Hi guys,
Quick question regarding Shield. We would like to use Shield to authenticate users using Active Directory. But the users are part of different domains. The current documentation shows that the domain_name is fixed in the configuration file.
Is there a Shild API that allows me to pass user/password/domain information to get authenticated? If not, how can I achive this for our setup. Please advice. Thanks!
Matt
Hi Matt,
We do not have an API that lets you pass in credentials with a domain right now. You can configure a realm for each AD domain that you have, but each one will be tried in order so it will add additional time to authenticate and some load to you active directory servers. Do you use nested groups? If not, you may be able to just use the regular LDAP realm and configure it to query the global catalog of your active directory and only need to configure that realm.
One of the enhancements that we've got on our roadmap in the ability to test based on the credentials if we should try to authenticate to a domain. For example, if you passed in DOMAINA\user then the AD realms would check to see if it was for DOMAINA before attempting authentication otherwise the realm would skip it and move on to the next one.
-Jay
Jay,
thanks for the quick response. I have just opened a dev_support ticket with you guys (#10935).
I don't think checking each user name again different domains would be an ideal solution. Best case is that you get authenticated in the 1st try and the worst case is your domain is on the very last line of the lookup (henice the login process might timeout).
Any ETA on this enhancement? Thanks!
Matt
I don't have a timeline on the enhancement at the moment, but maybe through the dev ticket we can figure out a solution.
-Jay
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.