Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Accessing an Elasticsearch Cluster Using LDAP

Updated on 2025-01-23 GMT+08:00

The Light Directory Access Protocol (LDAP) is a lightweight version of the directory access protocol based on the X.500 standard. An LDAP service provides user authentication and authorization. Using the Security plugin for Open Distro for Elasticsearch, CSS adds Active Directory as an authentication backend for clusters, connecting them seamlessly to the LDAP service. This topic describes the steps needed to connect a CSS cluster to an LDAP service.

It also describes how to enable LDAP authentication for a CSS cluster to allow access by LDAP users of specific roles.

Constraints

Only Elasticsearch 7.10.2 security-mode clusters can be accessed through LDAP.

Preparations

  • A security-mode Elasticsearch cluster has been created in CSS and its status is available.
  • The LDAP service that is in the same VPC as the Elasticsearch cluster and the necessary user data have been prepared. For details, see the OpenLDAP document: A Quick-Start Guide.

Accessing a Cluster

  1. Install an LDAP service on an ECS. If the LDAP service and user data have already been prepared, skip this step.

    1. Create an ECS. The ECS must run a Windows OS and must be in the same VPC and security group as the security-mode Elasticsearch cluster of CSS. The Windows Server running on the ECS provides the built-in Active Directory service that supports the LDAP protocol.

      For how to create an ECS, see .

    2. Log in to the ECS, and enable the Active Directory service. Create a domain, administrator, users, and user groups.

  2. Modify the parameter settings of the security-mode Elasticsearch cluster on CSS. Configure a static parameter in elasticsearch.yml to connect the cluster to the LDAP service.

    1. Log in to the CSS management console.
    2. In the navigation pane on the left, choose Clusters > Elasticsearch to go to the cluster list.
    3. Choose Clusters in the navigation pane. On the Clusters page, click the name of the target cluster. The cluster information page is displayed.
    4. In the navigation pane on the left, choose Parameter Configurations. Click Edit, and add the following to the Custom module:
      • Parameter: opendistro_security.unsupported.restapi.allow_securityconfig_modification
      • Value: true
    5. Click Submit above. In the displayed Submit Configuration dialog box, select the box that says "I understand that the modification will take effect after the cluster is restarted." and click Yes.

      If Status is Succeeded in the parameter change list, the change has been saved. Up to 20 change records can be displayed.

    6. Return to the cluster list and choose More > Restart in the Operation column to restart the cluster and make the change take effect.
      • Until the cluster is restarted, Configuration not updated will be displayed in the Task Status column on the Clusters page.
      • If the cluster is restarted after the change, and Task Status still shows Configuration error, the parameter configuration file has failed to be modified.

  3. Configure a custom route for the cluster on the CSS console to connect the cluster to the LDAP service.

    NOTICE:

    The permission to configure custom routes for clusters is controlled using a whitelist. If you need this permission, submit a service ticket to apply for it.

    1. Log in to the CSS management console.
    2. In the navigation pane on the left, choose Clusters, and click a cluster type to go to the cluster list (Elasticsearch in this example).
    3. Choose Clusters in the navigation pane. On the Clusters page, click the name of the target cluster. The cluster information page is displayed.
    4. On the Cluster Information page, locate Cluster Routing, and click Modify.
      • IP Address: Enter the IP address of the LDAP server. If the LDAP service on the ECS is used, enter the IP address of the ECS. Subnet Mask: Enter the subnet mask of the LDAP server. If the LDAP service on the ECS is used, enter the subnet mask of the ECS.
      • Modification Type: Select Add.
    5. Click OK.

  4. Configure LDAP authentication for a security-mode Elasticsearch cluster.

    1. Log in to the CSS management console.
    2. In the navigation pane on the left, choose Clusters > Elasticsearch to go to the cluster list.
    3. In the cluster list, locate the target cluster, and click Kibana in the Operation column.
    4. On the Kibana console, click Dev Tools in the navigation tree on the left.
    5. Run the following commands to configure LDAP authentication.
      NOTE:
      • Concepts used in an X.500 directory access protocol (including LDAP):
        • CN = Common Name
        • OU = Organizational Unit
        • DC = Domain Component
        • DN = Distinguished Name

        The CN, OU, and DC must be provided in the correct order. Otherwise, authentication will fail.

      • The configuration file consists of two parts: authc and authz.
        • authc (authentication): verifies whether a user is truly who they claim they are (password verification).
        • authz (authorization): verifies what the current user has access to.
      PUT _opendistro/_security/api/securityconfig/config
      {
          "dynamic": {
              "authc": {
                  "basic_internal_auth_domain": {
                      "description": "Authenticate via HTTP Basic against internal users database",
                      "http_enabled": true,
                      "transport_enabled": true,
                      "order": 1,
                      "http_authenticator": {
                          "type": "basic",
                          "challenge": true
                      },
                      "authentication_backend": {
                          "type": "intern"
                      }
                  },
                  "ldap": {
                      "description": "Authenticate via LDAP or Active Directory",
                      "http_enabled": true,
                      "transport_enabled": true,
                      "order": 2,
                      "http_authenticator": {
                          "type": "basic",
                          "challenge": false
                      },
                      "authentication_backend": {
                          "type": "ldap",
                          "config": {
                              "enable_ssl": false,
                              "enable_start_tls": false,
                              "enable_ssl_client_auth": false,
                              "verify_hostnames": true,
                              "hosts": ["10.0.XXX.XXX:389"],
                              "bind_dn": "CN=adminAD,DC=test,DC=ldap,DC=com",
                              "password": "<password>",
                              "userbase": "OU=ITDepartment,DC=test,DC=ldap,DC=com",
                              "usersearch": "(sAMAccountName={0})",
                              "username_attribute": "uid"
                          }
                      }
                  }
              },
              "authz": {
                  "roles_from_myldap": {
                      "description": "Authorize via LDAP or Active Directory",
                      "http_enabled": true,
                      "transport_enabled": true,
                      "authorization_backend": {
                          "type": "ldap",
                          "config": {
                              "enable_ssl": false,
                              "enable_start_tls": false,
                              "enable_ssl_client_auth": false,
                              "verify_hostnames": true,
                              "hosts": ["10.0.XXX.XXX:389"],
                              "bind_dn": "CN=adminAD,DC=test,DC=ldap,DC=com",
                              "password": "<password>",
                              "rolebase": "OU=groups,DC=test,DC=ldap,DC=com",
                              "rolesearch": "(member={0})",
                              "userroleattribute": null,
                              "userrolename": "disabled",
                              "rolename": "CN",
                              "resolve_nested_roles": true,
                              "userbase": "OU=ITDepartment,DC=test,DC=ldap,DC=com",
                              "usersearch": "(uid={0})"
                          }
                      }
                  }
              }
          }
      }

      The parameters in Table 1 need to be modified based on the actual environment.

      Table 1 Parameter description

      Parameter

      Description

      hosts

      Address of the LDAP service. The port number is 389. If the LDAP service on the ECS is used, enter the IP address of the ECS.

      bind_dn

      It is similar to the LDAP user name (CN - OU - DC) and is used to access the LDAP server. Select a user name from the user data of the LDAP service.

      password

      Password of the LDAP user configured using bind_dn.

      userbase

      After the LDAP service is connected, the DN that the user belongs to is obtained. In this example, all user information in the ITDepartment directory is synchronized.

      rolebase

      The collection of permissions that can be configured for the userbase user group of the LDAP service.

  5. Configure the mapping between LDAP user permissions and Elasticsearch permissions in the Elasticsearch security-mode cluster to enable fine-grained access control.

    The rolebase permissions group of the LDAP server must be mapped to the roles in the Elasticsearch cluster. Figure 1 illustrates the mapping. For details about the configuration, see Creating Users for an Elasticsearch Cluster and Granting Cluster Access.

    Figure 1 Permissions mapping
    1. Log in to the CSS management console.
    2. In the navigation pane on the left, choose Clusters > Elasticsearch to go to the cluster list.
    3. In the cluster list, locate the target cluster, and click Kibana in the Operation column. Log in to the Kibana console as user admin.
    4. Choose Security in the navigation tree on the left. The Security page is displayed.
    5. Click Roles to go to the Open Distro Security Roles page. Click Create Role, set Name, Cluster Permissions, Index Permissions, and Tenant Permissions. Then click Save Role Definition to save the role settings. The parameters are as follows:
      • Name (name of the role)
      • Cluster permissions
      • Index permissions
      • Tenant permissions
    6. Click the newly created role, select Mapped users, enter a permissions group of the LDAP service in Backend roles, and click Map.
    7. Check the configuration result.
      Figure 2 Permissions mapping
    8. Repeat 5.e to 5.g to map other permissions groups.

  6. Verify the result.

    1. Log in to the CSS management console.
    2. In the navigation pane on the left, choose Clusters > Elasticsearch to go to the cluster list.
    3. In the cluster list, locate the target cluster, and click Kibana in the Operation column. Use an LDAP user to log in to the Kibana console.
      • If the login is successful, the configuration is successful, and users can access the Elasticsearch cluster through LDAP. The specific permissions authorized are controlled by role permissions configured in Elasticsearch.
      • If the login fails, contact technical support.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback