Hello!
For the RPM distribution, I did it this way; not sure it's the best way:
Just install ODfE RPMs.
You can find the security plugin configuration files here:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig
The one for you is config.yml.
In the authc part, you have the LDAP configuration for authentication (to be able to authenticate to Elasticsearch/Kibana).
In the authz part, you have the LDAP configuration for authorization (permissions for users).
    ldap:
      http_enabled: false
      transport_enabled: false
      order: 5
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
        type: ldap
        config:
          # enable ldaps
          enable_ssl: false
          # enable start tls, enable_ssl should be false
          enable_start_tls: false
          # send client certificate
          enable_ssl_client_auth: false
          # verify ldap hostname
          verify_hostnames: true
          hosts:
            - localhost:8389
          bind_dn: null
          password: null
          userbase: 'ou=people,dc=example,dc=com'
          # Filter to search for users (currently in the whole subtree beneath userbase)
          # {0} is substituted with the username
          usersearch: '(sAMAccountName={0})'
          # Use this attribute from the user as username (if not set then DN is used)
          username_attribute: null
Change each parameter to match your LDAP configuration.
An example:
    ldap:
      http_enabled: true
      transport_enabled: false
      order: 5
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
        type: ldap
        config:
          verify_hostnames: true
          # Here you can use 389 or 3268 (better 3268 or you will have some errors)
          hosts:
            - LDAPSERVER.com:3268
          bind_dn: "cn=admin,ou=Users,dc=example,dc=org"
          password: "LDAPpassword"
          # Here is where to find your user accounts, you can just put the general base
          userbase: "dc=example,dc=org"
          usersearch: '(sAMAccountName={0})'
          # Put cn if you want to log in with the username, null if you want the full Distinguished Name, e.g. "cn=user1,dc=example,dc=org"
          username_attribute: "cn"
Don’t forget to change the authz part too, but I can’t help with this, I never tried.
Then run the securityadmin.sh script.
    chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh
    /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem -icl -nhnv -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Your security plugin is then updated and you can login with LDAP.
And documentation can help you.
Hope I was clear enough!
Thi
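
The example configuration in the post above sets neither enable_ssl nor enable_start_tls and points at port 3268, so the bind password and every user's credentials reach the directory unencrypted. As an added example (not part of the original post), here is the same authc block with LDAPS turned on; the host name, service-account DN, password placeholder and CA path are constructed placeholders, and pemtrustedcas_filepath is an assumption to check against the documentation for your plugin version.

```yaml
# Added example: hardened variant of the authc LDAP block from the post.
# Host, DNs, password and CA path are constructed placeholders.
ldap:
  http_enabled: true
  transport_enabled: false
  order: 5
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: ldap
    config:
      # LDAPS: encrypts the bind and every user password check
      enable_ssl: true
      # StartTLS is the alternative to LDAPS; it stays false when enable_ssl is true
      enable_start_tls: false
      enable_ssl_client_auth: false
      # Reject a server certificate that does not match the host name below
      verify_hostnames: true
      # CA that signed the LDAP server certificate (assumed key name and path)
      pemtrustedcas_filepath: /etc/elasticsearch/ldap-root-ca.pem
      hosts:
        # 3269 is the AD global catalog over TLS (3268 is its cleartext port); 636 is plain LDAPS
        - LDAPSERVER.com:3269
      # Dedicated read-only service account instead of a directory admin
      bind_dn: "cn=svc-elastic-ldap,ou=ServiceAccounts,dc=example,dc=org"
      password: "CHANGE_ME"
      userbase: "dc=example,dc=org"
      usersearch: '(sAMAccountName={0})'
      username_attribute: "cn"
```

Because the authenticator type is basic, the user's password is also sent on every HTTP request, so the Elasticsearch HTTP layer needs TLS as well for this to protect credentials end to end.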