In the example above, the CA certificate must be PEM encoded. PKCS#12 and JKS files are also supported - see the description of ssl.truststore.path in LDAP realm settings.
You can also specify the individual server certificates rather than the CA certificate, but this is only recommended if you have a single LDAP server or the certificates are self-signed.
Set the url attribute in the realm configuration to specify the LDAPS protocol and the secure port number. For example, url: ldaps://ldap.example.com:636.
Restart Elasticsearch.
By default, when you configure Elasticsearch to connect to an LDAP server using SSL/TLS, it attempts to verify the hostname or IP address specified with the url attribute in the realm configuration with the values in the certificate. If the values in the certificate and realm configuration do not match, Elasticsearch does not allow a connection to the LDAP server. This is done to protect against man-in-the-middle attacks. If necessary, you can disable this behavior by setting the ssl.verification_mode property to certificate.
Why did you send me something that I have already read more than once? ))
I just wanted to understand how to correctly specify the certificate in the certificate_authorities parameter,
since in some examples on the Internet I saw that brackets are not used.
Is there any example LDAPS config?
Some settings, e.g. certificate_authorities, accept a list of strings. For these settings, if you have only one value for it, you can use the simple form of
certificate_authorities: ca.crt
or with quotes
certificate_authorities: "ca.crt"
If there are multiple values, you need to use brackets and quotes, e.g.
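As an added illustration that is not part of the thread or of the Elastic documentation, here is a complete LDAPS realm block in elasticsearch.yml showing both forms of certificate_authorities (single scalar, and a list in flow and block style), the hostname-verification setting discussed above, and an explicitly configured native realm ordered ahead of LDAP so that local accounts keep working (the later question in this thread). It assumes the Elasticsearch 7.x realm syntax (xpack.security.authc.realms.<type>.<name>); 6.x uses realms.<name>.type instead. Host names, DNs, realm names and file paths are placeholders.

```yaml
# Added example, not from the thread. Elasticsearch 7.x realm syntax.
xpack.security.authc.realms:
  native:
    native1:
      order: 0                       # tried first: local (native) users still log in
  ldap:
    ldap1:
      order: 1                       # LDAP is consulted only if the native realm fails
      url: "ldaps://ldap.example.com:636"
      bind_dn: "cn=elasticsearch,ou=services,dc=example,dc=com"
      # bind password goes into the keystore, not this file:
      #   bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password
      user_search:
        base_dn: "ou=people,dc=example,dc=com"
        filter: "(sAMAccountName={0})"   # AD-style login attribute; default is (uid={0})
      group_search:
        base_dn: "ou=groups,dc=example,dc=com"
      unmapped_groups_as_roles: false  # only explicitly mapped groups grant roles
      ssl:
        # One CA: a plain or quoted scalar is enough
        #   certificate_authorities: "/etc/elasticsearch/certs/ca.crt"
        # Several CAs: a YAML list, flow style ...
        certificate_authorities: ["/etc/elasticsearch/certs/root-ca.crt", "/etc/elasticsearch/certs/issuing-ca.crt"]
        # ... or block style (equivalent):
        #   certificate_authorities:
        #     - /etc/elasticsearch/certs/root-ca.crt
        #     - /etc/elasticsearch/certs/issuing-ca.crt
        # "full" (the default) validates the chain AND checks the hostname in url;
        # "certificate" drops the hostname check and leaves a man-in-the-middle window.
        verification_mode: full
```

Relative paths under certificate_authorities are resolved against the Elasticsearch config directory, which is why the bare "ca.crt" in the answer above works. Keep verification_mode at full unless the certificate genuinely cannot carry the server's name, and even then prefer reissuing the certificate over weakening the check.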
Thank you very much helped.
Tell me, how can I force authorization with a local account?
I set up the LDAPS config and specified the OU in AD where accounts should be looked up. But now I can't log in with a local account that has superuser privileges.
This is what it says when logging in.
Of course, the user and password are entered correctly, but for some reason it does not let me log in.
Now, once you have successfully configured LDAP, you need to map the users or groups from that particular LDAP to Elasticsearch roles.
In /etc/elasticsearch/ or in the path of your installation, you'll find a file role_mapping.yml in which the users or groups need to be mapped to elasticsearch roles.
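An added example of the role_mapping.yml format the answer refers to; it is not from the thread or from the Elastic documentation. Keys are Elasticsearch role names and values are lists of LDAP user or group DNs; the DNs below are placeholders for an AD-like tree. (Mappings created through the role mapping API, which the original poster prefers, are stored separately and apply alongside this file.)

```yaml
# Added example, not from the thread: /etc/elasticsearch/role_mapping.yml
# <role name>: list of user or group DNs that receive that role.
# Keep the superuser mapping to one tightly controlled group: every member of
# that group gets full cluster control.
superuser:
  - "cn=elastic-admins,ou=groups,dc=example,dc=com"
kibana_user:
  - "cn=elastic-users,ou=groups,dc=example,dc=com"
  - "cn=jdoe,ou=people,dc=example,dc=com"     # an individual user DN also works
```

The file is read by each node, so it has to be present and identical on every node; DNs must match what the LDAP server returns, so copy them from the directory rather than retyping them.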
Thank you, I know this article.
I plan to grant access through the API, not through the role_mapping.yml file.
But I need the local accounts to remain so that I can log in with them to test access through LDAP and, if anything goes wrong, so that the user can use the old local account.