Create LDAP provider profilesedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

If you use a Lightweight Directory Access Protocol (LDAP) server to authenticate users, you can specify the servers, parameters, and the search modes that Elastic Cloud Enterprise uses to locate user credentials. There are several sections to the profile:

Begin the provider profile by adding the general settings:

  1. Log into the Cloud UI.
  2. Go to Users and then Authentication providers.
  3. From the Add provider drop-down menu, select LDAP.
  4. Provide a unique profile name. This name becomes the realm ID, with any spaces replaced by hyphens.

    The name can be changed, but the realm ID cannot. The realm ID becomes part of the certificate bundle.

  5. Add one or more LDAP server URLs and the port. You can use LDAP or LDAPS, but you can’t use a mix of types.

    Example: ldaps://

  6. Choose your load balancing type preference:

    • Failover - If a LDAP server connection fails, the LDAP traffic is processed by the servers in the order they were entered. The first server that connects gets used for subsequent connections.
    • DNS failover - The request is sent to a DNS hostname and the associated server IP addresses are searched in the order they are listed by the load balancer. Each request starts at the beginning of the IP address list, regardless of previous failures.
    • Round robin - A server is chosen at random and the traffic connects to each server IP address until a connection is made.
    • DNS round robin - The request is sent to a DNS hostname that is configured to with multiple IP addresses, rotating through until a connection is made.

Prepare certificatesedit

Though optional, you can add one or more certificate authorities (CAs) to validate user certificates with SSL/TLS. Connecting via SSL/TLS ensures that the identity of the LDAP server is authenticated before Elastic Cloud Enterprise transmits the user credentials and that the contents of the connection are encrypted. If the LDAP server also requires a client certificate for authentication then you will need to additionally include the client private key in the bundle for proof of identity.

  1. Provide the URL to the keystore ZIP file with the certificate(s) (optionally also containing the client private key if using client certificate authentication).

    The bundle should be a ZIP file containing a single keystore.ks file in the directory /ldap/:id/truststore, where :id is the value of the Realm ID field created in the General settings.

  2. Select a truststore type.
  3. Add the password to access the truststore bundle.

Supply the bind credentialsedit

You can either select Bind anonymously for user searches or you must specify the distinguished name (DN) of the user to bind and the bind password.

Bind settings are not used with search templates.

Configure the search settingsedit

The profile can specify each of the details for a user search or use a template to perform LDAP queries.

To configure the user search:

  1. Provide the Base DN for the user or the group.
  2. Set the Search scope:

    • Sub-tree - searches everything under the base but not the base itself.
    • One level - searches for objects within the base DN.
    • Base uses - only the base DN as the user object.
  3. Optional: Specify any additional query filters.
  4. Optional: You can specify an attribute such as memberof to apply the profile to all members who are included in that group and match the query or you could use uniquemember to limit the query further.

To search with a template:

  1. Select Template.
  2. Provide one or more User DN templates.

Create role mappingsedit

When a user match is found, the role mapping assigns them privileges.

To assign all matched users a single role, select one of the Default roles.

To assign roles according to the User DN or Group DN, use the Add role mapping rule fields.

Custom configurationedit

You can add any additional settings to the Advanced configuration YAML file. For example, if you need to ignore the SSL check in a testing environment, you might add ssl.verification_mode: none.