Shield Docs: Clarified that Shield does not support AD distribution groups. Closes elastic/elasticsearch#520.

Original commit: elastic/x-pack-elasticsearch@39f57ff08d
debadair 2015-09-21 10:22:33 -07:00
parent 0123d33e87
commit 84ffc956a8
2 changed files with 10 additions and 3 deletions


@ -1,7 +1,8 @@
[[mapping-roles]]
=== Mapping Users and Groups to Roles
If you authenticate users with an `esusers` realm, you can assign roles when you <<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles.
If you authenticate users with an `esusers` realm, you can assign roles when you
<<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles.
For other types of realms, you configure role mappings for users and groups in a YAML file
and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.
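Review bot: this hunk only rewraps the `esusers` sentence onto two lines, with no change in wording; it is unrelated to the distribution-group clarification the commit message describes, so consider dropping it to keep the diff focused on the fix.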
@ -28,8 +29,12 @@ groups in the role mappings, you use their _Distinguished Names_ (DNs). A DN
is a string that uniquely identifies the user or group, for example
`"cn=John Doe,cn=contractors,dc=example,dc=com"`.
NOTE: Shield only supports Active Directory security groups. You cannot map distribution groups
to roles.
[[ldap-role-mapping]]
LDAP and Active Directory realms support mapping both users and groups to roles. For example:
For example, the following snippet maps the `admins` group to the `monitoring` role and maps
`John Doe`, the `users` group, and the `admins` group to the `user` role.
[source, yaml]
------------------------------------------------------------
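Review bot: the new admonition (`NOTE: Shield only supports Active Directory security groups. You cannot map distribution groups to roles.`) sits in the general DN paragraph, before the `[[ldap-role-mapping]]` anchor, where it reads as if Shield supports only Active Directory groups and not LDAP groups at all; lead with the realm it applies to, for example `NOTE: When you use an Active Directory realm, Shield only supports security groups. You cannot map distribution groups to roles.` The rewritten example intro also drops the sentence `LDAP and Active Directory realms support mapping both users and groups to roles.`, which was the one place this section said so; keep it ahead of `For example, the following snippet ...`.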
@ -41,7 +46,7 @@ user:
- "cn=admins,dc=example,dc=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>.
<2> The distinguished name of an LDAP or Active Directory group.
<2> The distinguished name of an LDAP group or an Active Directory security group.
<3> The distinguished name of an LDAP or Active Directory user. added[1.1.0]
[[pki-role-mapping]]


@ -21,6 +21,8 @@ unit_ (`ou`), _organization_ (`o`), and _domain controller_ (`dc`).
The path to a entry is a _Distinguished Name_ (DN) that uniquely identifies a user or group. User
and group names typically have attributes such as a _common name_ (`cn`) or _unique ID_ (`uid`).
A DN is specified as a string, for example `"cn=admin,dc=example,dc=com"`. White space is ignored.
Shield only supports Active Directory security groups. You cannot map distribution groups
to roles.
NOTE: When you use Active Directory for authentication, the username entered by the user is expected
to match the `sAMAccountName` or `userPrincipalName`, not the common name.
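Review bot: the sentence added before the `NOTE:` paragraph states the same restriction as the admonition in the role-mapping file, but without the `NOTE:` marker and without naming the realm; in a paragraph that explains DNs generically, `Shield only supports Active Directory security groups` can be read as excluding LDAP groups. Suggest either folding it into the Active Directory `NOTE:` that follows or giving it its own `NOTE: When you use Active Directory, ...` so both files carry identical wording. While here, the unchanged context line `The path to a entry` should read `The path to an entry`.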