Are you trying to configure ElasticSearch LDAP Authentication on the Active Directory?
This guide will help you.
Active Directory is the directory service database that stores organizational data, policy, authentication information and so on, whereas LDAP is the protocol used to talk to a directory service database such as AD or ADAM. LDAP sits on top of the TCP/IP stack and controls internet directory access.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Windows related queries.
In this context, you will learn how to authenticate ElasticSearch users using the Active Directory from Microsoft Windows and the LDAP protocol.
To begin, you need to have the following:
i. Ubuntu 18
ii. Ubuntu 19
iii. ElasticSearch 7.6.2
iv. Windows 2012 R2
In our example, the ElasticSearch server IP address is 192.168.100.7, and the domain controller IP address is 192.168.100.10.
IP – 192.168.100.10
Operating System – WINDOWS 2012 R2
Hostname – TECH-DC01
i. First, we need to create a Firewall rule on the Windows domain controller.
ii. This firewall rule will allow the ElasticSearch server to query the Active directory.
iii. On the domain controller, open the application named Windows Firewall with Advanced Security.
iv. Here, we create a new Inbound firewall rule.
v. Select the PORT option.
vi. Then select the TCP option.
vii. Select the Specific local ports option.
viii. Then enter the TCP port 389.
ix. After that, we select the Allow the connection option.
x. Subsequently, check the DOMAIN option.
xi. Then check the PRIVATE option.
xii. Similarly, check the PUBLIC option.
xiii. Enter a description of the firewall rule.
We have created the required firewall rule.
This rule will allow the ElasticSearch server to query the Active Directory database.
i. Next, we need to create at least 2 accounts on the Active Directory database.
ii. The ADMIN account will be used to log in to the ElasticSearch server as Superuser.
iii. On the other hand, the BIND account will be used to query the Active Directory database.
iv. On the domain controller, open Active Directory Users and Computers.
v. Create a new account inside the Users container.
vi. Then create a new account, admin.
vii. Set the password of the ADMIN user to: 123qwe..
viii. This account will be used to authenticate to ElasticSearch.
ix. Then create a new account, bind.
x. Set the password of the BIND user to: kamisama123..
This account will be used by Elasticsearch to query the Active Directory.
We have created the required Active Directory accounts.
i. Finally, we need to create at least 2 groups on the Active Directory database.
ii. On the domain controller, we open the application Active Directory Users and Computers.
iii. First, create a new group inside the Users container.
iv. Then, create a new group, ElasticSearch-Superuser.
v. Members of this group will have administrative permission on the ElasticSearch server.
vi. Subsequently, add the admin user as a member of the ElasticSearch-Superuser group.
vii. Then create a new group named: ElasticSearch-User.
viii. Members of this group will have user permission on the ElasticSearch server.
We have created the required Active Directory groups.
To begin, install the required packages.
# apt-get update
# apt-get install curl jq mlocate
Verify the license installed on the ElasticSearch server.
# curl -X GET "http://192.168.100.7:9200/_xpack/license"
Here is the command output:
{
  "license" : {
    "status" : "active",
    "uid" : "9f3d50e7-4d3c-47ec-8011-6f6b1d1167c0",
    "type" : "basic",
    "issue_date" : "2020-04-22T00:46:28.831Z",
    "issue_date_in_millis" : 1587516388831,
    "max_nodes" : 1000,
    "issued_to" : "elasticsearch",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}
In our example, a basic license is installed on the ElasticSearch server.
Enable the trial license on the ElasticSearch server.
# curl -X POST "http://192.168.100.7:9200/_license/start_trial?acknowledge=true&pretty"
Here is the command output:
{
  "acknowledged": true,
  "trial_was_started": true,
  "type": "trial"
}
Then we stop the ElasticSearch service.
# systemctl stop elasticsearch
Subsequently, edit the ElasticSearch configuration file, elasticsearch.yml
# vi /etc/elasticsearch/elasticsearch.yml
To do that, we add the following lines at the end of the file.
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://192.168.100.10:389"
            bind_dn: "CN=bind,CN=Users,DC=TECH,DC=LOCAL"
            user_search:
              base_dn: "DC=TECH,DC=LOCAL"
              filter: "(cn={0})"
            group_search:
              base_dn: "DC=TECH,DC=LOCAL"
            files:
              role_mapping: "role_mapping.yml"
            unmapped_groups_as_roles: false
Here is the original file, before our configuration.
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0
cluster.initial_master_nodes: elasticsearch.local
Here is the file with our configuration. Note that it also sets xpack.security.enabled: true, which is not among the lines listed above.
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0
cluster.initial_master_nodes: elasticsearch.local
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://192.168.100.10:389"
            bind_dn: "CN=bind,CN=Users,DC=TECH,DC=LOCAL"
            user_search:
              base_dn: "DC=TECH,DC=LOCAL"
              filter: "(cn={0})"
            group_search:
              base_dn: "DC=TECH,DC=LOCAL"
            files:
              role_mapping: "role_mapping.yml"
            unmapped_groups_as_roles: false
Then we locate the command named: ELASTICSEARCH-KEYSTORE
# updatedb
# locate elasticsearch-keystore
The ElasticSearch server needs to store the credentials of the Active Directory user named BIND.
# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password
The command prompts for the Active Directory password of the user named BIND.
Enter value for xpack.security.authc.realms.ldap.ldap1.secure_bind_password:
Then create a configuration file named: role_mapping.yml
# vi /etc/elasticsearch/role_mapping.yml
Here is the file content.
monitoring_user:
  - "CN=elasticsearch-user,CN=Users,DC=TECH,DC=LOCAL"
superuser:
  - "CN=elasticsearch-superuser,CN=Users,DC=TECH,DC=LOCAL"
Then set the correct file permissions.
# chown root:elasticsearch /etc/elasticsearch/role_mapping.yml
# chmod 660 /etc/elasticsearch/role_mapping.yml
Then, start the ElasticSearch service.
# systemctl start elasticsearch
Finally, test the communication with the ElasticSearch server using the Active Directory credentials.
# curl --user admin:123qwe.. -X GET "http://192.168.100.7:9200?pretty"
Here is the command output:
{
  "name" : "elasticsearch.local",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "w5CUwsjPQPqW4Ne_04wuRg",
  "version" : {
    "number" : "7.6.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
    "build_date" : "2020-03-26T06:34:37.794943Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
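A small audit of the files this procedure produces, as an added example (not part of the original guide or of Elasticsearch): it flags a realm url that uses ldap:// rather than ldaps://, a bind_password kept in elasticsearch.yml instead of the keystore, and a role_mapping.yml that other users can access. The function names and the sample files are constructed for illustration; ldaps:// and bind_password are LDAP realm settings that the guide itself does not use.

```shell
#!/bin/sh
# Added example: audit the LDAP realm files from this guide. Sample files are constructed.

# Flag realm URLs that use ldap:// (simple binds then cross the network unencrypted).
check_cleartext_url() {
    grep -nE '^[[:space:]]*url:[[:space:]]*"?ldap://' "$1" | cut -d: -f1 |
        while read -r n; do echo "$1:$n: realm url uses ldap://, not ldaps://"; done
}

# Flag a bind password written into the YAML instead of the keystore
# (secure_bind_password, the keystore setting used in this guide, does not match).
check_plaintext_bind_password() {
    grep -nE '^[[:space:]]*([A-Za-z0-9_.]+\.)?bind_password:' "$1" | cut -d: -f1 |
        while read -r n; do echo "$1:$n: bind_password is stored in the config file"; done
}

# Flag a file that grants any permission to "other" (the guide sets mode 660).
check_other_perms() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ] || echo "$1: accessible to other users ($other)"
}

audit_ldap_realm() {   # $1 = elasticsearch.yml, $2 = role_mapping.yml
    check_cleartext_url "$1"
    check_plaintext_bind_password "$1"
    check_other_perms "$2"
}

# --- constructed sample input, modelled on the realm in this guide ---
demo=$(mktemp -d)
cat > "$demo/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.authc.realms.ldap.ldap1:
  order: 0
  url: "ldap://192.168.100.10:389"
  bind_dn: "CN=bind,CN=Users,DC=TECH,DC=LOCAL"
  bind_password: "EXAMPLE-PLACEHOLDER"
EOF
printf 'superuser:\n  - "CN=elasticsearch-superuser,CN=Users,DC=TECH,DC=LOCAL"\n' > "$demo/role_mapping.yml"
chmod 664 "$demo/role_mapping.yml"

audit_ldap_realm "$demo/elasticsearch.yml" "$demo/role_mapping.yml"
```

On the real server, call audit_ldap_realm with /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/role_mapping.yml; no output means none of the three conditions was found.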
This article will guide you on how to authenticate ElasticSearch users using the Active Directory from Microsoft Windows and the LDAP protocol.
Active Directory (AD) supports both Kerberos and LDAP. Microsoft AD is by far the most common directory services system in use today.
To Set up Active Directory Authentication using LDAP:
1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page.
2. Enter the proper base for the Active Directory in the "Base DN" attribute.
3. Set the Search Scope.
4. Enter the Username Attribute.
5. Enter the Search Filter.
6. Verify that the settings are correct by clicking the Verify button.