
Elasticsearch:Integrate X-Pack with LDAP authentication

Last Updated: Jun 21, 2026

This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch instance. This allows LDAP users with assigned roles to access the instance.

Prerequisites

Complete the following prerequisites:

  • Create an Alibaba Cloud Elasticsearch instance. This topic uses an instance of version 6.7 as an example.

    For more information, see Create an Alibaba Cloud Elasticsearch instance.

  • Set up an LDAP service and user data in the same VPC as your Alibaba Cloud Elasticsearch instance. This topic uses OpenLDAP 2.4.44 as an example.

    For details, see the official LDAP documentation. In the example LDAP data used in this topic, viewed in phpLDAPadmin, the root node of the directory tree is dc=yaobili,dc=com, and it contains multiple organizational units (ou) and user entries (cn).

    Configuration by organizational unit (ou) is not supported. Only cn and group are supported.

Usage notes

Since October 2020, Alibaba Cloud Elasticsearch has adjusted its network architecture in different regions. This change affects newly created instances:

  • For instances created on the old network architecture, you can use SNAT or a self-managed NGINX proxy to access the internet.

  • For instances created on the new network architecture, network restrictions apply to the LDAP feature. You can use PrivateLink to establish a private connection between VPCs. For more information about how to configure PrivateLink, see Configure a private connection for an instance. If you need to access the internet, you must configure an NGINX proxy to forward requests.

  • For instances created on the old network architecture, Alibaba Cloud Elasticsearch supports LDAP authentication only in a single availability zone.

Note

For more information about the network architecture, see [Notice] Network architecture adjustment.

Procedure

  1. Step 1: Obtain an endpoint domain name (optional)

  2. Step 2: Configure LDAP authentication

  3. Step 3: Map LDAP user accounts to roles

  4. Step 4: Verify the results

Step 1: Obtain an endpoint domain name (optional)

Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between the VPC of the Elasticsearch service account and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:

  1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.

    For more information, see Configure a PrivateLink connection.

  2. Configure the load balancer instance.

    When configuring the instance, set the server that hosts your LDAP service as a backend server and the listener port to 389.

    For more information, see Configure a PrivateLink connection.

  3. Create an endpoint service.

    For more information, see Configure a PrivateLink connection.

  4. Configure a private connection to the Elasticsearch cluster.

    For more information, see Configure a PrivateLink connection.

  5. Obtain the domain name of the endpoint that is used to access the endpoint service.

    For more information, see Configure a PrivateLink connection.

    Note Record the obtained domain name, which will be used in subsequent configurations.

Step 2: Configure LDAP authentication

You can configure LDAP authentication for X-Pack in one of the following two modes:

  • user search mode

  • DN template mode

The user search mode is the most common method. In this mode, a privileged user searches the LDAP directory for the distinguished name (DN) of the user being authenticated. The search uses the username received by X-Pack and an LDAP attribute filter. After finding the DN, X-Pack binds to the directory with the DN and password to authenticate the user. For more information, see Configure an LDAP realm.

The following examples show how to configure the LDAP realm and the LDAP management DN (bind_dn) that it uses for user searches. You must add the required configuration to the Elasticsearch YML file. For more information, see Configure YML parameters. The configuration varies based on the version of your Alibaba Cloud Elasticsearch instance.

  • Version 6.7

    xpack.security.authc.realms.ldap1.type: ldap
    xpack.security.authc.realms.ldap1.order: 2
    xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
    xpack.security.authc.realms.ldap1.bind_dn: "admin@yaobili.com"
    xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
    xpack.security.authc.realms.ldap1.user_search.base_dn: "dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
    xpack.security.authc.realms.ldap1.group_search.base_dn: "dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false

  • Version 7.10 and later

    xpack.security.authc.realms.ldap.ldap1.order: 2
    xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
    xpack.security.authc.realms.ldap.ldap1.bind_dn: "admin@yaobili.com"
    xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword"
    xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
    xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "dc=yaobili,dc=com"
    xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false

The parameters in the preceding configuration are described as follows:

  • type: The realm type. This parameter must be set to ldap.

  • order: The priority of the realm. A smaller value indicates a higher priority. If you specify multiple realms in your configuration, we recommend that you configure this parameter. The system first accesses the realm with the smaller order value.

    Note: For version 8.x, the order value must be unique. We recommend that you set the value to 2.

  • url: The URL and port of the LDAP server. The ldap protocol indicates an unencrypted connection on port 389. The ldaps protocol indicates a secure connection over SSL on port 636.

    Important: For the new network architecture, you must set this parameter in the format endpoint domain name:port. You can obtain the endpoint domain name in Step 1: Obtain an endpoint domain name (optional). This topic uses ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389 as an example.

  • bind_dn: The DN of the user that is used to bind to LDAP and perform searches. This parameter applies only to the user search mode.

  • bind_password: The password of the user that is used to bind to the LDAP directory.

  • user_search.base_dn: The container DN for user searches.

  • group_search.base_dn: The container DN used to search for the groups to which a user belongs. If this parameter is not specified, Elasticsearch reads the attribute specified by user_group_attribute to determine group membership.

  • unmapped_groups_as_roles: The default value is false. If this parameter is set to true, the names of any unmapped LDAP groups are used as role names and assigned to the user.

For more information about the parameters, see Security settings in Elasticsearch.

Step 3: Map LDAP user accounts to roles

  1. Log on to the Kibana console of your Elasticsearch cluster.

    For instructions, see Log on to the Kibana console.

    Note

    Examples here use Elasticsearch V6.7.0. Operations may vary slightly for other versions.

  2. In the left-side navigation pane, click Developer Tools.

  3. In the Console, run the following command to map LDAP users matching zhang* to the superuser role.

    Version 8.x

    POST _security/role_mapping/ldap_super_user1?pretty
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "username": "zhang*"
            }
          }
        ]
      }
    }

    Other versions

    POST _xpack/security/role_mapping/ldap_super_user1?pretty
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "username": "zhang*"
            }
          }
        ]
      }
    }

    For more information, see the documentation for your Elasticsearch version.
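As an added example (not Alibaba Cloud's or Elastic's code), the following Python models the user search flow described in Step 2 and the zhang* role mapping from Step 3 against a constructed in-memory copy of the dc=yaobili,dc=com tree. The entry DNs, the passwords and the bind_dn value cn=admin,dc=yaobili,dc=com are assumptions, and the filter value escaping shows why the username must be matched literally rather than as filter syntax.

```python
"""Walk-through of X-Pack's LDAP user search mode plus role mapping.

Added illustration, not Alibaba Cloud or Elastic code. DIRECTORY is a
constructed in-memory stand-in for the dc=yaobili,dc=com tree; REALM mirrors
the page's YML settings and ROLE_MAPPINGS mirrors its zhang* -> superuser rule.
"""
import fnmatch

# Constructed sample entries: DN -> attributes (passwords are placeholders).
DIRECTORY = {
    "cn=admin,dc=yaobili,dc=com": {"cn": "admin", "userPassword": "adminPass"},
    "cn=zhangsan,ou=dev,dc=yaobili,dc=com": {"cn": "zhangsan", "userPassword": "s3cret"},
    "cn=lisi,ou=dev,dc=yaobili,dc=com": {"cn": "lisi", "userPassword": "hunter2"},
}
REALM = {"bind_dn": "cn=admin,dc=yaobili,dc=com", "bind_password": "adminPass",
         "base_dn": "dc=yaobili,dc=com", "filter": "(cn={0})"}
ROLE_MAPPINGS = [{"roles": ["superuser"], "username": "zhang*"}]

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def escape_filter_value(value):
    """RFC 4515 escaping: the username is matched literally, never as filter syntax."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def user_search(username, escape=True):
    """Step 1: the bind_dn account looks up the DN of the presented username."""
    if not bind(REALM["bind_dn"], REALM["bind_password"]):
        raise RuntimeError("bind_dn credentials rejected")
    value = escape_filter_value(username) if escape else username
    # Only the page's "(attr={0})" filter shape is modelled here.
    attr, _, pattern = REALM["filter"].replace("{0}", value).strip("()").partition("=")
    # A raw '*' is an LDAP wildcard; the escaped form '\2a' only matches a literal '*'.
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(REALM["base_dn"])
            and fnmatch.fnmatchcase(escape_filter_value(attrs.get(attr, "")), pattern)]
    return hits[0] if len(hits) == 1 else None  # exactly one match is required

def authenticate(username, password, escape=True):
    """Steps 1 and 2: find the DN, bind as the user, then apply the role mappings."""
    dn = user_search(username, escape)
    if dn is None or not bind(dn, password):
        return None  # unknown user, ambiguous search, or wrong password
    return [role for m in ROLE_MAPPINGS
            if fnmatch.fnmatchcase(username, m["username"]) for role in m["roles"]]
```

With escaping on, a login name such as zhang* finds no entry and authentication fails, whereas lisi authenticates but receives no roles because no mapping rule matches.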

Step 4: Verify the results

  1. Log on to the Kibana console of your Alibaba Cloud Elasticsearch instance as an authorized zhang* user.

  2. In the left-side navigation pane, click Developer Tools.

  3. In the Console, run the following command to verify that the zhang* user has the permissions to modify cluster settings.

    PUT _cluster/settings
    {
      "persistent": {
        "action.auto_create_index": true
      }
    }

    A successful command returns the following response:

    {
      "acknowledged" : true,
      "persistent" : {
        "action" : {
          "auto_create_index" : "true"
        }
      },
      "transient" : { }
    }