Roles and role mappings are organized file-based. Authentication/Authorization works as expected.
When a user logs on to Kibana and switches menu tabs within Kibana, a lot of LDAP auth is triggered at the Elasticsearch backend. I would expect this information to be cached within the interval of 20m as configured and not queried against the LDAP server again and again. For every user I see a log full of (log anonymized [...]):
Dec 05 09:54:02 ...: [2017-12-05T09:54:02,053][DEBUG][o.e.x.s.a.l.LdapRealm ] [...] realm [...] authenticated user [...], with roles [[...]]
Dec 05 09:54:02 ...: [2017-12-05T09:54:02,062][DEBUG][o.e.x.s.a.e.ReservedRealm] [...] user [...] not found in cache for realm [reserved], proceeding with normal authentication
Did we miss something to properly configure the LDAP user cache?
Those log messages don't indicate that there are queries being performed against the LDAP Server.
Do you have some other reason to think that the cache isn't working, or is your conclusion based purely on these logs?
If the cache wasn't working, you would see messages saying
[LdapRealm] ... user [...] not found in cache for realm [ldap], proceeding with normal authentication
The realm [...] authenticated user message indicates which realm handled the authentication for a particular request. Since the cache is per-realm, you will see those messages regardless of whether the user was cached or not.
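One way to apply the distinction drawn in the answer above to a DEBUG log (an added example, not part of the thread and not Elastic's code): it counts, per realm and user, the "authenticated user" lines, which appear on every request, separately from the "not found in cache" lines, and flags misses that repeat inside the configured 20m. The sample lines, the node name, the realm name `ldap1` and the user `jdoe` are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the DEBUG lines quoted in the thread;
# node name, realm name "ldap1", user "jdoe" and the role are made up.
SAMPLE = """\
[2017-12-05T09:54:02,040][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] user [jdoe] not found in cache for realm [ldap1], proceeding with normal authentication
[2017-12-05T09:54:02,053][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] realm [ldap1] authenticated user [jdoe], with roles [[kibana_user]]
[2017-12-05T09:54:03,062][DEBUG][o.e.x.s.a.e.ReservedRealm] [node-1] user [jdoe] not found in cache for realm [reserved], proceeding with normal authentication
[2017-12-05T09:54:03,070][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] realm [ldap1] authenticated user [jdoe], with roles [[kibana_user]]
[2017-12-05T09:59:10,001][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] user [jdoe] not found in cache for realm [ldap1], proceeding with normal authentication
[2017-12-05T09:59:10,020][DEBUG][o.e.x.s.a.l.LdapRealm ] [node-1] realm [ldap1] authenticated user [jdoe], with roles [[kibana_user]]
"""

TS = re.compile(r"\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),\d+\]")
MISS = re.compile(r"user \[(?P<user>[^\]]*)\] not found in cache for realm \[(?P<realm>[^\]]*)\]")
AUTH = re.compile(r"realm \[(?P<realm>[^\]]*)\] authenticated user \[(?P<user>[^\]]*)\]")

def summarize(text, ttl=timedelta(minutes=20)):
    """Count per (realm, user): requests handled, cache misses, misses inside the TTL."""
    stats = defaultdict(lambda: {"authenticated": 0, "misses": 0, "early_misses": 0})
    last_miss = {}
    for line in text.splitlines():
        ts = TS.search(line)  # search() also tolerates a syslog prefix before the timestamp
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S")
        miss = MISS.search(line)
        if miss:
            key = (miss["realm"], miss["user"])
            stats[key]["misses"] += 1
            # Assumption: a repeat miss sooner than the TTL is worth investigating;
            # it is a heuristic, not proof that the cache is misconfigured.
            if key in last_miss and when - last_miss[key] < ttl:
                stats[key]["early_misses"] += 1
            last_miss[key] = when
            continue
        auth = AUTH.search(line)
        if auth:
            # Logged for every request, whether or not the user came from the cache.
            stats[(auth["realm"], auth["user"])]["authenticated"] += 1
    return dict(stats)

if __name__ == "__main__":
    for (realm, user), counts in sorted(summarize(SAMPLE).items()):
        print(realm, user, counts)
```

Misses recorded under `reserved` belong to that realm's own cache and say nothing about the LDAP realm; only the counts for the LDAP realm's name are relevant to the question in this thread.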
Thank you. That answered my question. I did not expect the query against every realm (the "reserved").