This document is published with MrDoc.
# ES LDAP Integration
Test environment: OS: CentOS Linux release 7.6.1810 (Core); ES version: 7.9.2

## Preparation

### Installing ES

Download the Linux package from the official site: [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch)

```
curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz
tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz
cd elasticsearch-7.9.2
./bin/elasticsearch
```

### Enabling the security features

Use the tools shipped with ES. See [Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates).

```
# cd ES-HOME-DIR
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mv elastic-certificates.p12 config
vi config/elasticsearch.yml
```

Point the configuration file at the certificate:

```
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
```

### Setting passwords

Set the access passwords; these are the passwords of the `elastic` user and of the other built-in system users.

```
bin/elasticsearch-setup-passwords auto
```

Save the generated passwords.

Verify the service:

```
$ curl https://127.0.0.1:9200/_cat/health -k -u elastic:KofFTZGdqZ8QggP3kLJw
1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0%
```

### Requesting a trial license

LDAP authentication requires it. This starts a 30-day trial.

```
curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw
```

## Configuring LDAP authentication

### Editing the configuration file

X-Pack currently supports two ways of configuring LDAP authentication:

- user search mode;
- a mode with specific templates for user DNs.

User search mode is the most common. In this mode a dedicated user with permission to search the LDAP directory looks up the DN of the user being authenticated, based on the username supplied to X-Pack and an LDAP attribute. Once the DN is found, X-Pack attempts to bind to the LDAP server with that DN and the supplied password in order to verify the user. See [Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html) for details.

The following shows how the LDAP administrative DN is configured; add this to the Elasticsearch YML file.

```
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://10.0.1.5"
            #url: "ldaps://10.0.1.5:636"
            bind_dn: "cn=Manager, dc=roywork, dc=com"   # admin DN
            bind_password: 123456                       # admin password
            user_search:
              base_dn: "dc=roywork,dc=com"              # user search scope
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=roywork,dc=com"
            files:
              role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml"  # role mapping file
            unmapped_groups_as_roles: false
```

| Parameter | Description |
| --- | --- |
| `type` | Sets the realm type; it must be `ldap` here. |
| `url` | The LDAP server URL and port. `ldap` means a plain connection on port 389; `ldaps` means an SSL connection on port 636. |
| `bind_dn` | DN of the user used to bind to LDAP and perform searches; applies to user search mode only. |
| `bind_password` | Password of the user used to bind to the LDAP directory. |
| `user_search.base_dn` | Container DN for user searches. |
| `group_search.base_dn` | Container DN to search for the groups the user is a member of. When this parameter is absent, Elasticsearch looks at the attribute named by `user_group_attribute` to determine membership. |
| `unmapped_groups_as_roles` | Default `false`. If set to `true`, the name of any unmapped LDAP group is assigned to the user as a role name. |

### Mapping LDAP groups/users to ES roles

#### File based

`role_mapping.yml` is optional and is shown here only for reference. Mappings are usually configured through the API, because the file approach needs a copy on every node.

```
superuser:
  - "cn=Manager,dc=roywork,dc=com"
```

#### API based

Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node.
**Usage**: the following maps the LDAP `admins` group to both the `monitoring` and `user` roles.

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : {
    "groups" : "cn=admins,dc=example,dc=com"
  } },
  "enabled": true
}
```

A real example:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Add a new user in LDAP; the result is the same as above, which shows that the LDAP integration works.

## References

[ElasticSearch with LDAP for permission and user control](https://www.jianshu.com/p/7154e80490ad)
[Integrating elasticsearch with LDAP](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
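The two pieces above (user search mode and role-mapping rules) as an added, runnable model that is not part of the article or of Elasticsearch: it replays the realm's bind-search-bind sequence with the article's `ldap1` settings against a constructed in-memory directory, then evaluates role-mapping rules, including the article's `*,ou=People,dc=roywork,dc=com` DN rule beside a group-based alternative. The directory entries, the `es-admins`/`es-readers` groups and the `viewer` role are invented for the example.

```python
"""Model of an Elasticsearch LDAP realm in user-search mode plus role-mapping
evaluation. Added example with an in-memory stand-in directory; it is not
Elastic's code and does not talk to a real LDAP server."""
import fnmatch
import re

def normalize_dn(dn):
    """Canonical form for DN comparison: no blanks after commas, lower case."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def escape_filter_value(value):
    """RFC 4515 escaping, so a username cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

# Constructed stand-in for dc=roywork,dc=com (entries are invented).
DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in {
    "cn=Manager,dc=roywork,dc=com": {
        "cn": "Manager", "userPassword": "123456", "memberOf": []},
    "cn=ldapuser2,ou=People,dc=roywork,dc=com": {
        "cn": "ldapuser2", "userPassword": "123456",
        "memberOf": ["cn=es-readers,ou=Groups,dc=roywork,dc=com"]},
    "cn=alice,ou=People,dc=roywork,dc=com": {
        "cn": "alice", "userPassword": "s3cret",
        "memberOf": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"]},
}.items()}

REALM = {  # the ldap1 settings from the article
    "bind_dn": "cn=Manager, dc=roywork, dc=com",
    # The article keeps this in elasticsearch.yml; ES 7.x can instead read it
    # from the keystore as secure_bind_password.
    "bind_password": "123456",
    "user_search": {"base_dn": "dc=roywork,dc=com", "filter": "(cn={0})"},
}

def ldap_bind(dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry["userPassword"] == password

def ldap_search(base_dn, ldap_filter):
    """Subtree search supporting the single equality filter the realm uses."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    base = normalize_dn(base_dn)
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and attrs.get(attr) == wanted]

def authenticate(username, password):
    """User-search mode: bind as the service account, look up the user's DN
    with the realm filter, then bind as that DN. Returns (dn, groups) or None."""
    if not ldap_bind(REALM["bind_dn"], REALM["bind_password"]):
        raise RuntimeError("service account bind failed")
    cfg = REALM["user_search"]
    hits = ldap_search(cfg["base_dn"],
                       cfg["filter"].replace("{0}", escape_filter_value(username)))
    if len(hits) != 1:  # unknown user or ambiguous result: refuse
        return None
    if not ldap_bind(hits[0], password):
        return None
    return hits[0], [normalize_dn(g) for g in DIRECTORY[hits[0]]["memberOf"]]

ROLE_MAPPINGS = {
    # The article's mapping: every entry under ou=People becomes superuser.
    "users": {"roles": ["superuser"], "enabled": True,
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
    # Narrower alternatives: the role follows group membership instead.
    "admins": {"roles": ["superuser"], "enabled": True, "rules": {
        "field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}}},
    "readers": {"roles": ["viewer"], "enabled": True, "rules": {
        "field": {"groups": "cn=es-readers,ou=Groups,dc=roywork,dc=com"}}},
}

def rule_matches(rule, user):
    """Evaluate field / any / all / except rules; '*' in a value is a wildcard."""
    if "field" in rule:
        (name, pattern), = rule["field"].items()
        norm = normalize_dn if name in ("dn", "groups") else str
        values = user[name] if isinstance(user[name], list) else [user[name]]
        patterns = pattern if isinstance(pattern, list) else [pattern]
        return any(fnmatch.fnmatchcase(v, norm(p)) for v in values for p in patterns)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    return not rule_matches(rule["except"], user)

def resolve_roles(username, password, mappings=ROLE_MAPPINGS):
    """Authenticate, then collect the roles of every enabled mapping that matches."""
    auth = authenticate(username, password)
    if auth is None:
        return None
    user = {"dn": auth[0], "groups": auth[1], "username": username}
    return sorted({role for m in mappings.values()
                   if m["enabled"] and rule_matches(m["rules"], user)
                   for role in m["roles"]})

if __name__ == "__main__":
    for name, pw in (("ldapuser2", "123456"), ("alice", "s3cret"), ("*", "123456")):
        print(name, "->", resolve_roles(name, pw))
```

With the article's DN rule in place, a read-only user such as `ldapuser2` also receives `superuser`; dropping that mapping leaves only the group-derived `viewer` role.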
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Add a new user in LDAP and repeat the request: the same listing comes back, which confirms that the LDAP integration works. Two negative checks complete the test: a wrong password must be rejected with `401`, and a user that binds successfully but matches no role mapping has no roles (the realm is configured with `unmapped_groups_as_roles: false`) and is refused anything that needs a privilege, such as `GET /_cat/indices`.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) (ElasticSearch with LDAP for permission and user control, Chinese)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) (connecting Elasticsearch to LDAP, Chinese)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation source)
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
**Usage**

The example from the Elastic documentation maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

An example from this setup. Two things to note about the request: `/_xpack/security/...` is the pre-7.0 path and has been deprecated since 7.0 in favour of `/_security/...` (the form used in the snippet above); it still works on 7.9.2, but new automation should use `/_security/`. `-k` disables certificate verification; that is tolerable against a local test node using the self-signed CA created earlier, but for anything else export the CA certificate from `elastic-stack-ca.p12` in PEM form and pass it with `--cacert` instead.

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Be clear about what this rule grants: every entry below `ou=People,dc=roywork,dc=com` (the `*` also spans sub-OUs) receives `superuser`, which is full cluster and index administration. That is fine for proving the realm works, but in production map LDAP groups (the `groups` field, as in the documentation example; the realm's group search configured above is what populates it) to least-privilege roles, and reserve `superuser` for an explicitly named administrator group.

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [ "superuser" ],
    "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } },
    "metadata" : { }
  }
}
```

## Test

Connect as a user that exists in LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding another user in LDAP and repeating the request gives the same result, which shows that the LDAP integration works. A `/_cat` listing that succeeds only proves that the user authenticated and holds `superuser`; to see which realm actually authenticated the user and which roles the mapping resolved to, call `GET /_security/_authenticate` with the LDAP user's credentials and check the `roles` and `authentication_realm` fields of the response.

## References

- [ElasticSearch结合LDAP实现权限、用户管控 (Elasticsearch with LDAP for permission and user management)](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接 (Integrating Elasticsearch with LDAP)](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
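The role mapping is the point where LDAP identities turn into Elasticsearch privileges, so it is worth checking what a rule actually matches before pushing it to a cluster. The following Python is an added example, not code from the page or from Elastic: it re-implements the rule DSL accepted by `PUT /_security/role_mapping` (`field`, `any`, `all`, `except`, `*` wildcards, dotted field names such as `realm.name`) and runs the page's own `*,ou=People,dc=roywork,dc=com` mapping and a group-based alternative against constructed users. The group DNs (`cn=es-admins,...`, `cn=es-readers,...`), the `ou=Service` branch, the users `analyst1` and `svc-backup`, and the roles `log_reader` and `cluster_monitor` are assumptions, and the DN canonicalisation is an approximation of what Elasticsearch does.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example, not
code from the page or from Elastic). It re-implements the rule DSL accepted by
PUT /_security/role_mapping: field / any / all / except, '*' wildcards, dotted
field names, so a mapping can be audited against constructed users first."""
import re


def glob_match(pattern, value):
    """Elasticsearch-style wildcard match: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def normalize_dn(dn):
    """Approximates Elasticsearch's DN canonicalisation: no space around commas, lower-case."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def user_field(user, name):
    """Resolve a dotted field name such as 'realm.name' against the user dict."""
    value = user
    for part in name.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def evaluate(rule, user):
    """Evaluate one rule object against a user; True when the rule matches."""
    if len(rule) != 1:
        raise ValueError("a rule object must have exactly one key")
    kind, body = next(iter(rule.items()))
    if kind == "field":
        (name, patterns), = body.items()
        patterns = [str(p) for p in (patterns if isinstance(patterns, list) else [patterns])]
        values = user_field(user, name)
        values = [str(v) for v in (values if isinstance(values, list) else [values]) if v is not None]
        if name in ("dn", "groups"):  # DN-valued fields are compared canonicalised
            patterns, values = [normalize_dn(p) for p in patterns], [normalize_dn(v) for v in values]
        return any(glob_match(p, v) for p in patterns for v in values)
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    raise ValueError(f"unknown rule type: {kind}")


def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user.
    'mappings' has the shape returned by GET /_security/role_mapping."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping.get("roles", []))
    return roles


def wildcard_superuser_mappings(mappings):
    """Names of mappings that hand out 'superuser' through a wildcard field rule."""
    def has_wildcard(rule):
        kind, body = next(iter(rule.items()))
        if kind == "field":
            (_, patterns), = body.items()
            return any("*" in str(p) for p in (patterns if isinstance(patterns, list) else [patterns]))
        if kind in ("any", "all"):
            return any(has_wildcard(r) for r in body)
        return False  # an 'except' wildcard narrows a mapping rather than widening it
    return sorted(name for name, m in mappings.items()
                  if "superuser" in m.get("roles", []) and has_wildcard(m["rules"]))


# Constructed sample users, shaped like the data the ldap realm hands to the
# role-mapping engine. The group DNs and the ou=Service branch are assumptions.
SAMPLE_USERS = [
    {"username": "ldapuser2", "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
     "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"], "realm": {"name": "ldap1"}},
    {"username": "analyst1", "dn": "cn=analyst1,ou=Analytics,ou=People,dc=roywork,dc=com",
     "groups": ["cn=es-readers,ou=Groups,dc=roywork,dc=com"], "realm": {"name": "ldap1"}},
    {"username": "svc-backup", "dn": "cn=svc-backup,ou=Service,dc=roywork,dc=com",
     "groups": [], "realm": {"name": "ldap1"}},
]

# The mapping the page creates: any entry under ou=People, sub-OUs included, becomes superuser.
PAGE_MAPPINGS = {"users": {"enabled": True, "roles": ["superuser"],
                           "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}}}

# Least-privilege alternative (group names and the roles 'log_reader' / 'cluster_monitor'
# are assumptions): roles follow group membership, only for users authenticated by ldap1.
GROUP_MAPPINGS = {
    "es-admins": {"enabled": True, "roles": ["cluster_monitor", "log_reader"], "rules": {"all": [
        {"field": {"realm.name": "ldap1"}},
        {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}}]}},
    "es-readers": {"enabled": True, "roles": ["log_reader"], "rules": {"all": [
        {"field": {"realm.name": "ldap1"}},
        {"field": {"groups": "cn=es-readers,ou=Groups,dc=roywork,dc=com"}},
        {"except": {"field": {"dn": "*,ou=Service,dc=roywork,dc=com"}}}]}},
}

if __name__ == "__main__":
    for label, mappings in (("page mapping", PAGE_MAPPINGS), ("group mapping", GROUP_MAPPINGS)):
        print(label, {u["username"]: sorted(roles_for(u, mappings)) for u in SAMPLE_USERS},
              "wildcard superuser grants:", wildcard_superuser_mappings(mappings))
```

Running it shows the difference between the two approaches: under the page's mapping both `ldapuser2` and `analyst1` (who sits in a sub-OU) become `superuser`, while under the group mappings each gets only the roles of the groups they belong to and the service account gets nothing. The `mappings` dict has the same shape as the body returned by `GET /_security/role_mapping`, so the verification response from the page can be passed straight to `roles_for`; `wildcard_superuser_mappings` flags the page's `users` mapping and nothing in the group-based set.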
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
**Usage**

The following example maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : {
    "field" : { "groups" : "cn=admins,dc=example,dc=com" }
  },
  "enabled": true
}
```

A real example from this setup (the `dn` wildcard matches every entry under `ou=People,dc=roywork,dc=com`):

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP and repeating the test gives the same result, which shows that the LDAP integration works.

## References

- [ElasticSearch with LDAP for permission and user management](https://www.jianshu.com/p/7154e80490ad)
- [Integrating Elasticsearch with LDAP](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
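The role mapping rules above (`field` on `groups` or `dn`, combinable with `any`/`all`/`except`) decide which LDAP users receive which roles. The following is an added example, not code from this page or from Elastic: a hypothetical, simplified Python evaluator of those rules, run over constructed sample users and the two mappings shown above, so a mapping can be previewed before it is PUT into the cluster; it also evaluates a tightened `all` rule that limits `superuser` to members of a hypothetical `cn=es-admins` group instead of everyone under `ou=People`.

```python
"""Hypothetical, simplified evaluator for Elasticsearch role-mapping rules.

Added example (not the page's or Elastic's code). It approximates how the
`rules` of a role mapping (field / any / all / except) are matched against
the data an LDAP realm provides for a user (username, dn, groups, metadata),
so a mapping can be previewed before it is PUT into the cluster.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Set

# Fields whose values are distinguished names and are compared after normalization.
DN_FIELDS = ("dn", "groups")


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def field_matches(field: str, pattern: Any, user: Dict[str, Any]) -> bool:
    """Match one `field` rule; a list of patterns means any of them may match."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if field.startswith("metadata."):
        values = [user.get("metadata", {}).get(field[len("metadata."):])]
    else:
        raw = user.get(field)
        values = raw if isinstance(raw, list) else [raw]
    for pat in patterns:
        for val in values:
            if val is None:
                continue
            if field in DN_FIELDS:
                # '*' wildcards are allowed, e.g. "*,ou=People,dc=roywork,dc=com"
                if fnmatchcase(normalize_dn(str(val)), normalize_dn(str(pat))):
                    return True
            elif fnmatchcase(str(val), str(pat)):
                return True
    return False


def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate a rule tree: field (leaf), any (OR), all (AND), except (NOT)."""
    if "field" in rule:
        (field, pattern), = rule["field"].items()
        return field_matches(field, pattern, user)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule type: {rule}")


def roles_for(user: Dict[str, Any], mappings: Dict[str, Dict[str, Any]]) -> Set[str]:
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles: Set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


def audit(users: List[Dict[str, Any]], mappings: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Per-user sorted role list: the review to do before applying a mapping."""
    return {u["username"]: sorted(roles_for(u, mappings)) for u in users}


# The two mappings from the text, as the API bodies would be stored.
PAGE_MAPPINGS = {
    "admins": {"roles": ["monitoring", "user"], "enabled": True,
               "rules": {"field": {"groups": "cn=admins,dc=example,dc=com"}}},
    "users": {"roles": ["superuser"], "enabled": True,
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# Tightened alternative (hypothetical group name): superuser only for People
# entries that are also members of a dedicated admin group.
TIGHT_MAPPINGS = {
    "users": {"roles": ["superuser"], "enabled": True,
              "rules": {"all": [
                  {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
                  {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}},
              ]}},
}

# Constructed sample users, shaped like what an LDAP realm hands to the mapper.
SAMPLE_USERS = [
    {"username": "ldapuser2", "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
     "groups": [], "metadata": {}},
    {"username": "alice", "dn": "CN=alice, OU=People, DC=roywork, DC=com",  # odd spacing/case
     "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com", "cn=admins,dc=example,dc=com"],
     "metadata": {}},
    {"username": "svc-backup", "dn": "cn=svc-backup,ou=Services,dc=roywork,dc=com",
     "groups": [], "metadata": {}},
]

if __name__ == "__main__":
    for name, mappings in (("page mappings", PAGE_MAPPINGS), ("tightened", TIGHT_MAPPINGS)):
        print(name)
        for user, roles in audit(SAMPLE_USERS, mappings).items():
            print(f"  {user:10} -> {roles}")
```

With the page's mappings every entry under `ou=People` (here `ldapuser2` too) becomes `superuser`; with the tightened rule only `alice`, who is in the admin group, does.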
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
**Usage**

The documentation example maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

The mapping actually used in this test environment matches on the authenticated user's DN, with `*` as a wildcard, so every entry under `ou=People` receives the built-in `superuser` role. That is convenient for a lab but far too broad for production: `superuser` has unrestricted cluster and index access, and any account created in that OU (service accounts included) becomes an Elasticsearch administrator. In a real deployment, map LDAP groups (the `groups` field, as in the documentation example above) to least-privilege roles and reserve `superuser` for a small admin group.

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

`/_xpack/security/...` still works in 7.x as a deprecated alias of `/_security/...`; new scripts should call `/_security/role_mapping/<name>`. Two more things a production setup should not copy from this command: `-k` disables TLS certificate verification (the certificate generated earlier has no `--dns`/`--ip` names, so hostname checks would fail anyway; issue the HTTP certificate with proper SANs and drop `-k`), and `-u elastic:<password>` leaves the `elastic` password in shell history and the process list; pass `-u elastic` and let curl prompt.

Verify that the mapping was stored:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [ "superuser" ],
    "rules" : {
      "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
    },
    "metadata" : { }
  }
}
```

## Test

Test the connection with a user that exists only in LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Add a new user in LDAP and repeat: the same listing comes back, which confirms that authentication is delegated to LDAP. Note what that also means with the mapping above: a user created in LDAP a moment ago is already a `superuser` in Elasticsearch without anyone touching the cluster. To see which roles a mapped user actually received, rather than only that the login succeeded, call `GET /_security/_authenticate` with that user's credentials; the response lists `roles`, the `authentication_realm`, and metadata such as `ldap_dn` and `ldap_groups`.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
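The `field` rule in the `*,ou=People` mapping and the group rule in the documentation example are two instances of the same rule language: `field` matches on `dn`, `groups`, `username` or realm metadata with `*` as a wildcard, and `any`, `all` and `except` combine rules. The following added example (my code, not Elasticsearch's implementation and not from the original page) re-implements that rule language and evaluates both the page's catch-all mapping and a group-based alternative against constructed LDAP principals, so the effect of a mapping can be checked before it is sent to the cluster and before the LDAP login test above is run. The user DNs, the `es-admins` and `es-readers` groups, the `ou=Services` OU and the DN normalisation (case-folding, dropping whitespace after commas) are assumptions made for the example.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example).

Not Elasticsearch's code: it mirrors the documented rule DSL
(field / any / all / except) so a mapping can be reasoned about without a cluster.
"""
import fnmatch
import re

# Constructed principals shaped like the metadata the ldap realm exposes to the
# role-mapping engine: username, the user's DN and the DNs of its groups.
USERS = {
    "ldapuser2": {
        "username": "ldapuser2",
        "dn": "uid=ldapuser2,ou=People,dc=roywork,dc=com",
        "groups": ["cn=es-readers,ou=Groups,dc=roywork,dc=com"],
    },
    "roy": {
        "username": "roy",
        "dn": "uid=roy, ou=People, dc=roywork, dc=com",  # spaces after commas, like the page's bind_dn
        "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com",
                   "cn=es-readers,ou=Groups,dc=roywork,dc=com"],
    },
    "svc-backup": {
        "username": "svc-backup",
        "dn": "cn=svc-backup,ou=Services,dc=roywork,dc=com",
        "groups": ["cn=es-readers,ou=Groups,dc=roywork,dc=com"],
    },
}

# The page's mapping: every entry under ou=People becomes superuser.
BROAD_MAPPING = {
    "users": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
}

# Least-privilege alternative (group names and OUs are assumptions): superuser
# only for es-admins, the built-in monitoring_user role for es-readers, and
# service accounts excluded even if added to es-readers. `except` is only
# valid inside `all`, as in the real API.
GROUP_MAPPING = {
    "es-admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}},
    },
    "es-readers": {
        "enabled": True,
        "roles": ["monitoring_user"],
        "rules": {"all": [
            {"field": {"groups": "cn=es-readers,ou=Groups,dc=roywork,dc=com"}},
            {"except": {"field": {"dn": "*,ou=Services,dc=roywork,dc=com"}}},
        ]},
    },
}


def _norm_dn(dn: str) -> str:
    """Case-fold a DN and drop whitespace after the comma separators."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def _field_matches(user: dict, name: str, pattern) -> bool:
    """`field` rule: true if any user value matches any listed pattern.

    Value and pattern may each be a string or a list; `*` is a wildcard,
    and dn/groups values are compared as normalised DNs.
    """
    values = user.get(name, [])
    values = values if isinstance(values, list) else [values]
    patterns = pattern if isinstance(pattern, list) else [pattern]
    for p in patterns:
        for v in values:
            if name in ("dn", "groups"):
                if fnmatch.fnmatchcase(_norm_dn(v), _norm_dn(p)):
                    return True
            elif fnmatch.fnmatchcase(str(v), str(p)):
                return True
    return False


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Recursively evaluate one role-mapping rule against a user."""
    if "field" in rule:
        (name, pattern), = rule["field"].items()  # a field rule has exactly one key
        return _field_matches(user, name, pattern)
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def roles_for(user: dict, mappings: dict) -> list:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name:11} broad={roles_for(user, BROAD_MAPPING)} "
              f"group-based={roles_for(user, GROUP_MAPPING)}")
```

Running it prints, for each principal, the roles the catch-all mapping grants next to the roles the group-based mapping grants: under the page's mapping the service account is fine only because it happens to live outside `ou=People`, while every person in that OU is a superuser; under the group-based mapping, `superuser` follows membership in one admin group and can be revoked in LDAP. Each entry under `GROUP_MAPPING` is already the body shape `PUT /_security/role_mapping/<name>` expects once the group DNs are adjusted to your directory; after it is in place, `GET /_security/_authenticate` as the user is the authoritative check, the evaluator only helps design the rules.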
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
**Usage**

The following maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

A real-world example, which maps every entry under `ou=People` to `superuser`:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [ "superuser" ],
    "rules" : {
      "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
    },
    "metadata" : { }
  }
}
```

## Test

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP and repeating the call gives the same result, which shows the LDAP integration has succeeded.

## References

- [Integrating Elasticsearch with LDAP for permission and user control](https://www.jianshu.com/p/7154e80490ad)
- [Connecting Elasticsearch to LDAP](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
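The `users` mapping above grants `superuser` to every entry under `ou=People`, which is convenient for a test but wider than most clusters want. The script below is an added example, not the page's or Elasticsearch's own code: it re-implements the rule semantics documented for the role-mapping API (`field` with `*` wildcards, `any`, `all`, `except`) so a mapping can be dry-run against sample users before it is pushed to the cluster. The group `cn=es-admins,ou=Groups,dc=roywork,dc=com`, the users other than `ldapuser2`, and the simplified DN normalisation are assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Set

Rule = Dict[str, Any]
User = Dict[str, Any]


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation (assumption: enough for the DNs on this page):
    drop whitespace around RDN separators and lower-case, so the page's
    "cn=Manager, dc=roywork, dc=com" equals "cn=manager,dc=roywork,dc=com"."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Only '*' is a wildcard in role-mapping field values; the rest is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def field_matches(user: User, field: str, expected: Any) -> bool:
    """A 'field' rule: the user's value (or any of its values) must match the
    expected value; a list of expected values means any one of them."""
    if isinstance(expected, list):
        return any(field_matches(user, field, e) for e in expected)
    actual = user.get(field)
    if actual is None:
        return False
    values: List[str] = actual if isinstance(actual, list) else [actual]
    pattern = str(expected)
    if field in ("dn", "groups"):          # DN-valued fields compare normalised
        values = [normalize_dn(v) for v in values]
        pattern = normalize_dn(pattern)
    regex = glob_to_regex(pattern)
    return any(regex.match(v) for v in values)


def evaluate(rule: Rule, user: User) -> bool:
    """Recursively evaluate a rule tree: field / any / all / except."""
    if "field" in rule:
        [(field, expected)] = list(rule["field"].items())
        return field_matches(user, field, expected)
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def roles_for(user: User, mappings: Dict[str, Dict[str, Any]]) -> Set[str]:
    """Union of the roles of every enabled mapping whose rules match the user
    (the role names must exist in the cluster; this script does not check that)."""
    roles: Set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


# The mapping from the page: every entry under ou=People becomes superuser.
PAGE_MAPPINGS = {
    "users": {
        "roles": ["superuser"],
        "enabled": True,
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
}

# A tighter alternative (the group cn=es-admins,ou=Groups,... is a constructed
# name): superuser only for members of that group, and the page's "monitoring"
# role for everyone else under ou=People.
ADMIN_GROUP = "cn=es-admins,ou=Groups,dc=roywork,dc=com"
TIGHTER_MAPPINGS = {
    "admins": {
        "roles": ["superuser"],
        "enabled": True,
        "rules": {"field": {"groups": ADMIN_GROUP}},
    },
    "people": {
        "roles": ["monitoring"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
            {"except": {"field": {"groups": ADMIN_GROUP}}},
        ]},
    },
}

# Constructed sample users in the shape the realm hands to the mapper;
# ldapuser2 is the page's test user, the other two are made up.
USERS = {
    "ldapuser2": {"username": "ldapuser2",
                  "dn": "uid=ldapuser2,ou=People,dc=roywork,dc=com", "groups": []},
    "ldapadmin": {"username": "ldapadmin",
                  "dn": "uid=ldapadmin, ou=People, dc=roywork, dc=com",
                  "groups": [ADMIN_GROUP]},
    "svc-backup": {"username": "svc-backup",
                   "dn": "uid=svc-backup,ou=Services,dc=roywork,dc=com", "groups": []},
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name:11} page mapping: {sorted(roles_for(user, PAGE_MAPPINGS))}"
              f"  tighter: {sorted(roles_for(user, TIGHTER_MAPPINGS))}")
```

Running it shows `ldapuser2` receiving `superuser` under the page's mapping but only `monitoring` under the tighter one, while the service account outside `ou=People` gets no roles from either.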
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Adding a new user in LDAP gives the same result, which shows that the LDAP integration is working.

## References

- [ElasticSearch with LDAP for permission and user management](https://www.jianshu.com/p/7154e80490ad)
- [Integrating elasticsearch with LDAP](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
**Usage**

The following mapping, from the Elastic documentation, maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

A real-world example (every user under `ou=People` is mapped to `superuser`):

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify the mapping:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP and testing again gives the same result, which shows the LDAP integration is working.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
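To make the role-mapping rule semantics concrete, here is an added offline evaluator (example code written for this page, not Elasticsearch's own implementation) that re-implements the `field` / `any` / `all` / `except` rule types with DN wildcard matching and runs the two mappings shown above, plus a constructed narrower `all`/`except` mapping, against constructed LDAP users. The user and group DNs, the `contractors` group and the `viewer` role name are assumptions; the point it shows is that the `*,ou=People,dc=roywork,dc=com` wildcard grants `superuser` to every entry under `ou=People`, so a more careful mapping beside it cannot restrict anyone.

```python
"""Offline evaluator for Elasticsearch-style role-mapping rules.

Added example, not Elasticsearch's code. DN comparison approximates the real
behaviour: case-insensitive, whitespace around ',' and '=' ignored, and a
leading '*' in a pattern matching any number of leading RDNs.
"""
import fnmatch
import re
from typing import Any, Dict, Set


def normalize_dn(dn: str) -> str:
    """'cn=Manager, dc=roywork, dc=com' -> 'cn=manager,dc=roywork,dc=com'."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        rdn = rdn.strip()
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            rdn = f"{attr.strip()}={value.strip()}"
        rdns.append(rdn.lower())
    return ",".join(rdns)


def field_matches(user: Dict[str, Any], field: str, pattern: Any) -> bool:
    """'field' rule: any user value for `field` matches any pattern.
    'dn' and 'groups' are compared as normalized DNs, others as plain globs."""
    values = user.get(field)
    if values is None:
        return False
    values = values if isinstance(values, list) else [values]
    patterns = pattern if isinstance(pattern, list) else [pattern]
    for pat in patterns:
        for val in values:
            if field in ("dn", "groups"):
                v, p = normalize_dn(str(val)), normalize_dn(str(pat))
            else:
                v, p = str(val), str(pat)
            if fnmatch.fnmatchcase(v, p):
                return True
    return False


def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate one rule object; it must have exactly one key."""
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key, got {sorted(rule)}")
    (kind, body), = rule.items()
    if kind == "field":
        (name, pattern), = body.items()
        return field_matches(user, name, pattern)
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    raise ValueError(f"unknown rule type: {kind!r}")


def resolve_roles(mappings: Dict[str, Dict[str, Any]], user: Dict[str, Any]) -> Set[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles: Set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping.get("roles", []))
    return roles


# Mappings as stored via PUT /_security/role_mapping/<name>. "admins" and
# "users" are the two from the text; "people_viewer" is constructed.
MAPPINGS: Dict[str, Dict[str, Any]] = {
    "admins": {
        "roles": ["monitoring", "user"], "enabled": True,
        "rules": {"field": {"groups": "cn=admins,dc=example,dc=com"}},
    },
    "users": {  # wildcard DN: EVERY entry under ou=People becomes superuser
        "roles": ["superuser"], "enabled": True,
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
    "people_viewer": {  # constructed: ou=People minus the contractors group
        "roles": ["viewer"], "enabled": True,
        "rules": {"all": [
            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
            {"except": {"field": {"groups": "cn=contractors,ou=Groups,dc=roywork,dc=com"}}},
        ]},
    },
}

# Constructed users, with dn/groups as the ldap realm would resolve them.
# (cn=Manager is superuser only through the page's role_mapping.yml, not via the API.)
USERS: Dict[str, Dict[str, Any]] = {
    "ldapuser2": {"dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com", "groups": []},
    "carol": {"dn": "cn=carol,ou=People,dc=roywork,dc=com",
              "groups": ["cn=contractors,ou=Groups,dc=roywork,dc=com"]},
    "alice": {"dn": "cn=alice,ou=Staff,dc=example,dc=com",
              "groups": ["cn=admins,dc=example,dc=com"]},
    "manager": {"dn": "cn=Manager, dc=roywork, dc=com", "groups": []},
}


def roles_for_all(mappings=MAPPINGS, users=USERS) -> Dict[str, Set[str]]:
    return {name: resolve_roles(mappings, u) for name, u in users.items()}


if __name__ == "__main__":
    for name, roles in roles_for_all().items():
        print(f"{name:10s} -> {sorted(roles) or ['(no roles)']}")
```

Running it shows `carol` receiving `superuser` despite the `except` rule, because the wildcard mapping still matches her DN; the fix is to narrow or drop the wildcard mapping, not to add more mappings beside it.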
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Add a new user in LDAP and the result is the same as above, which shows that the LDAP integration has succeeded.

## References

[ElasticSearch with LDAP for permission and user management](https://www.jianshu.com/p/7154e80490ad)
[Integrating Elasticsearch with LDAP](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
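The realm block in the "Configure LDAP authentication" section above is the minimum that works, not a hardened one: it binds over plain `ldap://`, keeps `bind_password` in `elasticsearch.yml`, binds as the directory manager and searches from the directory root. The script below is an added example (not code from this page or from Elastic) that reads realm settings in the flat dotted form that `elasticsearch.yml` also accepts and reports those weaknesses next to a corrected variant. The sample settings are constructed from the page's values; the `cn=es-bind` service account, the CA path and the "well-known administrator name" heuristic are assumptions. `secure_bind_password` (set with `bin/elasticsearch-keystore add`) and `ssl.verification_mode` are real realm settings.

```python
"""Audit an Elasticsearch LDAP realm block for common hardening gaps (added example)."""

# Constructed: the realm from this page, flattened to dotted keys.
PAGE_REALM = """
xpack.security.authc.realms.ldap.ldap1.order: 0
xpack.security.authc.realms.ldap.ldap1.url: "ldap://10.0.1.5"
xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=Manager, dc=roywork, dc=com"   # administrator DN
xpack.security.authc.realms.ldap.ldap1.bind_password: 123456                        # administrator password
xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "dc=roywork,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "dc=roywork,dc=com"
xpack.security.authc.realms.ldap.ldap1.files.role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml"
xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false
"""

# Constructed hardened variant: ldaps with a pinned CA, a read-only bind
# account (assumed name), narrowed search bases, and the bind password kept
# out of the file (it lives in the keystore as secure_bind_password).
HARDENED_REALM = """
xpack.security.authc.realms.ldap.ldap1.order: 0
xpack.security.authc.realms.ldap.ldap1.url: "ldaps://10.0.1.5:636"
xpack.security.authc.realms.ldap.ldap1.ssl.certificate_authorities: ["/etc/elasticsearch/ldap-ca.crt"]
xpack.security.authc.realms.ldap.ldap1.ssl.verification_mode: full
xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=es-bind,ou=Services,dc=roywork,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "ou=People,dc=roywork,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(cn={0})"
xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "ou=Groups,dc=roywork,dc=com"
xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false
"""

# Heuristic only: RDNs that usually belong to the directory administrator.
ADMIN_RDNS = ("cn=manager", "cn=admin", "cn=directory manager")


def parse_flat_settings(text):
    """Parse 'dotted.key: value' lines; trailing ' # comment' and quotes are dropped.

    Deliberately minimal: a '#' inside a quoted value is not supported."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)       # first colon only; URLs keep theirs
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def audit_ldap_realm(settings, realm_name):
    """Return (severity, setting, message) tuples for one ldap realm."""
    prefix = f"xpack.security.authc.realms.ldap.{realm_name}."
    realm = {k[len(prefix):]: v for k, v in settings.items() if k.startswith(prefix)}
    findings = []
    if realm.get("url", "").startswith("ldap://"):
        findings.append(("high", "url",
                         "plain ldap:// carries the bind password and every user's "
                         "password in cleartext; use ldaps:// and trust the directory CA"))
    if "bind_password" in realm:
        findings.append(("high", "bind_password",
                         "password stored in elasticsearch.yml; move it to the keystore "
                         "as secure_bind_password"))
    if realm.get("ssl.verification_mode", "full").lower() == "none":
        findings.append(("high", "ssl.verification_mode",
                         "certificate verification disabled; anyone on the path can "
                         "impersonate the directory"))
    if realm.get("unmapped_groups_as_roles", "false").lower() == "true":
        findings.append(("medium", "unmapped_groups_as_roles",
                         "LDAP group names become role names; a new directory group "
                         "silently grants a role"))
    bind_rdn = realm.get("bind_dn", "").split(",")[0].strip().lower()
    if bind_rdn in ADMIN_RDNS:
        findings.append(("medium", "bind_dn",
                         "bind account looks like the directory administrator (heuristic); "
                         "the search only needs a read-only service account"))
    base = realm.get("user_search.base_dn", "")
    if base and all(rdn.strip().lower().startswith("dc=") for rdn in base.split(",")):
        findings.append(("low", "user_search.base_dn",
                         "search base is the directory root; narrow it to the container "
                         "that holds people"))
    return findings


if __name__ == "__main__":
    for label, text in (("page realm", PAGE_REALM), ("hardened realm", HARDENED_REALM)):
        print(f"== {label}")
        for severity, setting, message in audit_ldap_realm(parse_flat_settings(text), "ldap1"):
            print(f"  [{severity}] {setting}: {message}")
```

The checks are intentionally narrow so that each finding maps to one setting in the realm block; the bind-account check is a name heuristic and will not catch an administrator account with an unusual RDN.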
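The role mapping created in the "API-based" section grants `superuser` to every entry under `ou=People`, which is the page's own choice but is worth seeing spelled out before it is applied to a cluster. The following is an added example (not Elastic's implementation) that re-implements the rule grammar documented for the role mapping API (`field`, `any`, `all`, `except`, with `*` wildcards and list values) so that a mapping can be evaluated against sample users offline. The users, the `es-admins` group and the `viewer` role are constructed; DN comparison is approximated by lower-casing and stripping whitespace, and `*` is treated as any run of characters.

```python
"""Evaluate Elasticsearch role-mapping rules against sample users (added example)."""
import re

# Constructed sample users; keys mirror the fields a rule may reference.
USERS = {
    "ldapuser2": {"username": "ldapuser2", "realm.name": "ldap1",
                  "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
                  "groups": ["cn=developers,ou=Groups,dc=roywork,dc=com"]},
    # Mixed case and spaces, as a directory may well return them.
    "alice": {"username": "alice", "realm.name": "ldap1",
              "dn": "CN=alice, OU=People, DC=roywork, DC=com",
              "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"]},
    "svc-backup": {"username": "svc-backup", "realm.name": "ldap1",
                   "dn": "cn=svc-backup,ou=Services,dc=roywork,dc=com",
                   "groups": []},
}

# The mapping created on this page: every entry under ou=People is superuser.
PAGE_MAPPINGS = {
    "users": {"roles": ["superuser"], "enabled": True,
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# Constructed narrower alternative: superuser only for members of a dedicated
# admin group in this realm; other people get a read-only role ("viewer" is
# assumed to exist), service accounts excluded.
TIGHTER_MAPPINGS = {
    "es_admins": {"roles": ["superuser"], "enabled": True,
                  "rules": {"all": [
                      {"field": {"realm.name": "ldap1"}},
                      {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}}]}},
    "people_readonly": {"roles": ["viewer"], "enabled": True,
                        "rules": {"all": [
                            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
                            {"except": {"field": {"username": "svc-*"}}}]}},
}


def _norm_dn(dn):
    """Approximate DN normalisation: lower-case, no spaces around ',' and '='."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(p.strip() for p in rdn.split("=")).lower() for rdn in rdns)


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate(rule, user):
    """Return True when the rule matches the user description."""
    if "field" in rule:
        (name, expected), = rule["field"].items()
        expected, actual = _as_list(expected), _as_list(user.get(name))
        if name in ("dn", "groups"):          # DN-valued fields compare normalised
            expected = [_norm_dn(p) for p in expected]
            actual = [_norm_dn(a) for a in actual]
        else:
            expected = [str(p) for p in expected]
            actual = [str(a) for a in actual]
        return any(_wildcard_match(p, a) for p in expected for a in actual)
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unknown rule: {rule!r}")


def resolve_roles(mappings, user):
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


if __name__ == "__main__":
    for label, mappings in (("page", PAGE_MAPPINGS), ("tighter", TIGHTER_MAPPINGS)):
        for name, user in USERS.items():
            print(f"{label:8} {name:12} -> {sorted(resolve_roles(mappings, user))}")
```

Run stand-alone it prints that under the page's mapping both `ldapuser2` and `alice` resolve to `superuser`, while under the tighter mapping only the `es-admins` member does; the same evaluator can be pointed at a dump of real entries before a mapping is pushed with `PUT /_security/role_mapping/<name>`.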
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
**Usage**: the following maps the LDAP `admins` group to both the `monitoring` and `user` roles.

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : {
    "groups" : "cn=admins,dc=example,dc=com"
  } },
  "enabled": true
}
```

A real-world example:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [ "superuser" ],
    "rules" : {
      "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
    },
    "metadata" : { }
  }
}
```

## Test

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Add a new user in LDAP and the result is the same as above, which shows the LDAP integration is working.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) (ElasticSearch with LDAP for permission and user control)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) (Integrating elasticsearch with LDAP)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
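To see which users a role mapping actually grants roles to before creating it, here is an added Python model of the role-mapping rule DSL (`field`, `any`, `all`, `except`, with `*` wildcards); it is example code, not Elasticsearch's implementation, and the two users, the `es-admins` group and the narrower second mapping are constructed. It evaluates the page's `*,ou=People,dc=roywork,dc=com` mapping, which gives `superuser` to every entry under `ou=People`, alongside a group-scoped alternative.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed users as the ldap realm presents them to role mapping (not real
# directory data); DNs use the page's dc=roywork,dc=com suffix.
LDAPUSER2 = {"username": "ldapuser2", "groups": [],
             "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com"}
OPSADMIN = {"username": "opsadmin",
            "dn": "cn=opsadmin,ou=People,dc=roywork,dc=com",
            "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"]}  # constructed group

# The mapping the page creates: every entry under ou=People becomes superuser.
PAGE_MAPPINGS = {
    "users": {"roles": ["superuser"], "enabled": True,
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# A narrower alternative (constructed): superuser only for a dedicated group, the
# low-privilege "user" role for everyone else under ou=People, and service
# accounts (username svc-*) excluded from even that.
NARROW_MAPPINGS = {
    "es_admins": {"roles": ["superuser"], "enabled": True,
                  "rules": {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}}},
    "people": {"roles": ["user"], "enabled": True,
               "rules": {"all": [
                   {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
                   {"except": {"field": {"username": "svc-*"}}},
               ]}},
}

def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: no spaces around commas, lower-cased,
    so "cn=Manager, dc=roywork, dc=com" equals "cn=manager,dc=roywork,dc=com".
    This is a simplified model of DN equality, not a full RFC 4514 normalizer."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def wildcard_match(pattern: str, value: str) -> bool:
    """`*` is the only wildcard (any run of characters, possibly empty);
    everything else in the pattern is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def match_value(pattern: Any, value: Any, dn_like: bool) -> bool:
    """One user value against one rule value. A list of rule values matches if
    any element does; null matches only an absent field."""
    if isinstance(pattern, list):
        return any(match_value(p, value, dn_like) for p in pattern)
    if pattern is None:
        return value is None
    if isinstance(pattern, str) and isinstance(value, str):
        if dn_like:  # dn and groups compare as DNs
            return wildcard_match(normalize_dn(pattern), normalize_dn(value))
        return wildcard_match(pattern, value)
    return pattern == value

def evaluate(rule: dict, user: dict) -> bool:
    """Evaluate a rule tree of field / any / all / except nodes."""
    (kind, body), = rule.items()
    if kind == "field":
        (name, pattern), = body.items()
        node: Any = user
        for key in name.split("."):  # dotted names such as realm.name
            node = node.get(key) if isinstance(node, dict) else None
        values = node if isinstance(node, list) else [node]
        return any(match_value(pattern, v, name in ("dn", "groups")) for v in values)
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    raise ValueError(f"unknown rule type {kind!r}")

def roles_for(user: dict, mappings: dict) -> set[str]:
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles: set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles

if __name__ == "__main__":
    for user in (LDAPUSER2, OPSADMIN):
        print(user["username"], sorted(roles_for(user, PAGE_MAPPINGS)),
              sorted(roles_for(user, NARROW_MAPPINGS)))
```

Run it directly to print the roles each constructed user receives under both mappings.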
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Add a new user in LDAP and the result is the same as above, which shows that the LDAP integration has succeeded.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
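The role mapping created above grants `superuser` to every entry under `ou=People`, not only to administrators, because the `dn` rule is a wildcard over the whole container. The Python script below is an added example, not code from the page or from Elasticsearch: it approximates offline how the role mapping API evaluates a mapping's `rules` (`field`, `any`, `all`, `except`) against a user's DN and group DNs, and compares the page's mapping with a group-based one. The user entries, the `cn=admins,ou=Group,dc=roywork,dc=com` group and the `monitoring_user` assignment are assumptions made for the example.

```python
"""Offline evaluation of Elasticsearch role-mapping rules (added example).

Approximates how the ldap realm applies a mapping's "rules" to a user: a
"field" rule does a case-insensitive wildcard ("*") match of the pattern
against the user's dn, or against any of the user's group DNs; "any", "all"
and "except" combine rules. All identities below are constructed.
"""
import fnmatch

# Constructed LDAP identities in the shape the realm exposes to role mappings:
# the entry DN plus the group DNs resolved for the user (not data from the page).
USERS = {
    "ldapuser2": {
        "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
        "groups": ["cn=developers,ou=Group,dc=roywork,dc=com"],
    },
    "opsadmin": {
        "dn": "cn=opsadmin,ou=People,dc=roywork,dc=com",
        "groups": ["cn=admins,ou=Group,dc=roywork,dc=com"],
    },
    "svc_backup": {
        "dn": "cn=svc_backup,ou=Services,dc=roywork,dc=com",
        "groups": [],
    },
}

# The mapping the page creates: superuser for every DN under ou=People.
PAGE_MAPPINGS = {
    "users": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
}

# A group-based alternative (assumed group DN): superuser only for members of
# cn=admins, and a read-only built-in role for everyone else under ou=People.
GROUP_MAPPINGS = {
    "admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"groups": "cn=admins,ou=Group,dc=roywork,dc=com"}},
    },
    "people": {
        "enabled": True,
        "roles": ["monitoring_user"],
        "rules": {"all": [
            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
            {"except": {"field": {"groups": "cn=admins,ou=Group,dc=roywork,dc=com"}}},
        ]},
    },
}


def field_matches(user, field, pattern):
    """A 'field' rule: the pattern (or any pattern in a list) matches the
    scalar field, or at least one value of a multi-valued field."""
    values = user.get(field, [])
    if not isinstance(values, list):
        values = [values]
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), pat.lower())
               for value in values for pat in patterns)


def rule_matches(user, rule):
    """Recursively evaluate the rules DSL: field / any / all / except."""
    if "field" in rule:
        ((field, pattern),) = rule["field"].items()
        return field_matches(user, field, pattern)
    if "any" in rule:
        return any(rule_matches(user, sub) for sub in rule["any"])
    if "all" in rule:
        return all(rule_matches(user, sub) for sub in rule["all"])
    if "except" in rule:
        return not rule_matches(user, rule["except"])
    raise ValueError(f"unsupported rule: {rule!r}")


def resolve_roles(user, mappings):
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(user, mapping["rules"]):
            roles.update(mapping["roles"])
    return sorted(roles)


def superusers(mappings, users=USERS):
    """Names of the users a mapping set would grant the superuser role."""
    return sorted(name for name, user in users.items()
                  if "superuser" in resolve_roles(user, mappings))


if __name__ == "__main__":
    for label, mappings in (("page mapping", PAGE_MAPPINGS),
                            ("group mapping", GROUP_MAPPINGS)):
        print(f"{label}: superuser -> {superusers(mappings)}")
        for name, user in USERS.items():
            print(f"  {name}: {resolve_roles(user, mappings)}")
```

Running it shows the page's mapping handing `superuser` to both `ldapuser2` and `opsadmin`, while the group-based mapping limits it to `opsadmin`; the same audit can be run against the real output of `GET /_security/role_mapping` before a mapping is enabled.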
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw
1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0%
```

### Request a trial licence

The LDAP realm requires it. Starts a 30-day trial.

```
curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw
```

## Configure LDAP authentication

### Edit the configuration file

X-Pack's LDAP integration currently supports two configuration modes:

- User search mode.
- A mode using specific templates for user DNs.

User search mode is the most common. In this mode a designated user with permission to search the LDAP directory looks up the DN of the user being authenticated, using the username supplied to X-Pack and an LDAP attribute. Once the DN is found, X-Pack attempts to bind to the LDAP server with that DN and the supplied password to verify the user; see [Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html) for details.

The realm configuration below, which binds with the LDAP manager DN, goes into Elasticsearch's YML file:

```
xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://10.0.1.5"
            #url: "ldaps://10.0.1.5:636"
            bind_dn: "cn=Manager, dc=roywork, dc=com"   # administrator DN
            bind_password: 123456                        # administrator password
            user_search:
              base_dn: "dc=roywork,dc=com"               # user search scope
              filter: "(cn={0})"
            group_search:
              base_dn: "dc=roywork,dc=com"
            files:
              role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml"   # role-binding config file
            unmapped_groups_as_roles: false
```

| Parameter | Description |
| --- | --- |
| `type` | Sets the realm type. Must be `ldap` here. |
| `url` | LDAP server URL and port. `ldap` means a plain connection on port 389; `ldaps` means an SSL-secured connection on port 636. |
| `bind_dn` | DN of the user used to bind to LDAP and run searches; applies to user search mode only. |
| `bind_password` | Password of the user used to bind to the LDAP directory. |
| `user_search.base_dn` | DN of the container to search for users. |
| `group_search.base_dn` | DN of the container to search for groups the user is a member of. When this parameter is absent, Elasticsearch reads the attribute named by `user_group_attribute` to determine membership. |
| `unmapped_groups_as_roles` | Default `false`. If set to `true`, the name of any unmapped LDAP group is assigned to the user as a role name. |

### Mapping LDAP groups/users to ES roles

#### File-based

role_mapping.yml is optional and is shown here only for reference. Mappings are usually configured through the API, because the file-based approach requires a copy of the file on every node.

```
superuser:
  - "cn=Manager,dc=roywork,dc=com"
```

#### API-based

Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node.

**Usage**

Maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

A real-world example:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [ "superuser" ],
    "rules" : {
      "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP gives the same result as above, which confirms that the LDAP integration is working.

## References

[ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)

[elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)

[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
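The two role mappings above (the `admins` group mapping and the `*,ou=People` DN mapping) are easier to reason about offline. The following is an added example, not this page's or Elastic's code: a small Python evaluator that re-implements the role-mapping rule semantics and applies both mappings, plus a tighter variant, to constructed sample users; the `cn=es-admins` group, the `monitoring_user` grant and the sample accounts are assumptions.

```python
"""Offline evaluator for Elasticsearch role-mapping rules.

Added example, not Elastic's code: it re-implements the documented semantics
of the role-mapping "rules" DSL (field / any / all / except, `*` wildcards,
case-insensitive DN comparison) so the mappings on this page can be checked
without a cluster. The users below are constructed; cn=es-admins is hypothetical.
"""
import re

# The two mappings from this page, as the role-mapping API stores them.
PAGE_MAPPINGS = {
    "admins": {"enabled": True, "roles": ["monitoring", "user"],
               "rules": {"field": {"groups": "cn=admins,dc=example,dc=com"}}},
    "users": {"enabled": True, "roles": ["superuser"],
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# A tighter alternative (example only): everyone under ou=People gets a
# read-only built-in role, and superuser additionally requires membership
# of a dedicated admin group, so the wildcard alone no longer grants it.
TIGHTER_MAPPINGS = {
    "people-readonly": {"enabled": True, "roles": ["monitoring_user"],
                        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
    "people-superuser": {"enabled": True, "roles": ["superuser"],
                         "rules": {"all": [
                             {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
                             {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}},
                         ]}},
}


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def wildcard_match(pattern, value):
    """`*` matches zero or more characters; everything else is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def field_matches(name, pattern, user):
    """One `field` rule: the user field may be multi-valued (groups) and the
    pattern may be a list; any value matching any pattern is enough."""
    values = user.get(name, [])
    values = [values] if isinstance(values, str) else list(values)
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if name in ("dn", "groups"):
        values = [normalize_dn(v) for v in values]
        patterns = [normalize_dn(p) for p in patterns]
    return any(wildcard_match(p, v) for p in patterns for v in values)


def rule_matches(rule, user):
    """Evaluate one rule node: field, any (OR), all (AND), except (NOT)."""
    (kind, body), = rule.items()
    if kind == "field":
        (name, pattern), = body.items()
        return field_matches(name, pattern, user)
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    raise ValueError(f"unknown rule type {kind!r}")


def roles_for(user, mappings):
    """Roles granted to `user`: the union over every enabled mapping whose
    rules match, which is how Elasticsearch combines several mappings."""
    roles = set()
    for mapping in mappings.values():
        if mapping["enabled"] and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


# Constructed sample users, as the ldap1 realm would present them.
SAMPLE_USERS = {
    # The page's test user; its DN differs from the pattern only in case/spacing.
    "ldapuser2": {"dn": "CN=ldapuser2, OU=People, DC=roywork, DC=com",
                  "groups": [], "realm": {"name": "ldap1"}},
    # A service account outside ou=People that sits in the admins group.
    "svc-backup": {"dn": "cn=svc-backup,ou=Services,dc=roywork,dc=com",
                   "groups": ["cn=admins,dc=example,dc=com"], "realm": {"name": "ldap1"}},
    # Hypothetical administrator under ou=People in the es-admins group.
    "ldapadmin": {"dn": "cn=ldapadmin,ou=People,dc=roywork,dc=com",
                  "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"],
                  "realm": {"name": "ldap1"}},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(f"{name:10} page mappings -> {roles_for(user, PAGE_MAPPINGS)}")
        print(f"{name:10} tighter       -> {roles_for(user, TIGHTER_MAPPINGS)}")
```

Running it shows that the page's `users` mapping hands `superuser` to every entry under `ou=People`, while the tighter variant ties `superuser` to a group membership through an `all` rule and leaves the rest with a read-only role.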
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
**Usage**

The following mapping grants members of the LDAP `admins` group both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring", "user" ],
  "rules" : {
    "field" : {
      "groups" : "cn=admins,dc=example,dc=com"
    }
  },
  "enabled": true
}
```

A real example from this setup (the rule matches any DN under `ou=People,dc=roywork,dc=com`):

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : {
      "dn" : "*,ou=People,dc=roywork,dc=com"
    }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP gives the same result, which shows that the LDAP integration is working.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
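The role-mapping rules used in the API section above (the page's `dn` wildcard rule and the `groups` rule), as an added example that is not code from the page: a small evaluator for the `field` / `any` / `all` / `except` rule tree of Elasticsearch role mappings, run offline against constructed LDAP users. It shows that the page's mapping hands `superuser` to every entry under `ou=People`, next to a hypothetical narrower mapping (`NARROW_MAPPINGS`, the `es-admins` group and the built-in `monitoring_user` role) that reserves `superuser` for one group; DN normalization here is a simplification (lower-casing and stripping whitespace around `,` and `=`) and `*` is the only wildcard.

```python
import re
from typing import Any, Dict, Set

# Constructed sample mappings. PAGE_MAPPINGS mirrors the page's own "users" mapping:
# any DN under ou=People receives superuser. NARROW_MAPPINGS is a hypothetical
# least-privilege alternative that reserves superuser for one LDAP group.
PAGE_MAPPINGS = {
    "users": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
}
NARROW_MAPPINGS = {
    "people_monitoring": {
        "enabled": True,
        "roles": ["monitoring_user"],
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    },
    "es_admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"all": [
            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
            {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}},
        ]},
    },
}

# Constructed users, shaped as the LDAP realm presents them to role mapping.
LDAPUSER2 = {
    "username": "ldapuser2",
    "dn": "uid=ldapuser2,ou=People,dc=roywork,dc=com",
    "groups": ["cn=es-readers,ou=Groups,dc=roywork,dc=com"],
}
LDAPADMIN = {
    "username": "ldapadmin",
    "dn": "uid=ldapadmin,ou=People,dc=roywork,dc=com",
    # Deliberately different case and spacing to exercise DN normalization.
    "groups": ["CN=es-admins, OU=Groups, DC=roywork, DC=com"],
}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around ',' and '=' (simplified DN matching)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def wildcard_match(pattern: str, text: str) -> bool:
    """Match with '*' as the only wildcard, as in role-mapping field rules."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def match_value(field: str, pattern: Any, actual: Any) -> bool:
    """Compare one rule value with one user attribute; lists match if any element does."""
    if isinstance(pattern, list):
        return any(match_value(field, p, actual) for p in pattern)
    if isinstance(actual, list):
        return any(match_value(field, pattern, a) for a in actual)
    if pattern is None or actual is None:
        return pattern is None and actual is None
    if isinstance(pattern, str) and isinstance(actual, str):
        if field in ("dn", "groups"):  # DN-valued fields compare as DNs
            pattern, actual = normalize_dn(pattern), normalize_dn(actual)
        return wildcard_match(pattern, actual)
    return pattern == actual


def lookup(user: Dict[str, Any], field: str) -> Any:
    """Resolve 'username', 'dn', 'groups' or 'metadata.<key>' on the user."""
    if field.startswith("metadata."):
        return user.get("metadata", {}).get(field[len("metadata."):])
    return user.get(field)


def evaluate_rule(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate a role-mapping rule tree built from field / any / all / except."""
    if "field" in rule:
        (field, pattern), = rule["field"].items()  # exactly one field per rule
        return match_value(field, pattern, lookup(user, field))
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unknown rule type: {rule}")


def roles_for(user: Dict[str, Any], mappings: Dict[str, Dict[str, Any]]) -> Set[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles: Set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


if __name__ == "__main__":
    for name, mappings in (("page", PAGE_MAPPINGS), ("narrow", NARROW_MAPPINGS)):
        for user in (LDAPUSER2, LDAPADMIN):
            print(f"{name:6} {user['username']:10} -> {sorted(roles_for(user, mappings))}")
```

With the page's mapping both constructed users come out as `superuser`; with the narrower mapping only the `es-admins` member does, and the ordinary user keeps `monitoring_user`.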
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
**Usage**: the following maps the LDAP `admins` group to both the `monitoring` and `user` roles.

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

A practical example:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Add a new user in LDAP and the result is the same as above, which shows that the LDAP integration has succeeded.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) (Elasticsearch with LDAP for permission and user control)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) (Integrating Elasticsearch with LDAP)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official site)
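The `users` mapping above matches every DN under `ou=People`, so every LDAP account in that OU is granted `superuser`. The evaluator below is an added example (not Elastic's code and not from the original post) that re-implements the `field`/`any`/`all`/`except` rule semantics in simplified form to show who each mapping grants roles to, beside a narrower group-based alternative; the `cn=es-admins,ou=Groups,dc=roywork,dc=com` group and the sample users are constructed assumptions.

```python
"""Simplified evaluator for Elasticsearch role-mapping rules.

Added example, not Elastic's code: it re-implements only the `field`, `any`,
`all` and `except` rule types of the DSL used by PUT /_security/role_mapping.
The `*`/`?` wildcard handling and the case- and whitespace-insensitive DN
comparison are assumptions about the real behaviour, not a specification.
"""
import fnmatch

# Sample LDAP users, constructed for this example (the ldapuser2 DN follows
# the page's ou=People,dc=roywork,dc=com layout).
USERS = [
    {"username": "ldapuser2", "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
     "groups": []},
    {"username": "roy", "dn": "cn=roy,ou=People,dc=roywork,dc=com",
     "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"]},
    {"username": "alice", "dn": "cn=alice,ou=People,dc=example,dc=com",
     "groups": ["cn=admins,dc=example,dc=com"]},
    {"username": "svc-backup", "dn": "cn=svc-backup,ou=Services,dc=roywork,dc=com",
     "groups": []},
]

# The two mappings the page shows: the documentation's group-based `admins`
# mapping and the practical example that maps every DN under ou=People to
# superuser.
PAGE_MAPPINGS = {
    "admins": {"enabled": True, "roles": ["monitoring", "user"],
               "rules": {"field": {"groups": "cn=admins,dc=example,dc=com"}}},
    "users": {"enabled": True, "roles": ["superuser"],
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# A narrower alternative. Assumption: an LDAP group
# cn=es-admins,ou=Groups,dc=roywork,dc=com exists. Only its members become
# superuser; everyone else under ou=People gets the non-admin `user` role.
ES_ADMINS = "cn=es-admins,ou=Groups,dc=roywork,dc=com"
SCOPED_MAPPINGS = {
    "admins": PAGE_MAPPINGS["admins"],
    "es_admins": {"enabled": True, "roles": ["superuser"],
                  "rules": {"field": {"groups": ES_ADMINS}}},
    "people": {"enabled": True, "roles": ["user"],
               "rules": {"all": [
                   {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
                   {"except": {"field": {"groups": ES_ADMINS}}},
               ]}},
}


def _norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _field_matches(field: str, pattern, user: dict) -> bool:
    """A `field` rule matches when any user value matches any pattern value."""
    values = user.get(field, [])
    if not isinstance(values, list):
        values = [values]
    patterns = pattern if isinstance(pattern, list) else [pattern]
    for value in values:
        for pat in patterns:
            v, p = str(value), str(pat)
            if field in ("dn", "groups"):
                v, p = _norm_dn(v), _norm_dn(p)
            if fnmatch.fnmatchcase(v, p):
                return True
    return False


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Recursively evaluate one rule object against a user record."""
    if "field" in rule:
        (field, pattern), = rule["field"].items()
        return _field_matches(field, pattern, user)
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule!r}")


def resolve_roles(user: dict, mappings: dict) -> list:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


def superusers(users: list, mappings: dict) -> list:
    """Usernames that would receive superuser: the check to run on a new mapping."""
    return [u["username"] for u in users if "superuser" in resolve_roles(u, mappings)]


if __name__ == "__main__":
    for name, mappings in (("page", PAGE_MAPPINGS), ("scoped", SCOPED_MAPPINGS)):
        print(f"{name}: superuser -> {superusers(USERS, mappings)}")
        for u in USERS:
            print(f"  {u['username']:<11} {resolve_roles(u, mappings)}")
```

Running it shows the page's mapping handing `superuser` to every sample user under `ou=People`, while the scoped variant limits it to members of the admin group.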
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node.

**Usage**

Maps the LDAP `admins` group to both the `monitoring` and `user` roles:

```
PUT /_security/role_mapping/admins
{
  "roles" : [ "monitoring" , "user" ],
  "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } },
  "enabled": true
}
```

A real-world example:

```
$ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d'
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" }
  }
}
'
```

Verify:

```
$ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "*,ou=People,dc=roywork,dc=com"
      }
    },
    "metadata" : { }
  }
}
```

## Testing

Test the connection with a user from LDAP:

```
$ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456
=^.^=
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/tasks
/_cat/indices
/_cat/indices/{index}
/_cat/segments
/_cat/segments/{index}
....
```

Adding a new user in LDAP gives the same result, which shows that the LDAP integration is working.

## References

[ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)

[elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)

[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Adding a new user in LDAP and repeating the request gives the same result, which confirms that the LDAP integration works.

## References

[ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) (ElasticSearch with LDAP for permission and user management)
[elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) (Integrating Elasticsearch with LDAP)
[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Adding a new user in LDAP gives the same result, which shows that the LDAP integration works.

## References

[ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)

[elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)

[LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official docs)
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
```

Adding a new user in LDAP gives the same result, which shows that the LDAP integration is working.

## References

- [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad)
- [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F)
- [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (official documentation)
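The `dn` wildcard in the `users` mapping above hands `superuser` to every entry under `ou=People`, not only the accounts that need it. The following Python is an added example, not code from the original post or from Elasticsearch: it approximates how the role mapping API evaluates `rules` (`field`, `any`, `all`, `except`, wildcard and `/regex/` values) so the blast radius of a mapping can be previewed offline, and places a constructed group-scoped mapping beside the post's wildcard one. The user documents, the `es-admins` group and the `TIGHT_MAPPINGS` names are constructed for this example; DN comparison is assumed to be case-insensitive with whitespace around commas ignored.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example)."""
import fnmatch
import re

# Fields whose values are DNs; compared after normalisation (assumption:
# case-insensitive, whitespace around commas ignored, no escaped commas).
DN_FIELDS = {"dn", "groups"}


def normalize_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _is_regex(pattern):
    return isinstance(pattern, str) and len(pattern) > 2 and pattern[0] == pattern[-1] == "/"


def _normalize_pattern(pattern):
    """Normalise DN-valued rule values the same way as the user's attributes."""
    if isinstance(pattern, list):
        return [_normalize_pattern(p) for p in pattern]
    if isinstance(pattern, str) and not _is_regex(pattern):
        return normalize_dn(pattern)
    return pattern


def _lookup(user, path):
    """Resolve a dotted field name such as 'realm.name' or 'metadata.dept'."""
    node = user
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _value_matches(pattern, value):
    """One rule value against one attribute value: exact string, */? wildcard,
    /regex/, or a list of those (the list matches if any entry does)."""
    if isinstance(pattern, list):
        return any(_value_matches(p, value) for p in pattern)
    if pattern is None or value is None:
        return pattern is None and value is None
    if _is_regex(pattern):
        return re.fullmatch(pattern[1:-1], str(value)) is not None
    if isinstance(pattern, str):
        return fnmatch.fnmatchcase(str(value), pattern)
    return pattern == value  # numbers and booleans compare directly


def field_rule_matches(field, pattern, user):
    """{"field": {name: pattern}}: multi-valued attributes match if any value does."""
    raw = _lookup(user, field)
    values = raw if isinstance(raw, list) else [raw]
    if field in DN_FIELDS:
        values = [normalize_dn(v) for v in values if v is not None]
        pattern = _normalize_pattern(pattern)
    return any(_value_matches(pattern, v) for v in values)


def rule_matches(rule, user):
    """Evaluate a rule tree built from field / any / all / except."""
    if len(rule) != 1:
        raise ValueError("a rule object must contain exactly one key")
    (kind, body), = rule.items()
    if kind == "field":
        return all(field_rule_matches(f, p, user) for f, p in body.items())
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    raise ValueError(f"unknown rule type: {kind}")


def resolve_roles(mappings, user):
    """Union of the roles of every enabled mapping that matches: mappings are
    additive, so a broad wildcard cannot be undone by a narrower mapping."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


def users_granted(mappings, users, role):
    """Names of the users that end up holding `role`: a blast-radius check."""
    return sorted(u["username"] for u in users if role in resolve_roles(mappings, u))


# Mappings as they appear in the post: a DN wildcard that grants `superuser`
# to every entry under ou=People, plus the documentation's group example.
POST_MAPPINGS = {
    "users": {"enabled": True, "roles": ["superuser"],
              "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
    "admins": {"enabled": True, "roles": ["monitoring", "user"],
               "rules": {"field": {"groups": "cn=admins,dc=example,dc=com"}}},
}

# Constructed alternative: `superuser` only for members of a dedicated group
# (hypothetical es-admins group) authenticated through the ldap1 realm.
TIGHT_MAPPINGS = {
    "es-admins": {"enabled": True, "roles": ["superuser"],
                  "rules": {"all": [
                      {"field": {"groups": "cn=es-admins,ou=Groups,dc=roywork,dc=com"}},
                      {"field": {"realm.name": "ldap1"}}]}},
    "people": {"enabled": True, "roles": ["monitoring_user"],
               "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}}},
}

# Constructed user documents in the shape the rule engine sees.
USERS = [
    {"username": "ldapuser2", "dn": "cn=ldapuser2,ou=People,dc=roywork,dc=com",
     "groups": ["cn=es-admins,ou=Groups,dc=roywork,dc=com"], "realm": {"name": "ldap1"}},
    {"username": "intern", "dn": "CN=intern, OU=People, DC=roywork, DC=com",
     "groups": [], "realm": {"name": "ldap1"}},
    {"username": "svc-backup", "dn": "cn=svc-backup,ou=Service,dc=roywork,dc=com",
     "groups": ["cn=admins,dc=example,dc=com"], "realm": {"name": "ldap1"}},
]

if __name__ == "__main__":
    print("superuser via post's mappings:", users_granted(POST_MAPPINGS, USERS, "superuser"))
    print("superuser via tightened mappings:", users_granted(TIGHT_MAPPINGS, USERS, "superuser"))
```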
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
elastic:KofFTZGdqZ8QggP3kLJw 1606371324 06:15:24 roy-es2 green 1 1 7 7 0 0 0 0 - 100.0% ``` ### 申请临时证书 这是LDAP认证需要。 Starts a 30-day trial. ``` curl -X POST "https://localhost:9200/_license/start_trial?acknowledge=true" -k -u elastic:KofFTZGdqZ8QggP3kLJw ``` ## 配置LDAP认证 ### 修改配置文件 目前,X-Pack集成LDAP认证支持通过以下两种配置方式: - 用户搜索模式。 - 带有用户DNs特定模板的模式。 其中,用户搜索模式是最常见的操作方式。在此模式中,具有搜索LDAP目录权限的特定用户,根据X-Pack提供的用户名和LDAP属性,搜索进行身份验证的用户的DN。一旦找到,X-Pack将使用找到的DN和提供的密码,尝试绑定到LDAP服务器来验证用户,详情请参见[Configure an LDAP realm](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F6.7%2Fconfiguring-ldap-realm.html)。 以下为LDAP管理DN的映射方式,需要在Elasticsearch的YML文件中添加如下配置。 ``` xpack: security: authc: realms: ldap: ldap1: order: 0 url: "ldap://10.0.1.5" #url: "ldaps://10.0.1.5:636" bind_dn: "cn=Manager, dc=roywork, dc=com" #管理员dn bind_password: 123456 #管理员密码 user_search: base_dn: "dc=roywork,dc=com" #用户搜索范围 filter: "(cn={0})" group_search: base_dn: "dc=roywork,dc=com" files: role_mapping: "/es/elasticsearch-7.9.2/config/role_mapping.yml" #角色绑定配置文件 unmapped_groups_as_roles: false ``` | 参数 | 说明 | | --- | --- | | `type` | 设置域。此处必须设置为`ldap`。 | | `url` | 指定LDAP服务器URL及端口。`ldap`协议表示使用普通连接,端口为389;`ldaps`表示使用SSL安全连接,端口为636。 | | `bind_dn` | 用于绑定到LDAP并执行搜索的用户的DN,仅适用于用户搜索模式。 | | `bind_password` | 用于绑定到LDAP目录的用户的密码。 | | `user_search.base_dn` | 用户搜索的容器DN。 | | `group_search.base_dn` | 用于搜索用户具有成员资格的容器DN。当此参数不存在时,Elasticsearch将搜索`user_group_attribute`指定的属性,来确定成员身份。 | | `unmapped_groups_as_roles` | 默认`false`。如果设置为`true`,则任何未映射的LDAP组的名称都将用作角色名称分配给用户。 | ### LDAP 的组/用户 与 ES roles 映射 #### 文件形式 role\_mapping.yml,可配置可不配,就放这里参考下,一般通过api配置映射关系。因为通过文件的形式需要每个node都存放一份。 ``` superuser: - "cn=Manager,dc=roywork,dc=com" ``` #### API方式 Map LDAP groups to roles. The `ldap` realm enables you to map LDAP users to roles via their LDAP groups, or other metadata. 
This role mapping can be configured via the [add role mapping API](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2Fcurrent%2Fsecurity-api-put-role-mapping.html) or by using a file stored on each node. **使用方式** maps the LDAP `admins` group to both the `monitoring` and `user` roles ``` PUT /_security/role_mapping/admins { "roles" : [ "monitoring" , "user" ], "rules" : { "field" : { "groups" : "cn=admins,dc=example,dc=com" } }, "enabled": true } ``` 实际使用例子 ``` $ curl -X POST "https://localhost:9200/_xpack/security/role_mapping/users" -k -u elastic:KofFTZGdqZ8QggP3kLJw -H 'Content-Type: application/json' -d' { "roles": [ "superuser" ], "enabled": true, "rules": { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } } } ' ``` 验证 ``` $ curl "https://127.0.0.1:9200/_xpack/security/role_mapping?pretty" -k -u elastic:KofFTZGdqZ8QggP3kLJw { "users" : { "enabled" : true, "roles" : [ "superuser" ], "rules" : { "field" : { "dn" : "*,ou=People,dc=roywork,dc=com" } }, "metadata" : { } } } ``` ## 测试 用LDAP 中的用户去测试连接 ``` $ curl https://127.0.0.1:9200/_cat?pretty -k -u ldapuser2:123456 =^.^= /_cat/allocation /_cat/shards /_cat/shards/{index} /_cat/master /_cat/nodes /_cat/tasks /_cat/indices /_cat/indices/{index} /_cat/segments /_cat/segments/{index} .... 
``` 在ldap添加一个新用户,结果同上,说明LDAP集成已经成功了。 ## 参考 [ElasticSearch结合LDAP实现权限、用户管控](https://www.jianshu.com/p/7154e80490ad) [elasticsearch实现与ldap对接](https://links.jianshu.com/go?to=https%3A%2F%2Fblog.fanfengqiang.com%2F2018%2F08%2F27%2Felasticsearch%25E5%25AE%259E%25E7%258E%25B0ldap%25E7%2594%25A8%25E6%2588%25B7%25E5%25AF%25B9%25E6%258E%25A5%2F) [LDAP user authentication](https://links.jianshu.com/go?to=https%3A%2F%2Fgithub.com%2Felastic%2Felasticsearch%2Fedit%2F7.10%2Fx-pack%2Fdocs%2Fen%2Fsecurity%2Fauthentication%2Fldap-realm.asciidoc) (官网)测试环境: OS: CentOS Linux release 7.6.1810 (Core) ES version:7.9.2 ## 前期准备 ### ES 安装 从官网下载linux源码包 [https://www.elastic.co/downloads/elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fdownloads%2Felasticsearch) ``` curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.2-linux-x86_64.tar.gz tar -xzvf elasticsearch-7.9.2-linux-x86_64.tar.gz cd elasticsearch-7.9.2 ./bin/elasticsearch ``` ### 启用安全功能 使用ES自带工具来实现。[Encrypting communications in Elasticsearch](https://links.jianshu.com/go?to=https%3A%2F%2Fwww.elastic.co%2Fguide%2Fen%2Felasticsearch%2Freference%2F7.9%2Fconfiguring-tls.html%23node-certificates) ``` # cd ES-HOME-DIR bin/elasticsearch-certutil ca bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mv elastic-certificates.p12 config vi config/elasticsearch.yml ``` 针对证书,在配置文件中做修改。 ``` xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode to certificate: certificate xpack.security.http.ssl.keystore.path: elastic-certificates.p12 ``` ### 设置密码 通过设置访问密码,这是elastic用户和其他一些系统内置用户的密码 ``` bin/elasticsearch-setup-passwords auto ``` 把密码保存下来。 验证服务 ``` $ curl https://127.0.0.1:9200/_cat/health -k -u 
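The test above only shows that an LDAP user can log in; it does not show which roles the user ended up with. The role mapping created in this article, `"dn" : "*,ou=People,dc=roywork,dc=com"` with `roles: ["superuser"]`, grants full cluster administration to every entry under `ou=People`, which is far broader than a group-based rule. The following Python script is an added example, not code from the article or from Elasticsearch: it models how the role-mapping rule types (`field`, `any`, `all`, `except`) are evaluated against a user, runs the article's mapping and a tighter group-based alternative over a few constructed users, and prints the roles each user would receive. The sample users, the group DN `cn=admins,ou=Group,dc=roywork,dc=com`, the mapping names `es_admins` and `es_people_readonly` and the wildcard matching (an approximation of Elasticsearch's DN normalisation) are assumptions made for the example.

```python
"""Model Elasticsearch role-mapping rule evaluation for LDAP users.

Added example; approximates the role-mapping engine, it is not Elasticsearch code.
"""
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed sample users in the shape the role-mapping engine sees them
# (username, DN, group DNs, realm). Not real directory data.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"username": "ldapuser2", "dn": "uid=ldapuser2,ou=People,dc=roywork,dc=com",
     "groups": [], "realm": {"name": "ldap1"}},
    {"username": "alice", "dn": "uid=alice,ou=People,dc=roywork,dc=com",
     "groups": ["cn=admins,ou=Group,dc=roywork,dc=com"], "realm": {"name": "ldap1"}},
    {"username": "svc-backup", "dn": "uid=svc-backup,ou=Services,dc=roywork,dc=com",
     "groups": [], "realm": {"name": "ldap1"}},
]

# The mapping the article creates: every entry under ou=People becomes superuser.
PAGE_MAPPING: Dict[str, Dict[str, Any]] = {
    "users": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
    }
}

# Constructed least-privilege alternative: superuser only for members of an admins
# group; a read-only monitoring role for People entries authenticated via ldap1.
TIGHTER_MAPPING: Dict[str, Dict[str, Any]] = {
    "es_admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"groups": "cn=admins,ou=Group,dc=roywork,dc=com"}},
    },
    "es_people_readonly": {
        "enabled": True,
        "roles": ["monitoring_user"],
        "rules": {"all": [
            {"field": {"realm.name": "ldap1"}},
            {"field": {"dn": "*,ou=People,dc=roywork,dc=com"}},
        ]},
    },
}


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators, so that
    "cn=Manager, dc=roywork, dc=com" equals "cn=manager,dc=roywork,dc=com"."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def field_rule_matches(field: str, expected: Any, user: Dict[str, Any]) -> bool:
    """Evaluate {"field": {field: expected}}. `expected` may be a string (with
    '*' wildcard) or a list of such strings; a list-valued user attribute such as
    groups matches if any element matches. DN-valued fields are normalised first.
    (fnmatch also treats '?' and '[' specially; DNs here contain neither.)"""
    if field == "realm.name":
        actual = [user["realm"]["name"]]
    else:
        value = user.get(field)
        actual = value if isinstance(value, list) else [value]
    patterns = expected if isinstance(expected, list) else [expected]
    for pattern in patterns:
        for val in actual:
            if val is None:
                continue
            if field in ("dn", "groups"):
                if fnmatch.fnmatchcase(normalize_dn(val), normalize_dn(pattern)):
                    return True
            elif fnmatch.fnmatchcase(val, pattern):
                return True
    return False


def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Recursively evaluate a field / any / all / except rule tree."""
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return field_rule_matches(field, expected, user)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule type: {list(rule)}")


def resolve_roles(mappings: Dict[str, Dict[str, Any]], user: Dict[str, Any]) -> List[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


def compare_mappings() -> Dict[str, Tuple[List[str], List[str]]]:
    """Roles per sample user under the article's mapping vs. the tighter one."""
    return {u["username"]: (resolve_roles(PAGE_MAPPING, u),
                            resolve_roles(TIGHTER_MAPPING, u)) for u in SAMPLE_USERS}


if __name__ == "__main__":
    for name, (broad, tight) in compare_mappings().items():
        print(f"{name:12} article mapping: {broad!s:16} group-based: {tight}")
```

The output makes the difference concrete: under the article's mapping both `ldapuser2` and `alice` are `superuser` simply because their entries sit under `ou=People`, while the group-based mapping leaves `ldapuser2` with a read-only role and reserves `superuser` for the `admins` group; `svc-backup`, outside `ou=People`, receives nothing under either. On a live cluster the equivalent check is `GET /_security/_authenticate` as the LDAP user, whose response lists the roles actually assigned.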
adouk
2023-09-13 09:33