Secure your clusters with Active Directory
These steps show how you can secure your Elasticsearch clusters and Kibana instances with the Lightweight Directory Access Protocol (LDAP) using an Active Directory.
To learn more about how securing Elasticsearch clusters with Active Directory works, check Active Directory user authentication.
The AD credentials are valid against the deployment, not the ECE platform. You can configure role-based access control for the platform separately.
You can configure the deployment to authenticate users by communicating with an Active Directory Domain Controller. To integrate with Active Directory, you need to configure an active_directory realm and map Active Directory groups to user roles in Elasticsearch.
Contrary to the ldap realm, the active_directory realm only supports a user search mode, but you can choose whether to use a bind user.
The Active Directory realm authenticates users using an LDAP bind request. By default, all LDAP operations run as the authenticated user if you don’t specify a bind_dn. Alternatively, you can choose to configure your realm with a bind user.
Add your user settings for the
active_directoryrealm as follows:xpack: security: authc: realms: active_directory: my_ad: order: 2 1 domain_name: ad.example.com 2 url: ldap://ad.example.com:389 3- The order in which the
active_directoryrealm is consulted during an authentication attempt. - The primary domain in Active Directory. Binding to Active Directory fails if the domain name is not mapped in DNS.
- The LDAP URL pointing to the Active Directory Domain Controller that should handle authentication. If your Domain Controller is configured to use LDAP over TLS and it uses a self-signed certificate or a certificate that is signed by your organization’s CA, refer to using self-signed certificates.
- The order in which the
You can choose to configure an Active Directory realm using a bind user. When you specify a bind_dn, this specific user is used to search for the Distinguished Name (DN) of the authenticating user based on the provided username and an LDAP attribute. If found, this user is authenticated by attempting to bind to the LDAP server using the found DN and the provided password.
Add your user settings for the
active_directoryrealm as follows:ImportantYou must apply the user settings to each deployment template.
xpack: security: authc: realms: active_directory: my_ad: order: 2 1 domain_name: ad.example.com 2 url: ldap://ad.example.com:389 3 bind_dn: es_svc_user@ad.example.com 4- The order in which the
active_directoryrealm is consulted during an authentication attempt. - The primary domain in Active Directory. Binding to Active Directory fails if the domain name is not mapped in DNS.
- The LDAP URL pointing to the Active Directory Domain Controller that should handle authentication. If your Domain Controller is configured to use LDAP over TLS and it uses a self-signed certificate or a certificate that is signed by your organization’s CA, refer to using self-signed certificates.
- The user to run as for all Active Directory search requests.
- The order in which the
Configure the password for the
bind_dnuser by adding the appropriatesecure_bind_passwordsetting to the Elasticsearch keystore.From the Deployments page, select your deployment.
Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
From your deployment menu, select Security.
Under the Elasticsearch keystore section, select Add settings.
On the Create setting window, select the secret Type to be
Secret String.Set the Setting name to
xpack.security.authc.realms.active_directory.<my_ad>.secure_bind_passwordand add the password for thebind_dnuser in thesecretfield.WarningAfter you configure
secure_bind_password, any attempt to restart the deployment will fail until you complete the rest of the configuration steps. If you wish to rollback the Active Directory realm related configuration effort, you need to remove thexpack.security.authc.realms.active_directory.my_ad.secure_bind_passwordthat was just added by clicking Remove by the setting name underExisting Keystores.
If your LDAP server uses a self-signed certificate or a certificate that is signed by your organization’s CA, you need to enable the deployment to trust this certificate. These steps are required only if TLS is enabled and the Active Directory controller is using self-signed certificates.
You’ll prepare a custom bundle that contains your certificate in the same way that you would on Elasticsearch Service. Custom bundles are extracted in the path /app/config/BUNDLE_DIRECTORY_STRUCTURE, where BUNDLE_DIRECTORY_STRUCTURE is the directory structure within the bundle ZIP file itself. For example:
$ tree .
.
└── adcert
└── ca.crt
In the following example, the keystore file would be extracted to /app/config/adcert/ca.crt, where ca.crt is the name of the certificate.
The following example uses a PEM encoded certificate. If your CA certificate is available as a JKS or PKCS#12 keystore, you can upload that file in a ZIP bundle and reference it in the user settings. For example, you can create a ZIP file from a truststore folder that contains a keystore named ca.p12 and reference that file:
xpack.security.authc.realms.active_directory.my_ad.ssl.truststore.path:
"/app/config/truststore/ca.p12"
If the keystore is also password protected (which isn’t typical for keystores that only contain CA certificates), you can also provide the password for the keystore by adding xpack.security.authc.realms.active_directory.my_ad.ssl.truststore.password: password in the user settings.
Create a ZIP file that contains your CA certificate file, such as
adcert.zip.Update your plan in the advanced configuration editor so that it uses the bundle you prepared in the previous step. You need to modify the
user_bundlesJSON attribute similar to the following example:NoteYou must specify the
user_bundlesattribute for each deployment template. You can alter7.*to8.*when needed.{ "cluster_name": "REPLACE_WITH_YOUR_CLUSTER_NAME", "plan": { ... "elasticsearch": { "version": "7.*", "user_bundles": [ { "name": "adcert", "url": "https://www.myurl.com/adcert.zip", 1 "elasticsearch_version": "7.*" 2 } ] } }- The URL that points to the
adcert.zipfile must be accessible to the cluster. Uploaded files are stored using Amazon’s highly-available S3 service. - This bundle is compatible with any Elasticsearch
7.*version.::::{tip}
Using a wildcard for the minor version ensures that the bundle is compatible with the specified Elasticsearch major version, and eliminates the need to upload a new bundle when upgrading to a new minor version.
::::
- The URL that points to the
Update your user settings for the
active_directoryrealm as follows:xpack: security: authc: realms: active_directory: my_ad: order: 2 domain_name: ad.example.com url: /app/config/adcert/ca.crt 1 bind_dn: es_svc_user@ad.example.com ssl: certificate_authorities: ["/app/config/cacerts/ca.crt"]- The
ldapsURL pointing to the Active Directory Domain Controller.
The
ssl.verification_modesetting (not shown) indicates the type of verification to use when usingldapsto protect against man-in-the-middle attacks and certificate forgery. The value for this property defaults tofull. When you configure Elasticsearch to connect to a Domain Controller using TLS, it attempts to verify the hostname or IP address specified by theurlattribute in the realm configuration with the Subject Alternative Names (SAN) in the certificate. If the SAN values in the certificate and realm configuration don’t match, Elasticsearch does not allow a connection to the Domain Controller. You can disable this behavior by setting thessl. verification_modeproperty tocertificate.- The
You have two ways of mapping Active Directory groups to roles for your users. The preferred one is to use the role mapping API. If for some reason this is not possible, you can use a role mapping file to specify the mappings instead.
Only Active Directory security groups are supported. You cannot map distribution groups to roles.
Let’s assume that you want all your users that authenticate through AD to have read-only access to a certain index my-index and the AD users that are members of the cn=administrators, dc=example, dc=com group in LDAP, to become superusers in your deployment:
Create the read-only role
POST /_security/role/read-only-my-index 1 { "indices": [ { "names": [ "my-index" ], "privileges": [ "read" ] } ] }- The name of the role.
Create the relevant role mapping rule for read only users
POST /_security/role_mapping/ad-read-only 1 { "enabled": true, "roles": [ "read-only-my-index" ], 2 "rules": { "field": { "realm.name": "my_ad" } 3 }, "metadata": { "version": 1 } }- The name of the role mapping.
- The name of the role we created earlier.
- The name of our Active Directory realm.
Create the relevant role mapping rule for superusers
POST /_security/role_mapping/ldap-superuser 1 { "enabled": true, "roles": [ "superuser" ], 2 "rules": { "all" : [ { "field": { "realm.name": "my_ad" } },<3> { "field": { "groups": "cn=administrators, dc=example, dc=com" } }<4> ] }, "metadata": { "version": 1 } }- The name of the role mapping.
- The name of the role we want to assign, in this case
superuser. - The name of our active_directory realm.
- The DN of the AD group whose members should get the
superuserrole in the deployment.
Let’s assume that you want all your users that authenticate through AD and are members of the cn=my-users,dc=example, dc=com group in AD to have read-only access to a certain index my-index and only the users cn=Senior Manager, cn=management, dc=example, dc=com and cn=Senior Admin, cn=management, dc=example, dc=com to become superusers in your deployment:
Create a file named
role-mappings.ymlwith the following contents:superuser: - cn=Senior Manager, cn=management, dc=example, dc=com - cn=Senior Admin, cn=management, dc=example, dc=com read-only-user: - cn=my-users, dc=example, dc=comPrepare the custom bundle ZIP file
mappings.zip, that contains therole-mappings.ymlfile in the same way that you would on Elastic Cloud.Custom bundles get unzipped under the path
/app/config/BUNDLE_DIRECTORY_STRUCTURE, whereBUNDLE_DIRECTORY_STRUCTUREis the directory structure within the bundle ZIP file itself. For example:$ tree . . └── mappings └── role-mappings.ymlIn our example, the role mappings file is extracted to
/app/config/mappings/role-mappings.ymlUpdate your plan in the advanced configuration editor so that it uses the bundle you prepared in the previous step. Modify the
user_bundlesJSON attribute as shown in the following example:NoteYou must specify the
user_bundlesattribute for each deployment template. You can alter7.*to8.*when needed.{ "cluster_name": "REPLACE_WITH_YOUR_CLUSTER_NAME", "plan": { ... "elasticsearch": { "version": "7.*", "user_bundles": [ { "name": "role-mappings", "url": "https://www.myurl.com/mappings.zip", 1 "elasticsearch_version": "7.*" 2 } ] } }- The URL that points to
mappings.zipmust be accessible to the cluster. - The bundle is compatible with any Elasticsearch
7.*version.
TipUsing a wildcard for the minor version ensures bundles are compatible with the stated Elasticsearch major version to avoid the need to re-upload a new bundle with minor versions upgrades.
- The URL that points to
Update your user settings for the
ldaprealm as follows:xpack: security: authc: realms: active_directory: my_ad: order: 2 domain_name: ad.example.com url: ldaps://ad.example.com:636 1 bind_dn: es_svc_user@ad.example.com ssl: certificate_authorities: ["/app/config/cacerts/ca.crt"] verification_mode: certificate files: role_mapping: "/app/config/mappings/role-mappings.yml" 1- The path where our role mappings file is unzipped.