Trouble with Active D authentication settings

stack-security
(Patrick) #1

Trying to set up ver 7 and some of the new settings in the yml are confusing.

xpack.security.authc.realms:
native.realm1:
order: 0
enabled: true

active_directory.realm2:
    dhp_ad:
      order: 1
      enabled: true
      domain_name: company.com
      url:
        - ldaps://company.com:636
        - ldaps://company.com:636
        - ldaps://company.com:636
        - ldaps://company.com:636
        - ldaps://company.com:636
        - ldaps://company.com:636
      load_balance:
        type: round_robin
      bind_dn: CN=company DC
      secure_bind_password: password
      ssl:
        certificate_authorities: [ "config/certs/secure.pem" ]

Does this look correct? I was getting some different info from the upgrade assistant and the 7 doc.

(Ioannis Kakavas) #2

Hi,

There are a couple of things that are wrong here:

  •  active_directory.realm2:
      dhp_ad:
    

    You have added two name identifiers for the realm, you need to keep either realm2 or dhp_ad but not both.

  • secure_bind_password is a secure setting and as such needs to be added to the elasticsearch.keystore

  • enabled: true is not necessary, this is the default value.

You'd get the same information if you attempted to start elasticserach with the config above, as we do validate the configuration at startup.

Can you point out which part of the documentation or the settings were confusing to you? Maybe we can do a better job at documenting those.

(Patrick) #3

Thank you!! that was good info. To be clear.

I need either one of these:

active_directory.realm2:

or

active_directory.dhp_ad:

or ??

active_directory:
dhp_ad:

(Ioannis Kakavas) #4

The syntax is xpack.security.authc.realms.<realm_type>.<realm_name>: . The realm type is active_directory since you want to use AD, and you can name your realm whatever you want, realm2, or dhp_ad , it doesn't matter, you need to pick 1 name though.

active_directory.dhp_ad:

is exactly the same as

active_directory:
  dhp_ad:
1 Like
(Patrick) #5

thank you!!

1 Like
(system) closed #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.