How to configure ldap on elasticsearch

Hello Team,

I'm trying to configure ldap on xpack enabled elasticsearch cluster. Below is my docker compose file to deploy the stack . I couldn't find any documents how to do this. Also is there a way that i can pass all these ldap settings as environment variable while deploying the stack. I'm here to find how do i configure ldap settings on elasticsearch nodes.

version: "3.4"
 
networks:
  net:
    driver: overlay
    attachable: true

volumes:
  elastic_data01:
    driver: netapp
    driver_opts:
      size: 50G
  elastic_data02:
    driver: netapp
    driver_opts:
      size: 50G

services:
  elasticsearch01:
    image: elasticsearch:7.2.0
    networks:
      - net
    volumes:
      - elastic_data01:/usr/share/elasticsearch/data    
    environment:
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - xpack.security.enabled=true
      - xpack.license.self_generated.type=basic
      - cluster.name=docker-cluster
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ELASTIC_PASSWORD=xxx
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02
      - node.name=elasticsearch01
      - discovery.seed_hosts=elasticsearch02
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate 
      -xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch01/elasticsearch01.crt
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch01/elasticsearch01.key
    deploy:
      mode: replicated
      replicas: 1 

  elasticsearch02:
    image: elasticsearch:7.2.0
    networks:
      - net
    volumes:
      - elastic_data02:/usr/share/elasticsearch/data
    environment:
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - xpack.security.enabled=true
      - xpack.license.self_generated.type=basic
      - cluster.name=docker-cluster
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - ELASTIC_PASSWORD=xxx
      - cluster.initial_master_nodes=elasticsearch01,elasticsearch02
      - node.name=elasticsearch02
      - discovery.seed_hosts=elasticsearch01
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate 
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch02/elasticsearch02.crt
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch02/elasticsearch02.key
      - xpack.security.authc.realms.ldap.enabled
    deploy:
      mode: replicated
      replicas: 1

  kibana:
    image: kibana:7.2.0
    ports:
      - "5601:5601"
    networks:
      - net
    environment:
      - xpack.monitoring.ui.container.elasticsearch.enabled=true
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=xxx
      - ELASTICSEARCH_HOSTS=["http://elasticsearch01:9200/","http://elasticsearch02:9200/"]
    deploy:
      mode: replicated
      replicas: 1
 
  logstash:
    image: logstash:7.2.0
    ports:
      - "9201:9201"
      - "12201:12201/udp"
    networks:
      - net
    environment:
      -  xpack.monitoring.enabled=true
      -  xpack.monitoring.elasticsearch.hosts=["http://elasticsearch01:9200/","http://elasticsearch02:9200/"]
      -  xpack.monitoring.elasticsearch.url=["http://elasticsearch01:9200/","http://elasticsearch02:9200/"]
      -  xpack.monitoring.elasticsearch.username=elastic
      -  xpack.monitoring.elasticsearch.password=XXXX
    deploy:
      mode: replicated
      replicas:  1

xpack:
  security:
    authc:
      realms:
        active_directory:
          xxx:
            order: 0 
            domain_name: xxx
            url: ldap://xxx.com
            bind_dn: xxx

Hi,

Have you seen our docker docs here and here ? These contain examples on how to pass the settings or how to bind mount an elasticsearch.yml

Below is my elasticserach.yml file with configurations

cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack: 
  security: 
    authc: 
      realms: 
        active_directory: 
          xxx: 
            domain_name: xxx.xxx.net
            order: 0
            url: "ldap://xxx.xxx.net"

When I try using my AD acc to login , i'm seeing below error:

{"type": "server", "timestamp": "2019-08-09T18:34:34,764+0000", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "docker-cluster", "node.name": "elasticsearch01", "cluster.uuid": "1JE9z-OiQnqX2CpU3So2YQ", "node.id": "PCw__y7qQJePgGCeZxwQ1w", "message": "Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [active_directory/xxx] were skipped because they are not permitted on the current license" } I have basic license enabled on the systems

Here's the latest update:

I'm able to integrate AD with elasicsearch only with licence mode "TRIAL" licence *NOT with "BASIC".
When I read your docs, it was mentioned as basic license should support ldap/ad. Please correct me if i'm wrong.

No this is not correct, ldap and ad authentication is not available with a basic license, see Subscriptions | Elastic Stack Products & Support | Elastic and Security for Elasticsearch is now free | Elastic Blog

When I read your docs, it was mentioned as basic license should support ldap/ad. Please correct me if i'm wrong.

If you point us to that part of the documentation, we will make sure it gets corrected.

from here:

Screen Shot 2019-08-12 at 9.48.41 AM.png2702×938 240 KB

As you can see , the line with LDAP, PKI*, Active Directory authentication in it is greyed out in the Basic and Open Source columns which means it is not available.

its hard to notice that . Thanks anyways.

I'll leave a comment with your feedback with the team that is responsible for our website, thanks for your feedback !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.