Is it possible to connect to different ldap realm?

Elastic Stack Elasticsearch
1

Hey there,
Can I map 2, or more, different ldap realms? i.e. from 2 different domains?
So user 1 can access with user@domain1.com and user 2 can access with user@domain2.com
I did not see any limitations around this issue. But, the documentation does not say explicitly that it is allowed.
The configuration will be something like

xpack.security.authc.realms:

    ldap.realm1: 
        order: 0
        ...

    ldap.realm2:
        order: 1
        ...

    ldap.realm3:
        order: 2

Thank you!

2

Hi,
Yes thats possible.
In the Documentation about realm-chains is also a example for a config with 2 ldap realm.

Regards,
Simon

1 Like
3

Thanks a lot!

4

A few things to keep in mind:

  • Realms are traversed in order so if a user that is in ldap realm attempts to authenticate, we will try realm 1 first and when that fails we will try realm 2 and when that fails we will try realm 3.
  • The above happens only the first time, we subsequently cache both the authentication and the realm that last authenticated that user and will attempt to use that first so next authentications will be fast(er).
  • The above might or might not be problematic for you depending on how many different realms you want to add. 2,3 are fine, 30 might not be :slight_smile:
5

Thanks for the info @ikakavas
Do you have any guidance around this topic? Best practices? Performance testing you have done?
Thanks

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.