Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://www.alibabacloud.com/help/en/es/use-cases/use-x-pack-to-configure-ldap-authentication below:

Configure LDAP authentication to allow LDAP users to access an Alibaba Cloud Elasticsearch cluster - Elasticsearch

This topic describes how to configure Lightweight Directory Access Protocol (LDAP) authentication for an Alibaba Cloud Elasticsearch cluster to allow LDAP users with the required roles to access the cluster.

The following operations are performed:

• Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V6.7 cluster is used.

  For more information, see Create an Alibaba Cloud Elasticsearch cluster.

• Activate the LDAP service in the virtual private cloud (VPC) where the Elasticsearch cluster resides, and prepare user data. In this topic, OpenLDAP 2.4.44 is used.

  For more information, see Official LDAP documentation. When you configure LDAP authentication, you cannot configure the ou property. You can configure only the cn and Group properties.

The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:

• If you want to connect a cluster that is deployed in the original network architecture to the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.

• In the new network architecture, the LDAP authentication feature is limited. You can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect a cluster that is deployed in the new network architecture to the Internet, configure an NGINX proxy to forward requests.

• In the original network architecture, only single-zone Elasticsearch clusters support LDAP authentication.

1. Step 1: (Optional) Obtain the domain name of an endpoint

2. Step 2: Configure LDAP authentication

3. Step 3: Map the user to a role

4. Step 4: Verify the result

Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between the VPC and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:

1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.

   For more information, see Step 1: Create and configure a CLB instance.

2. Configure the CLB instance.

3. Create an endpoint service.

   For more information, see Step 2: Create an endpoint service.

4. Configure a private connection to the Elasticsearch cluster.

   For more information, see Step 3: Create a private connection for the Elasticsearch cluster.

5. Obtain the domain name of the endpoint that is used to access the endpoint service.

You can use X-Pack to configure LDAP authentication in the following modes:

• User search mode

• Distinguished name (DN) template-based mode

The user search mode is commonly used. In user search mode, a user who has permissions to query the LDAP directory is used to search for the DN of a user who you want to authenticate. The search is performed based on the username and LDAP attribute that are provided by X-Pack. After the DN of the user is found, X-Pack attempts to bind the user to the LDAP directory by using the DN and the related password to authenticate the user. For more information, see Configure an LDAP realm.

The following sample code provides the mapping configurations that are required by LDAP to manage a DN. You must add the configurations to the YML file of the Elasticsearch cluster. For more information, see Configure the YML file.

• Configurations for Elasticsearch V6.7 clusters

  xpack.security.authc.realms.ldap1.type: ldap
  xpack.security.authc.realms.ldap1.order: 2
  xpack.security.authc.realms.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
  xpack.security.authc.realms.ldap1.bind_dn: "admin@yaobili.com"
  xpack.security.authc.realms.ldap1.bind_password: "yourPassword"
  xpack.security.authc.realms.ldap1.user_search.base_dn: "dc=yaobili,dc=com"
  xpack.security.authc.realms.ldap1.user_search.filter: "(cn={0})"
  xpack.security.authc.realms.ldap1.group_search.base_dn: "dc=yaobili,dc=com"
  xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false

• Configurations for Elasticsearch clusters of V7.10 or later

  xpack.security.authc.realms.ldap.ldap1.order: 2
  xpack.security.authc.realms.ldap.ldap1.url: "ldap://ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389"
  xpack.security.authc.realms.ldap.ldap1.bind_dn: "admin@yaobili.com"
  xpack.security.authc.realms.ldap.ldap1.bind_password: "yourPassword"
  xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "dc=yaobili,dc=com"
  xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
  xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "dc=yaobili,dc=com"
  xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false

Parameter

Description

type

The type of the realm. You must set this parameter to ldap.

order

The priority of the realm. A small value indicates a high priority. If you want to specify multiple realms, we recommend that you configure this parameter. The realms are accessed in descending order of their priorities.

For Elasticsearch V8.X clusters, the value of this parameter must be unique among different requests. We recommend that you set this parameter to 2.

url

The URL and port number that are used to connect to the LDAP server. ldap indicates that a common connection and port 389 are used. ldaps indicates that an SSL-encrypted connection and port 636 are used.

If your Elasticsearch cluster is deployed in the new network architecture, you must specify a value for this parameter in the format of Domain name of the endpoint:Port number. You can obtain the domain name of the endpoint based on the instructions in Step 1: (Optional) Obtain the domain name of an endpoint. In this example, ep-bp1dhpobznlgjhj9****-cn-hangzhou-i.epsrv-bp1q8tcj2jjt5dwr****.cn-hangzhou.privatelink.aliyuncs.com:389 is used.

bind_dn

The DN of the user whom you want to search for and bind to the LDAP directory. This parameter is valid only in user search mode.

bind_password

The password of the user.

user_search.base_dn

The container DN that is used to search for the user.

group_search.base_dn

The container DN that is used to search for the group to which the user belongs. If you do not configure this parameter, Elasticsearch searches for the attribute that is specified by the user_group_attribute parameter to determine the group to which the user belongs.

unmapped_groups_as_roles

The default value of this parameter is false. If you set this parameter to true, the names of unmapped LDAP groups are used as role names.

For more information about the parameters, see Security settings in Elasticsearch.

1. Log on to the Kibana console of your Elasticsearch cluster and go to the homepage of the Kibana console as prompted.

   For more information about how to log on to the Kibana console, see Log on to the Kibana console.

   Note

   In this example, an Elasticsearch V6.7.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.

2. In the left-side navigation pane of the page that appears, click Dev Tools.

3. On the Console tab of the page that appears, run the following command to map the zhang* user to the administrator role:

   V8.X

   POST _security/role_mapping/ldap_super_user1?pretty
   {
     "roles": [ "superuser" ],
     "enabled": true,
     "rules": {
       "any": [
         {
           "field": {
             "username": "zhang*"
           }
         }
       ]
     }
   }

   Other versions

   POST _xpack/security/role_mapping/ldap_super_user1?pretty
   {
     "roles": [ "superuser" ],
     "enabled": true,
     "rules": {
       "any": [
         {
           "field": {
             "username": "zhang*"
           }
         }
       ]
     }
   }

   For more information, see Elastic versions.

1. Log on to the Kibana console of the Elasticsearch cluster by using the zhang* user.

2. In the left-side navigation pane of the page that appears, click Dev Tools.

3. On the Console tab of the page that appears, run the following command to check whether the zhang* user has permissions to modify the configuration of the cluster:

   PUT _cluster/settings
   {
     "persistent": {
       "action.auto_create_index": true
     }
   }

   If the result shown in the following figure is returned, the user has permissions to modify the configuration of the cluster.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4