If you have control over the header name that is passed to elasticsearch, you can use the run as feature of Shield. For this to work, DgLux would need to send authentication credentials for a user that had the ability to run as the actual user in Shield. In the configuration for Shield, you would define an LDAP realm (with a bind_dn) that will be used to look up the user in the run as header and could authorize the user. Note: you could use anonymous access for DgLux but that would not be very secure unless you can guarantee that DgLux is the only thing communicating directly with elasticsearch.
If that will not work for you, I suggest you take a look at custom realms and the example for 2.1.0. Your custom realm would look for the header passed from DgLux and convert that into a specific authentication token that your custom realm understands. The token would then get passed into the authenticate method by Shield and this is where you would implement code to lookup the user in LDAP and map them to the appropriate Shield role names. In this scenario, you would also want a way to authenticate the requests coming from DgLux otherwise this will not be secure since anyone can pass in the header and get into elasticsearch.