Configuration LDAPS

Hi everybody.

Please tell me.
I'm trying to set up a config for authorization via LDAP. I can't understand this setting:

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://ldap.example.com:636"
            ssl:
              certificate_authorities: [ "cacert.pem" ]

Does this parameter specify the certificate in brackets?
Are the quotation marks ("") necessary here?

certificate_authorities: [ "cacert.pem" ]

In the elasticsearch.yml file I didn't see quotes or brackets being used.

Hi,

You can go through the below URL.

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://ldap.example.com:636"
            ssl:
              certificate_authorities: [ "cacert.pem" ]

In the example above, the CA certificate must be PEM encoded. PKCS#12 and JKS files are also supported - see the description of ssl.truststore.path in LDAP realm settings.

You can also specify the individual server certificates rather than the CA certificate, but this is only recommended if you have a single LDAP server or the certificates are self-signed.

  1. Set the url attribute in the realm configuration to specify the LDAPS protocol and the secure port number. For example, url: ldaps://ldap.example.com:636.
  2. Restart Elasticsearch.

By default, when you configure Elasticsearch to connect to an LDAP server using SSL/TLS, it attempts to verify the hostname or IP address specified with the url attribute in the realm configuration with the values in the certificate. If the values in the certificate and realm configuration do not match, Elasticsearch does not allow a connection to the LDAP server. This is done to protect against man-in-the-middle attacks. If necessary, you can disable this behavior by setting the ssl.verification_mode property to certificate.

Why did you send me something that I have already read more than once ))?
I just wanted to understand how to correctly specify the certificate in the certificate_authorities parameter.

In some examples on the Internet I saw that brackets are not used.
Is there any example ldaps config?

The format mentioned in my comments should actually work fine.

I don't have any examples currently handy. But yes, you should give the certificate inside double quotes and brackets only.

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 2
            url: "ldaps://ldap.example.com:636"
            bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
            user_search:
              base_dn: "ou=users, o=services, dc=example, dc=com"
            group_search:
              # quoted like the other DNs; the original line was missing the opening quote
              base_dn: "ou=groups, o=services, dc=example, dc=com"
            ssl:
              verification_mode: certificate
              certificate_authorities: ["/app/config/cacerts/ca.crt"]

Some settings, e.g. certificate_authorities, accept a list of strings. For these settings, if you have only one value, you can use the simple form of

certificate_authorities: ca.crt

or with quotes

certificate_authorities: "ca.crt"

If there are multiple values, you need to use brackets and quotes, e.g.

certificate_authorities: [ "ca1.crt", "ca2.crt" ]

Thank you very much, that helped.
Tell me, how do I force authorization with a local account?
I set up the ldaps config and determined the OU area where to look for accounts in AD. But now I can't log in with a local account that has superuser privileges.

This is what it says when logging in.
Of course, the user and password are entered correctly, but for some reason it does not allow me to enter

I need a local account to test ldaps settings, OU, AD groups.....
So that you can simultaneously log in through ldap and local account.

Now, once you have successfully configured LDAP, you need to map the users or groups from that particular LDAP to Elasticsearch roles.

In /etc/elasticsearch/ or in the path of your installation, you'll find a file role_mapping.yml in which the users or groups need to be mapped to elasticsearch roles.

This URL might help you with it.

Thank you, I know this article.
I plan to grant access through the API, not through the role_mapping.yml file.
But I need the local accounts to remain, so that you can log in with them to test access through ldap, and in that case the user can still use the old local account.

Found a solution, if anyone is interested: you need to add a native realm in the config

xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
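The two points settled in this thread (certificate_authorities takes either a bare/quoted string or a bracketed list, and local users need a native realm alongside the LDAP realm) are easy to get wrong before a restart. The following is an added example, not code from the thread or from Elasticsearch: a hypothetical pre-flight check written in Python. It assumes the realms section of elasticsearch.yml has been loaded into the nested dict shape shown in SAMPLE_REALMS (constructed here from the config posted above, with the native realm from the solution added), normalises the list-valued setting, lists the realm chain in order, and flags the `verification_mode: certificate` setting the docs quoted earlier describe as removing the hostname check.

```python
"""Hypothetical pre-flight check for xpack.security.authc.realms (added
example; not part of Elasticsearch). Realm settings are the nested dict
that the YAML section loads into."""
import copy
from urllib.parse import urlsplit

# Constructed sample: the LDAPS realm posted in the thread plus the native
# realm that was added so local (superuser) accounts can still log in.
SAMPLE_REALMS = {
    "native": {
        "native1": {"order": 0},
    },
    "ldap": {
        "ldap1": {
            "order": 2,
            "url": "ldaps://ldap.example.com:636",
            "bind_dn": "cn=ldapuser,ou=users,o=services,dc=example,dc=com",
            "user_search": {"base_dn": "ou=users,o=services,dc=example,dc=com"},
            "ssl": {
                "verification_mode": "certificate",
                "certificate_authorities": "/app/config/cacerts/ca.crt",
            },
        },
    },
}


def as_list(value):
    """Normalise a list-valued setting such as certificate_authorities.

    In elasticsearch.yml one value may be written bare (ca.crt), quoted
    ("ca.crt") or as a one-element list (["ca.crt"]); several values need the
    bracketed form. All of these load as either a str or a list.
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    raise TypeError(f"unsupported value for list setting: {value!r}")


def realm_chain(realms):
    """Return [(type, name, order)] sorted by ascending order, i.e. the
    sequence in which the realms are consulted for a login."""
    chain = []
    for realm_type, entries in realms.items():
        for name, settings in entries.items():
            if "order" not in settings:
                raise ValueError(f"realm {realm_type}.{name} has no order")
            chain.append((realm_type, name, int(settings["order"])))
    orders = [order for _, _, order in chain]
    if len(orders) != len(set(orders)):
        raise ValueError("realm orders must be unique")
    return sorted(chain, key=lambda item: item[2])


def check_ldap_realm(name, settings):
    """Findings for one LDAP realm: transport security and CA configuration."""
    findings = []
    url = settings.get("url", "")
    if urlsplit(url).scheme != "ldaps":
        findings.append(f"{name}: url {url!r} is not ldaps://, bind credentials would travel in clear")
    ssl = settings.get("ssl", {})
    cas = as_list(ssl.get("certificate_authorities"))
    truststore = ssl.get("truststore", {}).get("path")
    if not cas and not truststore:
        findings.append(f"{name}: no certificate_authorities or truststore configured for the LDAPS connection")
    mode = ssl.get("verification_mode", "full")
    if mode == "certificate":
        findings.append(f"{name}: verification_mode=certificate skips the hostname check (weaker man-in-the-middle protection)")
    elif mode == "none":
        findings.append(f"{name}: verification_mode=none disables certificate verification entirely")
    return findings


def audit_realms(realms):
    """Run every check and return the list of findings (empty means clean)."""
    findings = []
    chain = realm_chain(realms)
    if not any(realm_type == "native" for realm_type, _, _ in chain):
        findings.append("no native realm configured: local accounts could not log in in the setup described above")
    for name, settings in realms.get("ldap", {}).items():
        findings.extend(check_ldap_realm(name, settings))
    return findings


def hardened(realms):
    """Copy of the config with hostname verification (full) restored on every LDAP realm."""
    fixed = copy.deepcopy(realms)
    for settings in fixed.get("ldap", {}).values():
        settings.setdefault("ssl", {})["verification_mode"] = "full"
    return fixed


if __name__ == "__main__":
    for finding in audit_realms(SAMPLE_REALMS):
        print("WARN", finding)
    print("after hardening:", audit_realms(hardened(SAMPLE_REALMS)))
```

Run against the sample the only finding is the `verification_mode: certificate` one; `hardened()` shows the same config with `full` restored, which is what you want unless the certificate genuinely cannot carry the hostname in the url.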
