Shield Docs: Clarified that Shield does not support AD distribution groups. Closes elastic/elasticsearch#520.

Original commit: elastic/x-pack-elasticsearch@39f57ff08d
This commit is contained in:
debadair 2015-09-21 10:22:33 -07:00
parent 0123d33e87
commit 84ffc956a8
2 changed files with 10 additions and 3 deletions

View File

@ -1,7 +1,8 @@
[[mapping-roles]] [[mapping-roles]]
=== Mapping Users and Groups to Roles === Mapping Users and Groups to Roles
If you authenticate users with an `esusers` realm, you can assign roles when you <<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles. If you authenticate users with an `esusers` realm, you can assign roles when you
<<esusers-add,add a user>> and use the <<esusers-roles,`roles`>> command to add or remove roles.
For other types of realms, you configure role mappings for users and groups in a YAML file For other types of realms, you configure role mappings for users and groups in a YAML file
and copy it to each node in the cluster. Tools like Puppet or Chef can help with this. and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.
@ -28,8 +29,12 @@ groups in the role mappings, you use their _Distinguished Names_ (DNs). A DN
is a string that uniquely identifies the user or group, for example is a string that uniquely identifies the user or group, for example
`"cn=John Doe,cn=contractors,dc=example,dc=com"`. `"cn=John Doe,cn=contractors,dc=example,dc=com"`.
NOTE: Shield only supports Active Directory security groups. You cannot map distribution groups
to roles.
[[ldap-role-mapping]] [[ldap-role-mapping]]
LDAP and Active Directory realms support mapping both users and groups to roles. For example: For example, the following snippet maps the `admins` group to the `monitoring` role and maps
`John Doe`, the `users` group, and the `admins` group to the `user` role.
[source, yaml] [source, yaml]
------------------------------------------------------------ ------------------------------------------------------------
@ -41,7 +46,7 @@ user:
- "cn=admins,dc=example,dc=com" - "cn=admins,dc=example,dc=com"
------------------------------------------------------------ ------------------------------------------------------------
<1> The name of a Shield role defined in the <<defining-roles, roles file>>. <1> The name of a Shield role defined in the <<defining-roles, roles file>>.
<2> The distinguished name of an LDAP or Active Directory group. <2> The distinguished name of an LDAP group or an Active Directory security group.
<3> The distinguished name of an LDAP or Active Directory user. added[1.1.0] <3> The distinguished name of an LDAP or Active Directory user. added[1.1.0]
[[pki-role-mapping]] [[pki-role-mapping]]
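Review bot: the rewritten intro to `[[ldap-role-mapping]]` drops the statement "LDAP and Active Directory realms support mapping both users and groups to roles" and replaces it with a description of the example; keep the capability sentence and let the example description follow it, otherwise the section no longer says what is supported before showing it. The new NOTE states that distribution groups cannot be mapped but not what an operator sees when a mapping lists one; since a user whose only mappings go through distribution groups will end up without the expected roles, consider one sentence telling administrators to verify their mapped DNs are security groups when a user unexpectedly lacks privileges. The same NOTE text is added verbatim in the second file of this commit; an AsciiDoc include of a shared snippet would keep the two from drifting.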

View File

@ -21,6 +21,8 @@ unit_ (`ou`), _organization_ (`o`), and _domain controller_ (`dc`).
The path to a entry is a _Distinguished Name_ (DN) that uniquely identifies a user or group. User The path to a entry is a _Distinguished Name_ (DN) that uniquely identifies a user or group. User
and group names typically have attributes such as a _common name_ (`cn`) or _unique ID_ (`uid`). and group names typically have attributes such as a _common name_ (`cn`) or _unique ID_ (`uid`).
A DN is specified as a string, for example `"cn=admin,dc=example,dc=com"`. White space is ignored. A DN is specified as a string, for example `"cn=admin,dc=example,dc=com"`. White space is ignored.
Shield only supports Active Directory security groups. You cannot map distribution groups
to roles.
NOTE: When you use Active Directory for authentication, the username entered by the user is expected NOTE: When you use Active Directory for authentication, the username entered by the user is expected
to match the `sAMAccountName` or `userPrincipalName`, not the common name. to match the `sAMAccountName` or `userPrincipalName`, not the common name.
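Review bot: the added sentence here is a plain paragraph while the identical text in the role-mapping file is a `NOTE:` admonition; use the same form in both places (the admonition is the more visible one for a restriction like this). Also, the unchanged context line still reads "The path to a entry"; since this hunk is already touching the paragraph, fixing it to "The path to an entry" would be cheap.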