Hello ,
I want to know how to connect Elasticsearch to an external LDAP, and if I am in a cluster that contains multiple nodes, do I need to configure LDAP on all Elasticsearch nodes or just one of them (and wich one : master , coordi , data node ...)? The same question applies to opening streams please.
Thank you
Hi,
You need to configure the xpack.security.authc.* settings in elasticsearch.yml and kibana.yml on all nodes.
Have a look at:
ES would look something like:
xpack:
security:
authc:
realms:
ldap.realm1:
order: 1
url: ldaps://yourserver:636
bind_dn: <your_dn>
bind_password: <password>
....
LDAP is basic auth, so use the basic realm in kibana as provider.
It doesn't need to be configured in all nodes, just the ones where your clients, including kibana, will make requests.
For example, if your Kibana and all your clients only make requests to your coordinating nodes, then you can configure the authentication just on those nodes.
This is an example of a configuration that includes the native realm and the active directory realm:
xpack:
security:
authc:
realms:
native:
native1:
order: 0
active_directory:
my_ad:
order: 1
domain_name: "company.domain"
follow_referrals: false
url: [ "ldaps://ladp-server-01.company.domain:636", "ldaps://ldap-server-02.company.domain:636" ]
ssl:
certificate_authorities: [ "/etc/elasticsearch/certs/ldap/ladp-server-01.pem", "/etc/elasticsearch/certs/ldap/ldap-server-02.pem" ]
load_balance:
type: "round_robin"
Also, you didn't say if you have a license or not, but to use LDAP you need a paid license.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.