Update LDAP configuration

PUT /platform/configuration/security/realms/ldap/{realm_id}

Updates an existing LDAP configuration.

Path parameters

  • realm_id string Required

    The Elasticsearch Security realm identifier.

Query parameters

  • version string

    When specified, checks for conflicts against the version stored in the persistent store (returned in 'x-cloud-resource-version' of the GET request)

Body Required

The LDAP configuration

  • id string Required

    The identifier for the security realm

  • name string Required

    The friendly name of the security realm

  • urls array[string] Required

    The LDAP URLs used to authenticate against, in the format ldap[s]://server:port. Note that ldap and ldaps protocols cannot be mixed together.

  • bind_anonymously boolean Required

    When true, bindDb credentials are ignored

  • bind_type string Required

    The type of user binding to apply

    Values are user_search or user_templates.

  • group_search object

    The LDAP group search configuration

    Additional properties are allowed.

    Hide group_search attributes Show group_search attributes object
    • base_dn string

      Specifies a container DN to search for groups in which the user has membership

    • scope string

      Specifies whether the group search should be sub_tree, one_level or base. one_level only searches objects directly contained within the base_dn. The default sub_tree searches all objects contained under base_dn. base specifies that the base_dn is a group object, and that it is the only group considered.

      Values are sub_tree, one_level, or base.

    • filter string

      Specifies a filter to search for a group. When unspecified, the security realm searches for group, groupOfNames, groupOfUniqueNames, or posixGroup with the attributes member, memberOf, or memberUid. Any instance of {0} in the filter is replaced by the user attribute defined in user_attribute.

    • user_attribute string

      Specifies the user attribute that is fetched and provided as a parameter to the filter. When unspecified, the user DN is passed to the filter.

  • user_search object

    The LDAP user search configuration. Only used when bind_type is set to 'user_search'.

    Additional properties are allowed.

    Hide user_search attributes Show user_search attributes object
    • base_dn string

      Specifies a container DN to search for users

    • scope string

      The scope of the user search. Valid values are sub_tree, one_level, or base. one_level only searches objects directly contained in the base_dn. sub_tree searches all objects contained in base_dn. base specifies that the base_dn is the user object, and that it is the only user considered. Defaults to sub_tree.

      Values are sub_tree, one_level, or base.

    • filter string

      Specifies the filter to search the directory and match an entry with the username provided by the user. Defaults to (uid={0}). {0} is substituted with the username provided when searching.

  • user_dn_templates array[string]

    The distinguished name template that replaces the user name with the string {0}. Only used when bind_type is set to 'user_templates'.

  • bind_dn string

    The distinguished name of the user that is used to bind to the LDAP and perform searches. Only used when bind_type is set to 'user_search'.

  • bind_password string

    The user password that is used to bind to the LDAP server. Only used when bind_type is set to 'user_search'.

  • user_group_attribute string

    Specifies the attribute to examine on the user for group membership. If any 'group_search' settings are specified, this setting is ignored. Defaults to 'memberOf'.

  • load_balance object

    The LDAP load balancing behavior

    Additional properties are allowed.

    Hide load_balance attributes Show load_balance attributes object
    • type string

      The behavior to use when there are multiple LDAP URLs defined

      Values are failover, dns_failover, round_robin, or dns_round_robin.

    • cache_ttl string

      When using dns_failover or dns_round_robin as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to 1h.

  • certificate_url string

    The SSL trusted CA certificate bundle URL. The bundle should be a zip file containing a single keystore file 'keystore.ks' in the directory '/ldap/:id/truststore', where :id is the value of the [id] field.

  • certificate_url_truststore_password string

    The password to the certificate bundle URL truststore

  • certificate_url_truststore_type string

    The format of the truststore file. Should be jks to use the Java Keystore format or PKCS12 to use PKCS#12 files. The default is jks.

    Values are jks or PKCS12.

  • role_mappings object

    The role mapping rules associated with the security realm

    Additional properties are allowed.

    Hide role_mappings attributes Show role_mappings attributes object
    • default_roles array[string] Required

      The default roles applied to all users

    • rules array[object] Required

      The role mapping rules to evaluate

      Hide rules attributes Show rules attributes object
      • type string Required

        The type of role mapping rule

        Values are user_dn or group_dn.

      • roles array[string] Required

        The roles that are applied when the mapping rule is successfully evaluated

      • value string Required

        The value to match when evaluating this rule

  • enabled boolean

    When true, enables the security realm

  • order integer(int32)

    The order that the security realm is evaluated

  • override_yaml string

    Advanced configuration options in YAML format. Any settings defined here will override any configuration set via the API. Note that all keys should omit the 'xpack.security.authc.realms.ldap.{realm_id}' prefix. For example, when the realm ID is set to 'ldap1', the advanced configuration 'xpack.security.authc.realms.ldap.ldap1.ssl.verification_mode: full' should be added as 'ssl.verification_mode: full'.

Responses

  • 200

    The LDAP configuration was successfully updated

    Hide headers attributes Show headers attributes

    Additional properties are allowed.
  • 400
    • The realm id is already in use. (code: security_realm.id_conflict)
    • The selected id is not valid. (code: security_realm.invalid_id)
    • Order must be greater than zero. (code: security_realm.invalid_order)
    • Invalid Elasticsearch Security realm type. (code: security_realm.invalid_type)
    • The realm order is already in use. (code: security_realm.order_conflict)
    • Advanced YAML format is invalid. (code: security_realm.invalid_yaml)
    • The url format is invalid. (code: security_realm.invalid_url)
    • Invalid LDAP URL. (code: security_realm.ldap.invalid_url)
    • Invalid certificate bundle URL. (code: security_realm.invalid_bundle_url)
    Hide headers attribute Show headers attribute
    • x-cloud-error-codes string

      The error codes associated with the response

      Values are security_realm.id_conflict, security_realm.invalid_id, security_realm.invalid_order, security_realm.invalid_type, security_realm.order_conflict, security_realm.invalid_yaml, security_realm.invalid_url, security_realm.ldap.invalid_url, or security_realm.invalid_bundle_url.

    Hide response attribute Show response attribute object
    • errors array[object] Required

      A list of errors that occurred in the failing request

      Hide errors attributes Show errors attributes object
      • code string Required

        A structured code representing the error type that occurred

      • message string Required

        A human readable message describing the error that occurred

      • fields array[string]

        If the error can be tied to a specific field or fields in the user request, this lists those fields
  • 404

    The realm specified by {realm_id} cannot be found. (code: security_realm.not_found)

    Hide headers attribute Show headers attribute
    • x-cloud-error-codes string

      The error codes associated with the response

      Value is security_realm.not_found.

    Hide response attribute Show response attribute object
    • errors array[object] Required

      A list of errors that occurred in the failing request

      Hide errors attributes Show errors attributes object
      • code string Required

        A structured code representing the error type that occurred

      • message string Required

        A human readable message describing the error that occurred

      • fields array[string]

        If the error can be tied to a specific field or fields in the user request, this lists those fields
  • 409

    There is a version conflict. (code: security_realm.version_conflict)

    Hide headers attribute Show headers attribute
    • x-cloud-error-codes string

      The error codes associated with the response

      Value is security_realm.version_conflict.

    Hide response attribute Show response attribute object
    • errors array[object] Required

      A list of errors that occurred in the failing request

      Hide errors attributes Show errors attributes object
      • code string Required

        A structured code representing the error type that occurred

      • message string Required

        A human readable message describing the error that occurred

      • fields array[string]

        If the error can be tied to a specific field or fields in the user request, this lists those fields
PUT /platform/configuration/security/realms/ldap/{realm_id} 
curl \
 -X PUT https://{{hostname}}/api/v1/platform/configuration/security/realms/ldap/{realm_id} \
 -d '{"id":"string","name":"string","urls":["string"],"bind_anonymously":true,"bind_type":"user_search","group_search":{"base_dn":"string","scope":"sub_tree","filter":"string","user_attribute":"string"},"user_search":{"base_dn":"string","scope":"sub_tree","filter":"string"},"user_dn_templates":["string"],"bind_dn":"string","bind_password":"string","user_group_attribute":"string","load_balance":{"type":"failover","cache_ttl":"string"},"certificate_url":"string","certificate_url_truststore_password":"string","certificate_url_truststore_type":"jks","role_mappings":{"default_roles":["string"],"rules":[{"type":"user_dn","roles":["string"],"value":"string"}]},"enabled":true,"order":42,"override_yaml":"string"}'
Request examples 
{
  "id": "string",
  "name": "string",
  "urls": [
    "string"
  ],
  "bind_anonymously": true,
  "bind_type": "user_search",
  "group_search": {
    "base_dn": "string",
    "scope": "sub_tree",
    "filter": "string",
    "user_attribute": "string"
  },
  "user_search": {
    "base_dn": "string",
    "scope": "sub_tree",
    "filter": "string"
  },
  "user_dn_templates": [
    "string"
  ],
  "bind_dn": "string",
  "bind_password": "string",
  "user_group_attribute": "string",
  "load_balance": {
    "type": "failover",
    "cache_ttl": "string"
  },
  "certificate_url": "string",
  "certificate_url_truststore_password": "string",
  "certificate_url_truststore_type": "jks",
  "role_mappings": {
    "default_roles": [
      "string"
    ],
    "rules": [
      {
        "type": "user_dn",
        "roles": [
          "string"
        ],
        "value": "string"
      }
    ]
  },
  "enabled": true,
  "order": 42,
  "override_yaml": "string"
}
Response examples (200) 
# Headers
x-cloud-resource-version: string
x-cloud-resource-created: string
x-cloud-resource-last-modified: string

# Payload
{}
Response examples (400) 
# Headers
x-cloud-error-codes: security_realm.id_conflict

# Payload
{
  "errors": [
    {
      "code": "string",
      "message": "string",
      "fields": [
        "string"
      ]
    }
  ]
}
Response examples (404) 
# Headers
x-cloud-error-codes: security_realm.not_found

# Payload
{
  "errors": [
    {
      "code": "string",
      "message": "string",
      "fields": [
        "string"
      ]
    }
  ]
}
Response examples (409) 
# Headers
x-cloud-error-codes: security_realm.version_conflict

# Payload
{
  "errors": [
    {
      "code": "string",
      "message": "string",
      "fields": [
        "string"
      ]
    }
  ]
}