
Elastic 7.6.2 - LDAP Realm


Configuring a LDAP realm along with the native.


This is a short how-to guide on adding an LDAP realm to an Elasticsearch 7.6.2 cluster.

Realms

A realm is a concept familiar to IDAM professionals. In simple words, it is a system that authenticates and authorizes an incoming request. It defines the entity USER, which includes at a bare minimum (but is not limited to):

  • A unique name, which can be queried
  • A password, which can be validated
  • Roles that define its access privileges for the resources it is mapped to

The official documentation is available here.

Prerequisites

To begin with, have a local LDAP instance configured. In my case I am using OpenLDAP configured on a CentOS 7.0 machine, ldap.myserver.com.

Plain Text

netstat -antup | grep slapd

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      216270/slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      216270/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      216270/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      216270/slapd



My Elasticsearch cluster is set up as follows.

HTTP
 







The master node is `node2.elasticsearch.node`.

To manage my LDAP directory I connect with JXplorer, a free tool. The connection settings are as follows:

Plain Text
 







I have pre-configured a few users and groups. The LDIF looks as follows:

Plain Text







I have security enabled on my Elasticsearch cluster, with SSL communication as well (using self-signed certificates).

Elasticsearch Configuration

YAML







As you can see, the order for secldap is `1`; as a result, if the same user exists in both realms (native and LDAP), the request is checked against the native realm first.

YAML







I have disabled SSL certificate verification here; if you have added the CA certificate, you can simply leave verification enabled. With this, LDAP is integrated with Elasticsearch: once the nodes are restarted, the realm is available to be evaluated against.

At the moment there is no role mapping defined, so let me first create a `user` role in Kibana.

Let's use the role_mapping API to define a mapping:

HTTP







I have defined a mapping that adds the role `user` to any user in LDAP.

If the call is successful it should return:

JSON

{
  "role_mapping" : {
    "created" : true
  }
}

Now let's use the _authenticate API for a non-existent user, user4, which we will soon add to LDAP.

HTTP







As expected the user is denied access.

Let's add the user to LDAP, but not as a member of any group.

I have added user4 with password admin. Let's try access again.

HTTP







You can see the added user successfully authenticates, and has no LDAP group membership. How about adding the group membership and a role mapping in role_mapping.yml?

YAML







Once added, let's call the _authenticate API again.

HTTP







If you do not see the group membership, clear the realm cache; cached entries are usually valid for 20 minutes.

HTTP







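To make the behaviour seen in the steps above concrete (native realm tried before secldap, roles for LDAP users coming only from role mappings, and group changes invisible until the realm cache expires or is cleared), here is an added Python model; it is neither Elasticsearch's code nor from this post. The sample users, the group DNs, the rule evaluation and the cache keyed on realm and uid are assumptions of this model.

```python
import fnmatch

# Constructed sample data (hypothetical; not the cluster or directory from the post).
NATIVE_USERS = {"elastic": {"password": "changeme", "roles": ["superuser"]}}
LDAP_USERS = {}      # uid -> {"password": str, "groups": [group DNs]}; populated by the caller
# Realm chain mirroring the post's elasticsearch.yml: native (order 0) is tried before
# secldap (order 1); the LDAP realm caches results for 20 minutes.
REALMS = [{"name": "native", "order": 0}, {"name": "secldap", "order": 1, "cache_ttl": 20 * 60}]
ROLE_MAPPINGS = {}   # mapping name -> {"roles": [...], "rules": {...}}
_cache = {}          # (realm name, uid) -> (expires_at, group DNs)

def put_role_mapping(name, roles, rules):   # stand-in for PUT _security/role_mapping/<name>
    ROLE_MAPPINGS[name] = {"roles": list(roles), "rules": rules}
    return {"role_mapping": {"created": True}}

def clear_realm_cache(realm_name):          # stand-in for POST _security/realm/<realm>/_clear_cache
    for key in [k for k in _cache if k[0] == realm_name]:
        del _cache[key]

def _rule_matches(rule, info):
    """Evaluate one role-mapping rule object (field / any / all / except) against user attributes."""
    if "field" in rule:
        (field, pattern), = rule["field"].items()
        return any(fnmatch.fnmatchcase(v, pattern) for v in info.get(field, []))
    if "any" in rule:
        return any(_rule_matches(r, info) for r in rule["any"])
    if "except" in rule:
        return not _rule_matches(rule["except"], info)
    return all(_rule_matches(r, info) for r in rule["all"])

def _ldap_groups(realm, uid, password, now):
    """Bind as the user; group membership is served from the realm cache while its TTL holds."""
    entry = LDAP_USERS.get(uid)
    if entry is None or entry["password"] != password:
        return None                                     # bind failed
    key = (realm["name"], uid)
    if key not in _cache or _cache[key][0] <= now:      # miss or expired: query LDAP again
        _cache[key] = (now + realm["cache_ttl"], list(entry["groups"]))
    return _cache[key][1]                               # otherwise stale until TTL or clear

def authenticate(uid, password, now):
    """Walk the realm chain by `order`; return an _authenticate-style dict, or None (HTTP 401)."""
    for realm in sorted(REALMS, key=lambda r: r["order"]):
        if realm["name"] == "native":                   # native users carry their roles directly
            user = NATIVE_USERS.get(uid)
            if user and user["password"] == password:
                return {"username": uid, "roles": user["roles"], "authentication_realm": "native"}
            continue
        groups = _ldap_groups(realm, uid, password, now)
        if groups is not None:                          # LDAP users only get roles via mappings
            info = {"username": [uid], "groups": groups, "realm.name": [realm["name"]]}
            roles = sorted({r for m in ROLE_MAPPINGS.values() if _rule_matches(m["rules"], info) for r in m["roles"]})
            return {"username": uid, "roles": roles, "authentication_realm": realm["name"]}
    return None
```

Adding user4 to a group in LDAP while an entry is cached leaves the roles unchanged until `clear_realm_cache("secldap")` is called or the TTL passes, which is the effect the post describes.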
This brings us to the end of the blog. In summary, I showed how easy it is to configure the realm and, once the cluster is restarted, to add role mappings using the API or role_mapping.yml. In case of questions, please feel free to drop comments.


-- THE - END --

Topics:
elasticsearch, integration, openldap, realms, tutorial
