2018-05-02 14:22:32 -04:00
|
|
|
[role="xpack"]
|
|
|
|
|
[[tls-ldap]]
|
|
|
|
|
==== Encrypting communications between {es} and LDAP
|
|
|
|
|
|
|
|
|
|
To protect the user credentials that are sent for authentication in an LDAP
|
|
|
|
|
realm, it's highly recommended to encrypt communications between {es} and your
|
|
|
|
|
LDAP server. Connecting via SSL/TLS ensures that the identity of the LDAP server
|
2018-12-19 17:53:37 -05:00
|
|
|
is authenticated before {es} transmits the user credentials and the
|
2018-05-02 14:22:32 -04:00
|
|
|
contents of the connection are encrypted. Clients and nodes that connect via
|
|
|
|
|
TLS to the LDAP server need to have the LDAP server's certificate or the
|
|
|
|
|
server's root CA certificate installed in their keystore or truststore.
|
|
|
|
|
|
2019-11-18 16:29:51 -05:00
|
|
|
For more information, see <<ldap-realm>>.
|
2018-05-02 14:22:32 -04:00
|
|
|
|
|
|
|
|
. Configure the realm's TLS settings on each node to trust certificates signed
|
|
|
|
|
by the CA that signed your LDAP server certificates. The following example
|
|
|
|
|
demonstrates how to trust a CA certificate, `cacert.pem`, located within the
|
2018-12-19 17:53:37 -05:00
|
|
|
{es} configuration directory (ES_PATH_CONF):
|
2018-05-02 14:22:32 -04:00
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack:
|
|
|
|
|
security:
|
|
|
|
|
authc:
|
|
|
|
|
realms:
|
2018-11-05 22:56:50 -05:00
|
|
|
ldap:
|
|
|
|
|
ldap1:
|
|
|
|
|
order: 0
|
|
|
|
|
url: "ldaps://ldap.example.com:636"
|
|
|
|
|
ssl:
|
|
|
|
|
certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
|
2018-05-02 14:22:32 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
The CA certificate must be a PEM encoded.
|
|
|
|
|
|
|
|
|
|
NOTE: You can also specify the individual server certificates rather than the CA
|
|
|
|
|
certificate, but this is only recommended if you have a single LDAP server or
|
|
|
|
|
the certificates are self-signed.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Set the `url` attribute in the realm configuration to specify the LDAPS
|
|
|
|
|
protocol and the secure port number. For example, `url: ldaps://ldap.example.com:636`.
|
|
|
|
|
|
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
NOTE: By default, when you configure {es} to connect to an LDAP server
|
|
|
|
|
using SSL/TLS, it attempts to verify the hostname or IP address
|
2018-05-02 14:22:32 -04:00
|
|
|
specified with the `url` attribute in the realm configuration with the
|
|
|
|
|
values in the certificate. If the values in the certificate and realm
|
2018-12-19 17:53:37 -05:00
|
|
|
configuration do not match, {es} does not allow a connection to the
|
2018-05-02 14:22:32 -04:00
|
|
|
LDAP server. This is done to protect against man-in-the-middle attacks. If
|
|
|
|
|
necessary, you can disable this behavior by setting the
|
2018-11-05 22:56:50 -05:00
|
|
|
`ssl.verification_mode` property to `certificate`.
|
