Shield ldap realm config on ES cluster with tribe nodes

Few questions,

  1. Do we need to specify the same ldap realm setting on every tribe nodes? Or only the data/master nodes?
    If yes, does it mean the tribe nodes will contact the LDAP server directly for authentication?

  2. If we have two separate ES cluster with different LDAP realm, and we need all LDAP users to the tribe to connect to them, does it mean we have to define both of the ldap realm setting on each ES nodes?

Thanks!