This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch cluster to allow LDAP users with the required roles to access the cluster.
Prerequisites
The following operations are performed:
Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V6.7 cluster is used.
For more information, see Create an Alibaba Cloud Elasticsearch cluster.
Activate the LDAP service in the virtual private cloud (VPC) where the Elasticsearch cluster resides, and prepare user data. In this topic, OpenLDAP 2.4.44 is used.
For more information, see Official LDAP documentation. When you configure LDAP authentication, you cannot configure the ou property. You can configure only the cn and Group properties.
Precautions
The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:
If you want to connect a cluster that is deployed in the original network architecture to the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.
In the new network architecture, the LDAP authentication feature is limited. You can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect a cluster that is deployed in the new network architecture to the Internet, configure an NGINX proxy to forward requests.
In the original network architecture, only single-zone Elasticsearch clusters support LDAP authentication.
For more information about the network architecture, see [Notice] Network architecture adjustment.
Procedure
Step 1: (Optional) Obtain the domain name of an endpoint
Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between the VPC and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:
- Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.
For more information, see Step 1: Create and configure a CLB instance.
Configure the CLB instance.
During the configuration, you must specify the LDAP server as the backend server and port 389 as the listening port.
For more information, see Configure a private connection for an Elasticsearch cluster.
- Create an endpoint service.
For more information, see Step 2: Create an endpoint service.
- Configure a private connection to the Elasticsearch cluster.
For more information, see Step 3: Create a private connection for the Elasticsearch cluster.
- Obtain the domain name of the endpoint that is used to access the endpoint service.
For more information, see Configure a private connection for an Elasticsearch cluster.
Note Record the obtained domain name, which will be used in subsequent configurations.
Step 2: Configure LDAP authentication
You can use X-Pack to configure LDAP authentication in the following modes:
User search mode
Distinguished name (DN) template-based mode
The user search mode is commonly used. In user search mode, a user who has permissions to query the LDAP directory is used to search for the DN of a user who you want to authenticate. The search is performed based on the username and LDAP attribute that are provided by X-Pack. After the DN of the user is found, X-Pack attempts to bind the user to the LDAP directory by using the DN and the related password to authenticate the user. For more information, see Configure an LDAP realm.
The following sample code provides the mapping configurations that are required by LDAP to manage a DN. You must add the configurations to the YML file of the Elasticsearch cluster. For more information, see Configure the YML file.
Configurations for Elasticsearch V6.7 clusters
xpack.security.authc.realms.ldap1.type: ldap xpack.security.authc.realms.ldap1.order: 2 xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389" xpack.security.authc.realms.ldap1.bind_dn: "admin@yaobili.com" xpack.security.authc.realms.ldap1.bind_password: "yourPassword" xpack.security.authc.realms.ldap1.user_search.base_dn: "dc=yaobili,dc=com" xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})" xpack.security.authc.realms.ldap1.group_search.base_dn: "dc=yaobili,dc=com" xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
Configurations for Elasticsearch clusters of V7.10 or later
xpack.security.authc.realms.ldap.ldap1.order: 2 xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389" xpack.security.authc.realms.ldap.ldap1.bind_dn: "admin@yaobili.com" xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword" xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "dc=yaobili,dc=com" xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})" xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "dc=yaobili,dc=com" xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false
Parameter | Description |
type | The type of the realm. You must set this parameter to ldap. |
order | The priority of the realm. A small value indicates a high priority. If you want to specify multiple realms, we recommend that you configure this parameter. The realms are accessed in descending order of their priorities. Note For Elasticsearch V8.X clusters, the value of this parameter must be unique among different requests. We recommend that you set this parameter to 2. |
url | The URL and port number that are used to connect to the LDAP server. ldap indicates that a common connection and port 389 are used. ldaps indicates that an SSL-encrypted connection and port 636 are used. Important If your Elasticsearch cluster is deployed in the new network architecture, you must specify a value for this parameter in the format of Domain name of the endpoint:Port number. You can obtain the domain name of the endpoint based on the instructions in Step 1: (Optional) Obtain the domain name of an endpoint. In this example, |
bind_dn | The DN of the user whom you want to search for and bind to the LDAP directory. This parameter is valid only in user search mode. |
bind_password | The password of the user. |
user_search.base_dn | The container DN that is used to search for the user. |
group_search.base_dn | The container DN that is used to search for the group to which the user belongs. If you do not configure this parameter, Elasticsearch searches for the attribute that is specified by the user_group_attribute parameter to determine the group to which the user belongs. |
unmapped_groups_as_roles | The default value of this parameter is false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names. |
For more information about the parameters, see Security settings in Elasticsearch.
Step 3: Map the user to a role
Log on to the Kibana console of your Elasticsearch cluster and go to the homepage of the Kibana console as prompted.
For more information about how to log on to the Kibana console, see Log on to the Kibana console.
NoteIn this example, an Elasticsearch V6.7.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.
In the left-side navigation pane of the page that appears, click Dev Tools.
On the Console tab of the page that appears, run the following command to map the zhang* user to the administrator role:
V8.X
POST _security/role_mapping/ldap_super_user1?pretty { "roles": [ "superuser" ], "enabled": true, "rules": { "any": [ { "field": { "username": "zhang*" } } ] } }
Other versions
POST _xpack/security/role_mapping/ldap_super_user1?pretty { "roles": [ "superuser" ], "enabled": true, "rules": { "any": [ { "field": { "username": "zhang*" } } ] } }
For more information, see Elastic versions.
Step 4: Verify the result
Log on to the Kibana console of the Elasticsearch cluster by using the zhang* user.
In the left-side navigation pane of the page that appears, click Dev Tools.
On the Console tab of the page that appears, run the following command to check whether the zhang* user has permissions to modify the configuration of the cluster:
PUT _cluster/settings { "persistent": { "action.auto_create_index": true } }
If the result shown in the following figure is returned, the user has permissions to modify the configuration of the cluster.