Elastic 7.6.2 - LDAP Realm
Configuring an LDAP realm alongside the native realm.
This is a short how-to guide on adding an LDAP realm to an Elasticsearch 7.6.2 cluster.
A realm is a concept familiar to IDAM professionals. In simple words, it is a system that authenticates and authorizes an incoming request. It defines the entity USER, which at a bare minimum (but not limited to) includes:
- A unique name, which can be queried upon
- A password, which can be validated
- Roles that define its access privileges for the resources it is mapped to
The official documentation is available here.
To begin with, have a local LDAP instance configured. In my case I am using OpenLDAP on a CentOS 7.0 machine, ldap.myserver.com.
My Elasticsearch cluster is set up as follows.
The master node is `node2.elasticsearch.node`.
To manage LDAP I connect with JXplorer, a free tool. The connection settings are as follows:
I have pre-configured a few users and groups. The LDIF looks as follows:
I have security enabled on my Elasticsearch cluster, with SSL communication as well (using self-signed certificates).
As you can see, the order for `secldap` is `1`; as a result, if the same user exists in both realms (native and LDAP), it is checked against the native realm first.
I have disabled SSL verification, but if you have the CA certificate added you can simply enable it. Essentially this integrates LDAP with Elasticsearch; once the nodes are restarted, this realm is available to be evaluated against.
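The realm stanza itself was shown as a screenshot in the original post. As an added example (not the author's configuration), the following script appends an equivalent `secldap` realm to `elasticsearch.yml`, ordered after the native realm. The LDAP host and realm name come from the post; the directory suffix `dc=myserver,dc=com`, the `ou=users`/`ou=groups` layout, the bind DN and the file paths are assumptions. `ssl.verification_mode: none` reproduces the post's "SSL verification disabled" setting; the commented line shows where the CA goes once you switch the mode to `full`.

```shell
#!/bin/sh
# Added example, not from the original post: install an LDAP realm named
# "secldap" (order 1) next to the native realm (order 0) in elasticsearch.yml.
set -eu

ES_CONF="${ES_CONF:-/etc/elasticsearch/elasticsearch.yml}"
LDAP_HOST="${LDAP_HOST:-ldap.myserver.com}"
BASE_DN="${BASE_DN:-dc=myserver,dc=com}"   # assumption: directory suffix

# Print the realm stanza. Every line is a flat "realms.<type>.<name>.<setting>"
# key, the 7.x layout. verification_mode "none" accepts any server certificate,
# so keep it only until the LDAP CA is on the node; then set "full" and
# uncomment certificate_authorities.
render_ldap_realm() {
  realm="$1"; order="$2"
  cat <<EOF
xpack.security.authc.realms.native.native1.order: 0
xpack.security.authc.realms.ldap.${realm}.order: ${order}
xpack.security.authc.realms.ldap.${realm}.url: "ldaps://${LDAP_HOST}:636"
xpack.security.authc.realms.ldap.${realm}.bind_dn: "cn=admin,${BASE_DN}"
xpack.security.authc.realms.ldap.${realm}.user_search.base_dn: "ou=users,${BASE_DN}"
xpack.security.authc.realms.ldap.${realm}.user_search.filter: "(uid={0})"
xpack.security.authc.realms.ldap.${realm}.group_search.base_dn: "ou=groups,${BASE_DN}"
xpack.security.authc.realms.ldap.${realm}.unmapped_groups_as_roles: false
xpack.security.authc.realms.ldap.${realm}.ssl.verification_mode: none
# xpack.security.authc.realms.ldap.${realm}.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ldap-ca.crt"]
EOF
}

# Append the stanza to a config file, refusing to add the same realm twice.
install_ldap_realm() {
  conf="$1"; realm="$2"; order="$3"
  if grep -q "realms.ldap.${realm}." "$conf" 2>/dev/null; then
    echo "realm ${realm} already present in ${conf}" >&2
    return 1
  fi
  render_ldap_realm "$realm" "$order" >> "$conf"
}

# Number of realms with an explicit order in the file (sanity check after install).
count_realm_orders() { grep -c '\.order:' "$1"; }

# Usage on a node (the bind password never goes into elasticsearch.yml; it is
# stored in the keystore under the realm's secure_bind_password setting):
#   install_ldap_realm "$ES_CONF" secldap 1
#   /usr/share/elasticsearch/bin/elasticsearch-keystore add \
#       xpack.security.authc.realms.ldap.secldap.secure_bind_password
#   systemctl restart elasticsearch
```

Run the install and the keystore command on every node, then restart; realm settings are static in 7.6, so the realm only appears after the restart.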
At the moment there is no role mapping defined, so let me first create a role named `user` in Kibana.
Let's use the role_mapping API to define a mapping.
I have defined a mapping that adds the role `user` to any USER authenticated through LDAP.
If the call is successful it should return:
Now let's call the `_authenticate` API as `user4`, a user that does not exist yet and that we will add to LDAP shortly.
As expected the user is denied access.
Let's add the user to LDAP, but not as a member of any group.
I have added `user4` with the password `admin`. Let us try the access again.
You can see the added user now authenticates successfully and has no LDAP group membership. Next, let's add the group membership in LDAP and a matching role mapping in `role_mapping.yml`.
Once added, let's execute the `_authenticate` API again.
In case you do not get the group membership, clear the realm cache; cached entries are valid for 20 minutes by default.
This brings us to the end of the blog. In summary, I showed how easy it is to configure the realm; once the nodes are restarted, you can add role mappings using the API or `role_mapping.yml`. In case of questions, please feel free to drop comments.
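The API calls, the LDIF for `user4` and the `role_mapping.yml` entry were all screenshots in the original post. As an added example (not the author's commands), the functions below wrap each step of the walkthrough: the realm-wide role mapping, the `_authenticate` check, adding `user4` to OpenLDAP and then to a group, the file-based mapping for that group, and the cache clear. The cluster URL, LDAP host, user name and password are taken from the post; the admin credentials, the `dc=myserver,dc=com` suffix, the `ou=users`/`ou=groups` layout, the group name `users` and the mapping name `ldap_all_users` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: role mapping, user creation and
# authentication checks for the "secldap" realm as shell functions.
set -eu

ES_URL="${ES_URL:-https://node2.elasticsearch.node:9200}"
ES_AUTH="${ES_AUTH:-elastic:changeme}"                   # assumption: superuser for admin calls
LDAP_URI="${LDAP_URI:-ldaps://ldap.myserver.com}"
LDAP_BIND="${LDAP_BIND:-cn=admin,dc=myserver,dc=com}"    # assumption: directory admin
BASE_DN="${BASE_DN:-dc=myserver,dc=com}"                 # assumption: directory suffix
CURL="curl -sS -k"   # -k mirrors the post's self-signed cluster certificate; prefer --cacert

# Body for PUT _security/role_mapping: grant <role> to every user the realm
# <realm> authenticates, i.e. "the role user for any USER in ldap".
role_mapping_body() {   # role_mapping_body <role> <realm>
  printf '{"roles":["%s"],"enabled":true,"rules":{"field":{"realm.name":"%s"}}}' "$1" "$2"
}

put_role_mapping() {    # put_role_mapping <mapping-name> <role> <realm>
  $CURL -u "$ES_AUTH" -H 'Content-Type: application/json' \
    -X PUT "$ES_URL/_security/role_mapping/$1" -d "$(role_mapping_body "$2" "$3")"
}

# _authenticate with the candidate's own credentials. A 401 security_exception
# means no realm knew the user (expected before user4 exists in LDAP); a 200
# response carries roles plus metadata.ldap_dn and metadata.ldap_groups.
authenticate_as() {     # authenticate_as <user> <password>
  $CURL -u "$1:$2" -w '\nHTTP %{http_code}\n' "$ES_URL/_security/_authenticate"
}

# LDIF for a new inetOrgPerson. The clear-text userPassword matches what the
# post does; OpenLDAP hashes it on the way in only if a ppolicy/hash overlay is set.
user_ldif() {           # user_ldif <uid> <password>
  cat <<EOF
dn: uid=$1,ou=users,$BASE_DN
objectClass: inetOrgPerson
uid: $1
cn: $1
sn: $1
userPassword: $2
EOF
}

# LDIF adding the user to a groupOfNames group (the "member" attribute is
# what group_search follows when it fills ldap_groups).
group_member_ldif() {   # group_member_ldif <group-cn> <uid>
  cat <<EOF
dn: cn=$1,ou=groups,$BASE_DN
changetype: modify
add: member
member: uid=$2,ou=users,$BASE_DN
EOF
}

add_ldap_user() { user_ldif "$1" "$2" | ldapadd -H "$LDAP_URI" -D "$LDAP_BIND" -W; }
add_to_group()  { group_member_ldif "$1" "$2" | ldapmodify -H "$LDAP_URI" -D "$LDAP_BIND" -W; }

# role_mapping.yml entry: the role name maps to a list of group (or user) DNs.
# The file lives in the config directory and must be identical on every node.
role_mapping_yml() {    # role_mapping_yml <role> <group-cn>
  printf '%s:\n  - "cn=%s,ou=groups,%s"\n' "$1" "$2" "$BASE_DN"
}

# The realm caches successful lookups (20m by default), so a membership added
# in LDAP is invisible until the entry expires or the cache is cleared.
clear_realm_cache() { $CURL -u "$ES_AUTH" -X POST "$ES_URL/_security/realm/$1/_clear_cache"; }

# Pull the ldap_groups array out of an _authenticate response (no jq needed).
ldap_groups_from() {    # ldap_groups_from <json>
  printf '%s' "$1" | grep -o '"ldap_groups":\[[^]]*\]' | sed 's/.*\[//; s/\]//'
}

# Walkthrough, in the post's order (needs a live cluster and directory):
#   put_role_mapping ldap_all_users user secldap        # {"role_mapping":{"created":true}}
#   authenticate_as user4 admin                         # HTTP 401: user not in any realm yet
#   add_ldap_user user4 admin
#   authenticate_as user4 admin                         # HTTP 200, "ldap_groups":[]
#   add_to_group users user4
#   role_mapping_yml user users >> /etc/elasticsearch/role_mapping.yml
#   clear_realm_cache secldap
#   authenticate_as user4 admin | ldap_groups_from "$(cat)"   # now lists cn=users,...
```

Two things worth checking in the `_authenticate` output: `authentication_realm.name` should read `secldap`, which confirms the native realm (order 0) did not answer first, and `roles` should contain `user` both before and after the group change, since the API mapping is keyed on the realm rather than on a group.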
-- THE - END --