Configure LDAP Authentication

Hello

I want to configure LDAP authentication for my elastic cluster.
On a test cluster I can check the configs before going to production. For this I use docker with this git repo.

elasticsearch.yml

cluster.name: docker-cluster
network.host: 0.0.0.0

## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
#
xpack.license.self_generated.type: trial
xpack.security.enabled: true

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap:
            order: 0
            enabled: true
            cache.ttl: 1m
            url: "ldap://ldap.example.ch:389"
            bind_dn: "uid=binduser,cn=users,cn=accounts,dc=example,dc=ch"
            user_search:
              base_dn: "cn=users,dc=example,dc=ch"
              filter: "(cn={0})"
            group_search:
              base_dn: "cn=groups,cn=accounts,dc=example,dc=ch"
            unmapped_groups_as_roles: false

role-mapping.yml

superuser:
  - "uid=testuser,cn=users,cn=accounts,dc=example,dc=ch"

I started the cluster and created the password entry in the keytab with this command:

bin/elasticsearch-keystore add \
xpack.security.authc.realms.ldap.ldap.secure_bind_password

Then I copy the elasticsearch.keystore file to the host and mount it inside the container.

docker-compose.yml

version: '3.7'

services:

  # The 'setup' service runs a one-off script which initializes users inside
  # Elasticsearch — such as 'logstash_internal' and 'kibana_system' — with the
  # values of the passwords defined in the '.env' file. It also creates the
  # roles required by some of these users.
  #
  # This task only needs to be performed once, during the *initial* startup of
  # the stack. Any subsequent run will reset the passwords of existing users to
  # the values defined inside the '.env' file, and the built-in roles to their
  # default permissions.
  #
  # By default, it is excluded from the services started by 'docker compose up'
  # due to the non-default profile it belongs to. To run it, either provide the
  # '--profile=setup' CLI flag to Compose commands, or "up" the service by name
  # such as 'docker compose up setup'.
  setup:
    profiles:
      - setup
    build:
      context: setup/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    init: true
    volumes:
      - ./setup/entrypoint.sh:/entrypoint.sh:ro,Z
      - ./setup/lib.sh:/lib.sh:ro,Z
      - ./setup/roles:/roles:ro,Z
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
      METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
      FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
      HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
      - elasticsearch

  elasticsearch:
    build:
      context: elasticsearch/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro,Z
      - elasticsearch:/usr/share/elasticsearch/data:Z
      - ./elasticsearch/config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
      - ./elasticsearch/config/role_mapping.yml:/usr/share/elasticsearch/config/role_mapping.yml
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      node.name: elasticsearch
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      # Bootstrap password.
      # Used to initialize the keystore during the initial startup of
      # Elasticsearch. Ignored on subsequent runs.
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      # Use single node discovery in order to disable production mode and avoid bootstrap checks.
      # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    networks:
      - elk
    restart: unless-stopped

  logstash:
    build:
      context: logstash/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro,Z
      - ./logstash/pipeline:/usr/share/logstash/pipeline:ro,Z
    ports:
      - 5044:5044
      - 50000:50000/tcp
      - 50000:50000/udp
      - 9600:9600
    environment:
      LS_JAVA_OPTS: -Xms256m -Xmx256m
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
    networks:
      - elk
    depends_on:
      - elasticsearch
    restart: unless-stopped

  kibana:
    build:
      context: kibana/
      args:
        ELASTIC_VERSION: ${ELASTIC_VERSION}
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro,Z
    ports:
      - 5601:5601
    environment:
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
      - elasticsearch
    restart: unless-stopped

networks:
  elk:
    driver: bridge

volumes:
  elasticsearch:

At startup I get this error:

docker-elk-elasticsearch-1 | {"@timestamp":"2024-01-05T12:11:26.245Z", "log.level":"ERROR", "message":"node validation exception\n[1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch. For more information see [https://www.elastic.co/guide/en/elasticsearch/reference/8.11/bootstrap-checks.html]\nbootstrap check failure [1] of [1]: Role mapping file [/usr/share/elasticsearch/config/ES_PATH_CONF/role_mapping.yml] for realm [ldap] does not exist.; for more information see [https://www.elastic.co/guide/en/elasticsearch/reference/8.11/bootstrap-checks-xpack.html#_role_mappings_check]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"main","log.logger":"org.elasticsearch.bootstrap.Elasticsearch","elasticsearch.node.name":"elasticsearch","elasticsearch.cluster.name":"docker-cluster"}

When I remove the mount and the entries in the elasticsearch.yml file for the role_mapping.yml, the cluster starts normally.

I then add the mapping with the console:

PUT /_security/role_mapping/admins
{
  "roles": [ "monitoring", "user" ],
  "rules": {
    "field": {
      "groups": "cn=employees,cn=groups,cn=accounts,dc=example,dc=ch"
    }
  },
  "enabled": true
}

Now when I want to log in I get this error in the logs.

docker-elk-kibana-1 | [2024-01-05T12:29:40.984+00:00][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)

It seems that Kibana wants to use the built-in realm instead of the configured LDAP realm. How can I resolve this issue?

Any help is appreciated.
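A small consistency check over the realm settings and role mapping above, as an added example that is not part of the post or of Elastic's code. The `REALM` and `ROLE_MAPPING` values are constructed from the posted files, the `files.role_mapping` path is the one shown in the bootstrap error, and `parse_dn`, `is_under` and `lint_realm` are names chosen here.

```python
import re

# Constructed from the posted elasticsearch.yml / role-mapping.yml; the
# files.role_mapping path is the one shown in the bootstrap error message.
REALM = {
    "bind_dn": "uid=binduser,cn=users,cn=accounts,dc=example,dc=ch",
    "user_search": {"base_dn": "cn=users,dc=example,dc=ch", "filter": "(cn={0})"},
    "group_search": {"base_dn": "cn=groups,cn=accounts,dc=example,dc=ch"},
    "files.role_mapping": "ES_PATH_CONF/role_mapping.yml",
}
ROLE_MAPPING = {"superuser": ["uid=testuser,cn=users,cn=accounts,dc=example,dc=ch"]}

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, attrs lowercased, whitespace trimmed.
    Enough for the DNs here; RFC 4514 escaped commas are not handled."""
    return [(a.strip().lower(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]

def is_under(dn, base):
    """True when dn lies strictly below base (base is the tail of dn's RDNs)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(b) < len(d) and d[-len(b):] == b

def lint_realm(realm, role_mapping):
    """Return a list of findings; empty means the config is internally consistent."""
    findings = []
    ubase, ufilter = realm["user_search"]["base_dn"], realm["user_search"]["filter"]
    if re.search(r"\s[,=]|[,=]\s", ubase):  # e.g. "cn=users ,dc=..." pasted by hand
        findings.append("user_search.base_dn has whitespace next to ',' or '='")
    m = re.fullmatch(r"\(([\w.-]+)=\{0\}\)", ufilter)
    if not m:
        findings.append("user_search.filter must look like (attr={0})")
    # Both search bases must live in the same directory suffix as the bind user.
    suffix = [r for r in parse_dn(realm["bind_dn"]) if r[0] == "dc"]
    for key in ("user_search", "group_search"):
        if [r for r in parse_dn(realm[key]["base_dn"]) if r[0] == "dc"] != suffix:
            findings.append(f"{key}.base_dn is outside the bind_dn directory suffix")
    for role, dns in role_mapping.items():
        for dn in dns:
            if not is_under(dn, ubase):  # the user search can never return this DN
                findings.append(f"{role}: {dn} is not under user_search.base_dn")
            naming = parse_dn(dn)[0][0]
            if m and m.group(1).lower() != naming:  # filter attr vs naming attr of the DN
                findings.append(f"{role}: filter matches {m.group(1)} but {dn} is named by {naming}")
    if "ES_PATH_CONF" in realm.get("files.role_mapping", ""):  # docs placeholder left in
        findings.append("files.role_mapping still contains the literal ES_PATH_CONF placeholder")
    return findings
```

Run against the posted values it reports three findings: the mapped user DN lies under `cn=accounts`, which the user search base does not cover, the filter matches `cn` while the DNs are named by `uid`, and the role-mapping path still carries the `ES_PATH_CONF` placeholder.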

Hi @kadmin!

[plugins.security.routes] Logging in with provider "basic" (basic)

I believe this is by design. The ldap realm in Elasticsearch will be used by Kibana for its basic realm. More documentation about that: Authentication in Kibana | Kibana Guide [8.11] | Elastic

Thank you for your reply. It makes sense now that Elastic uses LDAP as basic authentication.
Nonetheless I cannot sign in, and in the logs I do not see a reason for it. Where can I get more info about this?

I have found the command to raise the log level for LDAP realms:

PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.ldap": "DEBUG"
  }
}

But it does not seem to change anything; I still get the single line in the log file.

[2024-01-05T15:32:18.064+00:00][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)
