LDAP authentication on local node and processing on cloud node

Our LDAP server is restricted to requests from the intranet. But we would like to run ElasticSearch with LDAP on cloud. Is it a good strategy to run a local node of ElasticSearch within the intranet (only intended for authentication) and then host a bigger instance of Elastic on cloud for the real data processing? If it's not a good strategy then what's a recommended strategy for this requirement?

No, that is not a good strategy.
Having a cluster that spans data centres like that is strongly discouraged.

When you say "cloud" do you mean the hosted ES service on Elastic Cloud, or running your own nodes on cloud hosted infrastructure?

Thanks for the hint. Do you mean it's not a good strategy in terms of performance and reliability, or in terms of security? In terms of performance, is it possible to reduce the data processing in the local node as much as possible, and does it then become a better strategy?
With "cloud" I meant we will be running our own nodes on cloud based virtual machines. I don't mean to use a hosted ES service.

Also, do you have a recommendation about how to handle this requirement under these circumstances (the auth service like LDAP being available only in the local network)?

You should never try and form an ES cluster over a WAN. The node-to-node communication relies on low latency, high bandwidth networks.

Your options are:

  1. Use Cross Cluster Search. Have a small on-prem cluster, and a large cloud cluster and use the on-prem cluster to search the cloud one.
  2. Use SAML or OpenID Connect to support login to your cloud Kibana instances. Those protocols are designed to be able to support login without needing direct network connection between the Service (Kibana) and the Authentication Provider.
  3. Use some sort of LDAP proxy into your internal network.
  4. Just accept that you can't use LDAP for this, and use the builtin native realm in ES.
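The following is an added configuration example, not from the original thread and not Elastic's own documentation. It sketches what options 3 and 4 above look like on the cloud cluster's nodes (an LDAP realm that points at a proxy reachable from the cloud VMs, with the native realm kept as a fallback), plus the one setting the on-prem cluster needs for option 1. All hostnames, DNs, ports and file paths are assumptions; the realm and setting names are the standard `elasticsearch.yml` keys.

```yaml
# --- cloud cluster: elasticsearch.yml (example, assumed values) ---
# Option 3: LDAP realm whose URL is the proxy, not the intranet LDAP server.
# Only the proxy (assumed host ldap-proxy.example.internal) needs to be
# reachable from the cloud VMs; restrict it to the cloud nodes' addresses
# at the firewall so the intranet directory is never exposed directly.
xpack.security.authc.realms.ldap.ldap_via_proxy:
  order: 0
  url: "ldaps://ldap-proxy.example.internal:636"   # assumed; LDAPS, never plain ldap://
  bind_dn: "cn=es-bind,ou=service,dc=example,dc=com" # assumed read-only service account
  # The bind password is NOT put in this file; store it in the keystore:
  #   bin/elasticsearch-keystore add \
  #     xpack.security.authc.realms.ldap.ldap_via_proxy.secure_bind_password
  user_search:
    base_dn: "ou=people,dc=example,dc=com"           # assumed
    filter: "(uid={0})"
  group_search:
    base_dn: "ou=groups,dc=example,dc=com"           # assumed; groups drive role mapping
  unmapped_groups_as_roles: false                    # only mapped groups grant roles
  ssl:
    certificate_authorities: ["/etc/elasticsearch/certs/ldap-proxy-ca.crt"]  # assumed path
    verification_mode: full                          # verify hostname and chain

# Option 4 / fallback: native realm, so built-in and break-glass users still
# work if the proxy or the WAN link to it is down.
xpack.security.authc.realms.native.native1:
  order: 1

---
# --- on-prem cluster: elasticsearch.yml (example, assumed values) ---
# Option 1: register the cloud cluster as a remote for Cross Cluster Search.
# The clusters stay separate; only searches are federated, no shared cluster
# state crosses the WAN. (This can also be set at runtime via the
# _cluster/settings API.)
cluster.remote.cloud.seeds: ["es-cloud-1.example.net:9300"]  # assumed seed node
```

Usage note: with the LDAP realm above, a cloud-side LDAP login is a lookup of `uid` under the assumed `base_dn`, followed by a bind as that user through the proxy; role assignment then comes from role mappings on the user's groups, so a user with no mapped group gets no privileges. The `verification_mode: full` line is the setting that makes the proxy's certificate, not just the TLS tunnel, part of the trust decision.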

Because I am not too knowledgeable about ES, to me option 3 sounds the simplest. I think I will try that and also read up on the other options. Many thanks once again! It's really useful information.
