Can we define multiple LDAP realms in elasticsearch.yml ? If so how does it work ?
Yes multiple LDAP realms can be configured simultaneously.
Realms live within a realm chain. It is essentially a prioritized list of configured realms (typically of various types). The order of the list determines the order in which the realms will be consulted. During the authentication process, X-Pack security will consult and try to authenticate the request one realm at a time. Once one of the realms successfully authenticates the request, the authentication is considered to be successful and the authenticated user will be associated with the request (which will then proceed to the authorization phase). If a realm cannot authenticate the request, the next in line realm in the chain will be consulted. If all realms in the chain could not authenticate the request, the authentication is then considered to be unsuccessful and an authentication error will be returned (as HTTP status code 401).
Thanks for the explanation . Another thing i wanted to ask is , is there any way to map index with realms ? I mean for a certain index can i point to a particular realm ? and every time we call the search API , do we need to send the credentials or is there a single sign on kind of thing for LDAP?
is there any way to map index with realms ?
Users are bound to realms. There is no relation between indices and realms. Users gain privileges over indices by the virtue of roles.
every time we call the search API , do we need to send the credentials or is there a single sign on kind of thing for LDAP?
Every request should bear the credentials. There is no concept of an authenticated session. However this does not mean that the LDAP server is checked for each request, there is some caching involved on the ES side.
@Albert_Zaharovits Thanks for your answers
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.