VPC where the Elasticsearch cluster resides, and user data is prepared. In this topic, OpenLDAP 2.4.44 is used. For more information, see Official LDAP documentation.
Precautions
The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:
- Clusters that are created before October 2020 are deployed in the original network architecture. In this architecture, clusters are deployed in the VPCs that are created by users. If you want a cluster that is deployed in this architecture to access the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.
- Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. In this network architecture, the LDAP authentication feature is limited. To resolve this issue, you can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect such a cluster to the Internet, configure an NGINX proxy to forward requests.
- In the original network architecture, only single-zone Elasticsearch clusters support LDAP authentication. In the new network architecture, both single-zone and multi-zone Elasticsearch clusters support LDAP authentication if you use the PrivateLink service.
Procedure
Step 1: (Optional) Obtain the domain name of an endpoint
Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you must use the PrivateLink service to establish a private connection between that VPC and your own VPC, and then obtain the domain name of the related endpoint for later use. To obtain the domain name of an endpoint, perform the following steps:
Step 2: Configure LDAP authentication
X-Pack supports the following LDAP authentication modes:
- User search mode
- Distinguished name (DN) template-based mode
The user search mode is the commonly used one. In user search mode, an account that has permission to query the LDAP directory is used to search for the DN of the user who you want to authenticate. The search is performed based on the username and the LDAP attribute that are provided by X-Pack. After the DN of the user is found, X-Pack attempts to bind to the LDAP directory with that DN and the password supplied by the user; a successful bind authenticates the user. For more information, see Configure an LDAP realm.
- Configurations for Elasticsearch V6.7 clusters

```yaml
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 0
xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
xpack.security.authc.realms.ldap1.bind_dn: "cn=zhang lei,ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
```

- Configurations for Elasticsearch V7.10 clusters (the realm type is part of the setting key, so no separate `type` setting is needed)

```yaml
xpack.security.authc.realms.ldap.ldap1.order: 0
xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=srd_artddffctory,ou=githab,ou=All Users,dc=motenta,dc=ai"
xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword"
xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false
```
| Parameter | Description |
|---|---|
| type | The type of the realm. You must set this parameter to ldap. |
| order | The priority of the realm. A smaller value indicates a higher priority. If you want to specify multiple realms, we recommend that you configure this parameter. Realms are consulted in order of priority, highest first. |
| url | The URL and port number that are used to connect to the LDAP server. ldap indicates a plain connection on port 389. ldaps indicates an SSL-encrypted connection on port 636. Notice: If your Elasticsearch cluster is deployed in the new network architecture, you must specify a value for this parameter in the format `Domain name of the endpoint:Port number`. You can obtain the domain name of the endpoint based on the instructions in Step 1: (Optional) Obtain the domain name of an endpoint. In this example, `ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389` is used. |
| bind_dn | The DN of the account that Elasticsearch binds to the LDAP directory with in order to search for the user who is being authenticated. This parameter is valid only in user search mode. |
| bind_password | The password of the bind_dn account. |
| user_search.base_dn | The container DN under which the user is searched for. |
| group_search.base_dn | The container DN under which the groups to which the user belongs are searched for. If you do not configure this parameter, Elasticsearch reads the attribute that is specified by the user_group_attribute parameter to determine the groups to which the user belongs. |
| unmapped_groups_as_roles | The default value of this parameter is false. If you set this parameter to true, the names of LDAP groups that have no role mapping are used as role names. |
For more information about the parameters, see Security settings in Elasticsearch.
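The following is an added example (not Alibaba Cloud's or Elastic's code) that simulates user search mode offline: it takes the V6.7 realm settings above, binds as `bind_dn`, substitutes the username into `user_search.filter`, binds as the matched user, and then resolves groups to roles, honouring `unmapped_groups_as_roles`. The directory entries, the `es_admins`/`oncall` groups and the `ROLE_MAPPING` are constructed for the demo; the filter escaping follows RFC 4515 so that a username cannot change the shape of the search filter.

```python
import re

# Added example (not Alibaba Cloud's or Elastic's code): an offline simulation of
# X-Pack's LDAP "user search" mode against a constructed in-memory directory.
REALM = {  # values from the V6.7 realm settings above, without the key prefix
    "bind_dn": "cn=zhang lei,ou=support,dc=yaobili,dc=com",
    "bind_password": "yourPassword",
    "user_search.base_dn": "ou=support,dc=yaobili,dc=com",
    "user_search.filter": "(cn={0})",
    "group_search.base_dn": "ou=support,dc=yaobili,dc=com",
    "unmapped_groups_as_roles": False,
}
DIRECTORY = {  # constructed directory: DN -> attributes; clear-text passwords are demo-only
    "cn=zhang lei,ou=support,dc=yaobili,dc=com": {"cn": "zhang lei", "userPassword": "yourPassword"},
    "cn=alice,ou=support,dc=yaobili,dc=com": {"cn": "alice", "userPassword": "s3cret"},
    "cn=bob,ou=eng,dc=yaobili,dc=com": {"cn": "bob", "userPassword": "pw"},  # outside base_dn
    "cn=es_admins,ou=support,dc=yaobili,dc=com": {"member": ["cn=alice,ou=support,dc=yaobili,dc=com"]},
    "cn=oncall,ou=support,dc=yaobili,dc=com": {"member": ["cn=alice,ou=support,dc=yaobili,dc=com"]},
}
ROLE_MAPPING = {"cn=es_admins,ou=support,dc=yaobili,dc=com": ["superuser"]}  # hypothetical mapping

def escape_filter_value(value):
    """RFC 4515 escaping, so a username cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def bind(dn, password):
    """Simple bind: succeeds only for an existing entry with a matching password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def search(base_dn, filt):
    """Subtree search with a minimal '(attr=value)' filter evaluator."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    wildcard = value == "*"  # a raw '*' is a presence filter; '\2a' is a literal asterisk
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base_dn) and attr in e and (wildcard or e[attr] == value)]

def authenticate(username, password, realm=REALM):
    """Return the user's roles, or None when any step of user search mode fails."""
    if not bind(realm["bind_dn"], realm["bind_password"]):
        return None  # bind_dn / bind_password rejected
    filt = realm["user_search.filter"].replace("{0}", escape_filter_value(username))
    matches = search(realm["user_search.base_dn"], filt)
    if len(matches) != 1 or not bind(matches[0], password):
        return None  # user not found, ambiguous, or wrong password
    groups = [dn for dn, e in DIRECTORY.items()
              if dn.endswith("," + realm["group_search.base_dn"]) and matches[0] in e.get("member", [])]
    roles = [r for g in groups for r in ROLE_MAPPING.get(g, [])]
    if realm["unmapped_groups_as_roles"]:
        roles += [g for g in groups if g not in ROLE_MAPPING]
    return sorted(set(roles))
```

A user outside `user_search.base_dn` (bob) is rejected even with the right password, and a username of `*` is escaped to `\2a` and matches nothing, whereas an unescaped `(cn=*)` would return every user under the base DN.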