It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Secure Your Clusters with LDAP

These steps show how you can secure your Elasticsearch clusters and Kibana instances with the Lightweight Directory Access Protocol (LDAP). To authenticate users through LDAP, you must first configure an `ldap` realm and map LDAP groups to user roles using the X-Pack security features.
Before You Begin

The steps in this section require an understanding of LDAP. To learn more about how securing Elasticsearch clusters with LDAP works, see LDAP user authentication.
Configure LDAP for Certificate-Based Authentication (Version 5.0 and Later)

For version 5.0 and later: To configure certificate-based authentication that uses LDAP over SSL:

1. Create an LDAP realm.

   a. Decide which type of verification to perform when connecting to an LDAP server:

      - For self-signed certificates: Use `ssl.verification_mode: certificate` together with the `ssl.truststore.path` and `ssl.truststore.password` settings. This mode validates the certificate chain against the truststore but does not check that the certificate name matches the host you connected to.
      - For certificates issued by a trusted source: Use `ssl.verification_mode: full` together with the `ssl.truststore.path` and `ssl.truststore.password` settings. This mode also verifies the hostname, so prefer it whenever the server certificate carries the correct name.

   b. Create some LDAP entries. In this example, there is one organizational unit `groups` with the `administrators` and `users` groups under it. All of the entries are part of the domain LDAP object `dc=example,dc=com`. The role mapping file in step 3 maps these two groups to the `admin` and `readonly` roles.

2. Prepare a custom bundle as a ZIP file that contains the keystore file holding your LDAP server certificate (or its issuing CA certificate) inside of a `truststore` folder, in the same way that you would on Elastic Cloud. This bundle allows all Elasticsearch containers to access the same keystore file through your `ssl.truststore` settings.

3. Prepare a custom bundle ZIP file with a role mapping file contained inside a `mappings` folder. The contents of the role mapping file in our example are:

   ```yaml
   admin:
     - "cn=administrators,ou=groups,dc=example,dc=com"
   readonly:
     - "cn=users,ou=groups,dc=example,dc=com"
   ```

4. Create a deployment in the Cloud UI that you will update for use with LDAP later on. Use Elasticsearch version 5.x or later.

5. Update your new Elasticsearch cluster in the advanced configuration editor so that it uses the bundles you prepared in a previous step. You need to modify the `user_bundles` JSON attribute similar to the following example:

   ```json
   {
     "cluster_name": "xxxxxxx",
     "plan": {
       ...
       "elasticsearch": {
         "version": "5.5.1",
         "user_bundles": [
           {
             "name": "ldap-cert",
             "url": "https://www.myurl.com/ldapcert.zip",
             "elasticsearch_version": "5.5.1"
           },
           {
             "name": "role-mappings",
             "url": "https://www.myurl.com/role-mappings.zip",
             "elasticsearch_version": "5.5.1"
           }
         ]
       }
     }
   }
   ```

   The URLs that point to the bundle ZIP files (here `ldapcert.zip` and `role-mappings.zip`) must be accessible to the cluster.

6. Note the file locations where custom bundles get unzipped; you will need them in the next step. Custom bundles get unzipped under the path `/app/config/BUNDLE_DIRECTORY_STRUCTURE`, where `BUNDLE_DIRECTORY_STRUCTURE` is the directory structure within the bundle ZIP file itself. For example:

   ```
   $ tree .
   .
   └── truststore
       └── keystore.ks
   ```

   In our example, the unzipped keystore file gets placed under `/app/config/truststore/keystore.ks` and the unzipped role mappings file under `/app/config/mappings/role-mappings.yml`.

7. Add your user settings for the `ldap` realm for your users and groups, and specify your keystore and role mapping files from the previous step. For example:

   ```yaml
   xpack:
     security:
       authc:
         realms:
           ldap1:
             type: ldap
             order: 2
             url: "ldaps://SERVER_IP:636"
             user_search:
               base_dn: "dc=example,dc=com"
               attribute: cn
             group_search:
               base_dn: "ou=groups,dc=example,dc=com"
             ssl:
               verification_mode: certificate
               truststore:
                 path: "/app/config/truststore/keystore.ks"
                 password: "PASSWORD"
             files:
               role_mapping: "/app/config/mappings/role-mappings.yml"
             unmapped_groups_as_roles: false
   ```

   If you set the realm type to `native`, the cluster fails to start. Do not combine the native realm with other authentication methods.

8. After the cluster configuration is updated, log into Kibana with the different users in your LDAP realm and verify that they can access the product features and data you expect. For example, in this case the `readonly` user should be able to read indices based on the roles you granted, but it should not be able to write to indices or manage security features.
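The most common failure in steps 2 through 6 is a bundle whose directory layout does not match the paths the realm settings point at, for example because the parent folder was zipped instead of its contents, so the keystore lands under `/app/config/ldap-cert/truststore/` and the realm cannot find it. The following script is an added example, not part of the Elastic Cloud Enterprise documentation or product code: it builds both bundles in memory, derives where each entry will be unpacked under `/app/config`, rejects layouts that would miss the expected folder, and emits the `user_bundles` fragment for step 5. The keystore bytes and the role mapping content are constructed placeholders; in practice create `keystore.ks` with `keytool` from your LDAP server's CA certificate.

```python
"""Build and sanity-check the two custom bundles from the steps above.

Added example, not part of the Elastic Cloud Enterprise documentation or
product code. It assumes only what the steps state: a bundle is a ZIP whose
directory structure is unpacked under /app/config/, a truststore goes in a
`truststore` folder and a role mapping file in a `mappings` folder.
"""
import io
import json
import zipfile

CONFIG_ROOT = "/app/config"

# Role -> LDAP group DNs, identical to the role mapping file in step 3.
ROLE_MAPPINGS = {
    "admin": ["cn=administrators,ou=groups,dc=example,dc=com"],
    "readonly": ["cn=users,ou=groups,dc=example,dc=com"],
}


def role_mapping_yaml(mappings):
    """Render the role mapping file in the format the ldap realm reads."""
    lines = []
    for role, dns in mappings.items():
        lines.append(f"{role}:")
        lines.extend(f'  - "{dn}"' for dn in dns)
    return "\n".join(lines) + "\n"


def build_bundle(files):
    """Return ZIP bytes for a {relative_path: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def unpacked_paths(zip_bytes):
    """Where each bundle entry lands once ECE unzips it under /app/config."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [f"{CONFIG_ROOT}/{name}" for name in zf.namelist()
                if not name.endswith("/")]


def check_bundle(zip_bytes, expected_folder):
    """Reject entries that would not land in the folder the realm settings
    point at: a wrapping top-level directory (zipping the parent folder by
    mistake), absolute paths, or '..' segments that escape /app/config."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path: {name}")
            elif parts[0] != expected_folder:
                problems.append(
                    f"{name} unpacks to {CONFIG_ROOT}/{name}, "
                    f"not under {CONFIG_ROOT}/{expected_folder}/")
    return problems


def user_bundles(version, bundles):
    """The plan fragment from step 5 for a {bundle_name: url} mapping."""
    return [{"name": name, "url": url, "elasticsearch_version": version}
            for name, url in bundles.items()]


if __name__ == "__main__":
    # Placeholder bytes standing in for a real JKS truststore (constructed).
    fake_keystore = b"\xfe\xed\xfe\xed" + b"\x00" * 16
    cert_zip = build_bundle({"truststore/keystore.ks": fake_keystore})
    maps_zip = build_bundle(
        {"mappings/role-mappings.yml": role_mapping_yaml(ROLE_MAPPINGS)})
    # The classic mistake: the parent directory was zipped as well.
    wrong_zip = build_bundle({"ldap-cert/truststore/keystore.ks": fake_keystore})

    print(unpacked_paths(cert_zip))
    print(unpacked_paths(maps_zip))
    print(check_bundle(wrong_zip, "truststore"))
    print(json.dumps(user_bundles("5.5.1", {
        "ldap-cert": "https://www.myurl.com/ldapcert.zip",
        "role-mappings": "https://www.myurl.com/role-mappings.zip"}), indent=2))
```

Run `check_bundle` against the real ZIP files before you upload them: the paths it prints are exactly the values to put in `ssl.truststore.path` and `files.role_mapping` in step 7.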
Configure LDAP with the Role Mapping API (Version 5.5 and Later)

For version 5.5 and later: To configure certificate-based authentication with LDAP using the Role Mapping API:

1. Follow steps 1 through 5 in the previous section, excluding step 3. These steps walk you through configuring an LDAP realm, creating a custom bundle with your keystore file, creating a deployment, and updating your Elasticsearch cluster configuration to use the bundle.

2. Edit the user settings for your cluster to add minimal LDAP settings, replacing `SERVER_IP` with your own information:

   ```yaml
   xpack:
     security:
       authc:
         realms:
           ldap1:
             type: ldap
             order: 2
             url: "ldap://SERVER_IP:389"
             user_search:
               base_dn: "dc=example,dc=com"
               attribute: cn
             group_search:
               base_dn: "ou=groups,dc=example,dc=com"
             unmapped_groups_as_roles: false
   ```

   This minimal example connects over plain LDAP on port 389, so bind credentials and search results cross the network unencrypted. For a production cluster, use an `ldaps://` URL on port 636 together with the `ssl` settings shown in step 7 of the previous section.

   If you set the realm type to `native`, the cluster fails to start. Do not combine the native realm with other authentication methods.

3. Map roles to your users with the Role Mapping API. For example, you can map the LDAP group of your `admin` user to the built-in `superuser` role and the group of your `readonly` user to some read-only roles.

4. After the cluster configuration is updated, log into Kibana with the different users in your LDAP realm and verify that they can access the functionality and data you expect. For example, in this case, the `readonly` user should be able to read indices based on the roles you granted, but it should not be able to write to indices or manage security features.
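Step 3 above names the Role Mapping API but shows no request. The following is an added example, not from the Elastic Cloud Enterprise documentation: it builds the bodies for `PUT /_xpack/security/role_mapping/<name>`, the endpoint the Role Mapping API uses in Elasticsearch 5.5 through 6.x, from the same group-to-role table the file-based steps use, and can apply them over HTTP with basic authentication. The mapping names `ldap-admins` and `ldap-readonly`, the custom `readonly` role, the cluster URL and the credentials are placeholders chosen for the example.

```python
"""Role Mapping API requests equivalent to the role mapping file.

Added example, not part of the ECE documentation or product. Targets the
5.5-6.x endpoint _xpack/security/role_mapping; mapping names, the custom
`readonly` role and the cluster URL are assumptions for the example.
"""
import base64
import json
import urllib.request

API_PATH = "/_xpack/security/role_mapping/"

# Mapping name -> LDAP groups and the Elasticsearch roles they receive.
GROUP_ROLES = {
    "ldap-admins": {
        "groups": ["cn=administrators,ou=groups,dc=example,dc=com"],
        "roles": ["superuser"],
    },
    "ldap-readonly": {
        "groups": ["cn=users,ou=groups,dc=example,dc=com"],
        "roles": ["readonly"],  # assumed custom role with read-only index privileges
    },
}


def role_mapping_body(groups, roles, realm=None):
    """Body for PUT _xpack/security/role_mapping/<name>.

    Rules match on the `groups` metadata the ldap realm supplies. One group
    becomes a single `field` rule; several groups become an `any` of them.
    Pinning the rule to the realm name stops the same group DN, if it ever
    appears in another realm, from granting these roles there too."""
    if not groups:
        raise ValueError("at least one group DN is required")
    group_rules = [{"field": {"groups": dn}} for dn in groups]
    rule = group_rules[0] if len(group_rules) == 1 else {"any": group_rules}
    if realm:
        rule = {"all": [rule, {"field": {"realm.name": realm}}]}
    return {"roles": list(roles), "enabled": True, "rules": rule}


def build_requests(table, realm=None):
    """(method, path, body) for every mapping in the table."""
    return [("PUT", API_PATH + name,
             role_mapping_body(spec["groups"], spec["roles"], realm))
            for name, spec in table.items()]


def send(base_url, user, password, requests):
    """Apply the mappings over HTTP with basic auth (needs a live cluster)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    for method, path, body in requests:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, method=method,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)


if __name__ == "__main__":
    for method, path, body in build_requests(GROUP_ROLES, realm="ldap1"):
        print(method, path)
        print(json.dumps(body, indent=2))
    # To apply against a real cluster (placeholder URL and credentials):
    # send("https://CLUSTER_ENDPOINT:9243", "elastic", "PASSWORD",
    #      build_requests(GROUP_ROLES, realm="ldap1"))
```

The `realm` argument restricts each mapping to `ldap1`; leave it out only if you intend the same group DNs to grant roles from every realm that reports them.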
Configure LDAP with a Role Mapping File (Version 2.x)

For version 2.x: To configure certificate-based authentication with LDAP using a role mapping file:

1. Follow steps 1 through 5 in the first section, excluding step 1a. These steps walk you through configuring an LDAP realm, creating a custom bundle with your keystore file, creating a deployment, and updating your cluster configuration to use the bundle. Make sure you use the correct cluster version.

2. Add your user settings for LDAP, replacing `myuser` with your own user. The `truststore` section must be placed outside the `realms` section for these settings to work.

   ```yaml
   shield:
     ssl:
       truststore:
         path: "/app/config/trusted/trusted.ks"
         password: "PASSWORD"
     authc:
       realms:
         ldap1:
           type: ldap
           order: 2
           url: "ldaps://SERVER_IP:636"
           bind_dn: "uid=myuser,dc=example,dc=com"
           bind_password: PASSWORD
           user_search:
             base_dn: "dc=example,dc=com"
             attribute: cn
           group_search:
             base_dn: "ou=groups,dc=example,dc=com"
           unmapped_groups_as_roles: false
           files:
             role_mapping: "/app/config/mappings/role_mapping.yml"
           hostname_verification: false
   ```

   With `hostname_verification: false`, Shield still validates the server certificate against the truststore but does not check that the certificate name matches `SERVER_IP`. The `bind_dn` and `bind_password` values are stored in plain text in the cluster's user settings, so use a dedicated directory account that has only read access to the user and group subtrees.

   If you set the realm type to `native`, the cluster fails to start. Do not combine the native realm with other authentication methods.

3. After the cluster configuration is updated, log into Kibana with the different users in your LDAP realm and verify that they can access the functionality and data you expect. For example, the `readonly` user should be able to read indices based on the roles you granted, but it should not be able to write to indices or manage security features.
Configure LDAP and Active Directory

The steps in this section require an understanding of Active Directory. To learn more about how securing Elasticsearch clusters with Active Directory works, see AD user authentication.

To configure LDAP with Active Directory:

1. Create or use an existing deployment.

2. If you are planning to encrypt the communication between ECE and the Active Directory, upload a custom bundle as a ZIP file to your Elasticsearch cluster in the advanced configuration editor. The bundle should contain the keystore file holding your domain controller's certificate (or its issuing CA certificate) inside of a `truststore` folder, allowing all Elasticsearch containers to access the same keystore file through your `ssl.truststore` settings. You need to modify the `user_bundles` JSON attribute similar to the following example:

   ```json
   {
     "cluster_name": "xxxxxxx",
     "plan": {
       ...
       "elasticsearch": {
         "version": "6.4.1",
         "user_bundles": [
           {
             "name": "ad-cert",
             "url": "https://www.myurl.com/adcert.zip",
             "elasticsearch_version": "6.4.1"
           },
           {
             "name": "role-mappings",
             "url": "https://www.myurl.com/role-mappings.zip",
             "elasticsearch_version": "6.4.1"
           }
         ]
       }
     }
   }
   ```

   The URLs that point to the bundle ZIP files (here `adcert.zip` and `role-mappings.zip`) must be accessible to the cluster.

3. Restart the Elasticsearch cluster.

4. Configure the user settings for your Elasticsearch cluster to use Active Directory:

   ```yaml
   xpack:
     security:
       authc:
         realms:
           active_directory:
             type: active_directory
             order: 2
             domain_name: AD_DOMAIN_NAME.com
             url: ldaps://SERVER_IP:636
             user_search:
               base_dn: "dc=example,dc=com"
               attribute: cn
             group_search:
               base_dn: "ou=groups,dc=example,dc=com"
             unmapped_groups_as_roles: false
             ssl:
               verification_mode: certificate
               truststore:
                 path: "/app/config/pem/keystore.ks"
                 password: "secret"
   ```

   There are three SSL verification mode options:

   - `certificate` for self-signed certificates. Must include the `path` and `password`. The certificate chain is checked against the truststore, but the hostname is not.
   - `full` for certificates issued by a trusted source. Must include the `path` and `password`. Checks both the chain and the hostname.
   - `none` where all certificates are trusted, regardless of issuer. The connection is encrypted but the server is not authenticated, so anyone who can intercept the connection can impersonate the domain controller and capture bind credentials. Use it only for troubleshooting.

   Alternatively, you can remove these lines entirely to avoid using SSL, in which case use an `ldap://` URL on port 389 as well. Bind credentials and directory data are then sent in clear text.

5. After the cluster configuration is updated, log into Kibana with the different users in your Active Directory realm and verify that they can access the product features and data you expect. For example, in this case the `readonly` user should be able to read indices based on the roles you granted, but they should not be able to write to indices or manage security features.

   If you set the realm type to `native`, the cluster fails to start. Do not combine the native realm with other authentication methods.
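The verification mode choices above, the plain `ldap://` fallback, the clear-text bind password from the 2.x section and the rule against mixing the `native` realm with other realms are all things worth checking mechanically before a plan change is applied. The following linter is an added example, not part of Elastic Cloud Enterprise or Elasticsearch: it takes the realm settings as the flattened dotted keys Elasticsearch accepts (the nested YAML in the sections above flattens to the same keys) and reports the weak patterns discussed on this page. The two sample configurations are constructed for the example: `WEAK` collects the risky options, `HARDENED` is the corrected form.

```python
"""Lint xpack.security.authc realm settings for the weak choices discussed
in the LDAP and Active Directory sections above.

Added example, not part of ECE or Elasticsearch. Settings are flattened
dotted keys; the WEAK and HARDENED samples below are constructed.
"""

PREFIX = "xpack.security.authc.realms."


def realms(settings):
    """Group flattened settings into {realm_name: {setting: value}}."""
    out = {}
    for key, value in settings.items():
        if key.startswith(PREFIX):
            name, _, rest = key[len(PREFIX):].partition(".")
            out.setdefault(name, {})[rest] = value
    return out


def lint_realms(settings):
    """Return a list of (realm, finding) tuples; empty means nothing weak."""
    grouped = realms(settings)
    findings = []
    for name, cfg in grouped.items():
        rtype = cfg.get("type")
        if rtype == "native" and len(grouped) > 1:
            findings.append((name, "native realm combined with other realms; the cluster will not start"))
        if rtype not in ("ldap", "active_directory"):
            continue
        url = str(cfg.get("url", ""))
        if url.startswith("ldap://"):
            findings.append((name, "plain ldap:// URL: bind credentials sent in clear text"))
        mode = cfg.get("ssl.verification_mode", "full")
        if mode == "none":
            findings.append((name, "verification_mode none: server not authenticated, MITM possible"))
        elif mode == "certificate":
            findings.append((name, "verification_mode certificate: hostname not checked, prefer full"))
        if url.startswith("ldaps://") and mode != "none" and not cfg.get("ssl.truststore.path"):
            findings.append((name, "ldaps without ssl.truststore.path: server certificate is not checked against your bundled truststore"))
        if cfg.get("bind_password"):
            findings.append((name, "bind_password in user settings: stored in plain text; use a least-privilege bind account"))
        if cfg.get("unmapped_groups_as_roles") in (True, "true"):
            findings.append((name, "unmapped_groups_as_roles true: every unmapped LDAP group becomes a role name"))
    return findings


# Constructed sample: the risky options from this page in one place.
WEAK = {
    "xpack.security.authc.realms.ldap1.type": "ldap",
    "xpack.security.authc.realms.ldap1.order": 2,
    "xpack.security.authc.realms.ldap1.url": "ldap://SERVER_IP:389",
    "xpack.security.authc.realms.ldap1.bind_dn": "uid=myuser,dc=example,dc=com",
    "xpack.security.authc.realms.ldap1.bind_password": "PASSWORD",
    "xpack.security.authc.realms.ldap1.unmapped_groups_as_roles": True,
    "xpack.security.authc.realms.ad1.type": "active_directory",
    "xpack.security.authc.realms.ad1.order": 3,
    "xpack.security.authc.realms.ad1.url": "ldaps://SERVER_IP:636",
    "xpack.security.authc.realms.ad1.ssl.verification_mode": "none",
}

# Constructed sample: the corrected form (ldaps, full verification, bundled truststore).
HARDENED = {
    "xpack.security.authc.realms.ldap1.type": "ldap",
    "xpack.security.authc.realms.ldap1.order": 2,
    "xpack.security.authc.realms.ldap1.url": "ldaps://ldap.example.com:636",
    "xpack.security.authc.realms.ldap1.ssl.verification_mode": "full",
    "xpack.security.authc.realms.ldap1.ssl.truststore.path": "/app/config/truststore/keystore.ks",
    "xpack.security.authc.realms.ldap1.ssl.truststore.password": "PASSWORD",
    "xpack.security.authc.realms.ldap1.files.role_mapping": "/app/config/mappings/role-mappings.yml",
    "xpack.security.authc.realms.ldap1.unmapped_groups_as_roles": False,
}

if __name__ == "__main__":
    for realm, finding in lint_realms(WEAK):
        print(f"{realm}: {finding}")
    print("hardened findings:", lint_realms(HARDENED))
```

The `certificate` finding is informational: it is the right choice for a self-signed server certificate, as the page says, but `full` should be used as soon as the directory presents a certificate with its real hostname.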