This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch cluster to allow LDAP users with the required roles to access the cluster.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created. In this example, an Elasticsearch V6.7 cluster is used.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster.

  • The LDAP service is activated in the VPC where the Elasticsearch cluster resides, and user data is prepared. In this topic, OpenLDAP 2.4.44 is used.

    For more information, see Official LDAP documentation.

Precautions

The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:

  • Clusters that are created before October 2020 are deployed in the original network architecture. In this architecture, clusters are deployed in the VPCs that are created by users. If you want a cluster that is deployed in this architecture to access the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.
  • Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. In this network architecture, the LDAP authentication feature is limited. To resolve this issue, you can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect such a cluster to the Internet, configure an NGINX proxy to forward requests.
  • In the original network architecture, only single-zone Elasticsearch clusters support LDAP authentication. In the new network architecture, both single-zone and multi-zone Elasticsearch clusters support LDAP authentication if you use the PrivateLink service.

Procedure

  1. Step 1: (Optional) Obtain the domain name of an endpoint
  2. Step 2: Configure LDAP authentication
  3. Step 3: Map the user to a role
  4. Step 4: Verify the result

Step 1: (Optional) Obtain the domain name of an endpoint

Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between the VPC and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:

  1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.
  2. Configure the CLB instance.
    During the configuration, you must specify the LDAP server as the backend server and port 389 as the listening port.

    For more information, see Step 2: Configure the CLB instance.

  3. Create an endpoint service.

    For more information, see Step 3: Create an endpoint service.

  4. Configure a private connection to the Elasticsearch cluster.
  5. Obtain the domain name of the endpoint that is used to access the endpoint service.

    For more information, see View the domain name of an endpoint.

    Note Record the obtained domain name, which will be used in subsequent configurations.

Step 2: Configure LDAP authentication

You can use X-Pack to configure LDAP authentication in the following modes:
  • User search mode
  • Distinguished name (DN) template-based mode

The user search mode is commonly used. In user search mode, a user who has permissions to query the LDAP directory is used to search for the DN of a user who you want to authenticate. The search is performed based on the username and LDAP attribute that are provided by X-Pack. After the DN of the user is found, X-Pack attempts to bind the user to the LDAP directory by using the DN and the related password to authenticate the user. For more information, see Configure an LDAP realm.

The following sample code provides the mapping configurations that are required by LDAP to manage a DN. You must add the configurations to the YML file of the Elasticsearch cluster. For more information, see Configure the YML file.
  • Configurations for Elasticsearch V6.7 clusters
    xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.order: 0
xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
xpack.security.authc.realms.ldap1.bind_dn: "cn=zhang lei,ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
xpack.security.authc.realms.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
  • Configurations for Elasticsearch V7.10 clusters
    xpack.security.authc.realms.ldap.ldap1.order: 0
xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=srd_artddffctory,ou=githab,ou=All Users,dc=motenta,dc=ai"
xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword"
xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "ou=support,dc=yaobili,dc=com"
xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false
Parameter Description
type The type of the realm. You must set this parameter to ldap.
order The priority of the realm. A small value indicates a high priority. If you want to specify multiple realms, we recommend that you configure this parameter. The realms are accessed in descending order of their priorities.
url The URL and port number that are used to connect to the LDAP server. ldap indicates that a common connection and port 389 are used. ldaps indicates that an SSL-encrypted connection and port 636 are used.
Notice If your Elasticsearch cluster is deployed in the new network architecture, you must specify a value for this parameter in the format of Domain name of the endpoint:Port number. You can obtain the domain name of the endpoint based on the instructions in Step 1: (Optional) Obtain the domain name of an endpoint. In this example, ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389 is used.
bind_dn The DN of the user who you want to search for and bind to the LDAP directory. This parameter is valid only in user search mode.
bind_password The password of the user.
user_search.base_dn The container DN that is used to search for the user.
group_search.base_dn The container DN that is used to search for the group to which the user belongs. If you do not configure this parameter, Elasticsearch searches for the attribute that is specified by the user_group_attribute parameter to determine the group to which the user belongs.
unmapped_groups_as_roles The default value of this parameter is false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names.

For more information about the parameters, see Security settings in Elasticsearch.

Step 3: Map the user to a role

  1. Log on to the Kibana console of your Elasticsearch cluster and go to the homepage of the Kibana console as prompted.
    For more information about how to log on to the Kibana console, see Log on to the Kibana console.
    Note In this example, an Elasticsearch V6.7.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.
  2. In the left-side navigation pane of the page that appears, click Dev Tools.
  3. On the Console tab of the page that appears, run the following command to map the zhang* user to the administrator role: 
    POST _xpack/security/role_mapping/ldap_super_user1?pretty
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "any": [
      {
        "field": {
          "username": "zhang*"
        }
      }
    ]
  }
}

Step 4: Verify the result

  1. Log on to the Kibana console of the Elasticsearch cluster by using the zhang* user.
    Log on to the Kibana console
  2. In the left-side navigation pane of the page that appears, click Dev Tools.
  3. On the Console tab of the page that appears, run the following command to check whether the zhang* user has permissions to modify the configuration of the cluster: 
    PUT _cluster/settings
{
  "persistent": {
    "action.auto_create_index": true
  }
}
    If the result shown in the following figure is returned, the user has permissions to modify the configuration of the cluster. Command output