The configuration for the Elasticsearch security LDAP realm.


bind_anonymously (boolean, required)
When true, bindDb credentials are ignored
bind_dn (string)
The distinguished name of the user that is used to bind to the LDAP and perform searches. Only used when bind_type is set to 'user_search'.
bind_password (string)
The user password that is used to bind to the LDAP server. Only used when bind_type is set to 'user_search'.
bind_type (string; allowed values: [user_search, user_templates], required)
The type of user binding to apply
certificate_url (string)
The SSL trusted CA certificate bundle URL. The bundle should be a zip file containing a single keystore file 'keystore.ks' in the directory '/ldap/:id/truststore', where :id is the value of the [id] field.
certificate_url_truststore_password (string)
The password to the certificate bundle URL truststore
certificate_url_truststore_type (string; allowed values: [jks, PKCS12])
The format of the keystore file. Should be jks to use the Java Keystore format or PKCS12 to use PKCS#12 files. The default is jks.
enabled (boolean)
When true, enables the security realm
group_search (LdapGroupSearch)
The LDAP group search configuration
id (string, required)
The identifier for the security realm
load_balance (LdapSecurityRealmLoadBalance)
The LDAP load balancing behavior
name (string, required)
The friendly name of the security realm
order (integer as int32)
The order that the security realm is evaluated
override_yaml (string)
Advanced configuration options in YAML format. Any settings defined here will override any configuration set via the API. Note that all keys should omit the 'xpack.security.authc.realms.ldap.{realm_id}' prefix. For example, when the realm ID is set to 'ldap1', the advanced configuration 'xpack.security.authc.realms.ldap.ldap1.ssl.verification_mode: full' should be added as 'ssl.verification_mode: full'.
role_mappings (LdapSecurityRealmRoleMappingRules)
The role mapping rules associated with the security realm
urls (array[string], required)
The LDAP URLs used to authenticate against, in the format ldap[s]://server:port. Note that ldap and ldaps protocols cannot be mixed together.
user_dn_templates (array[string])
The distinguished name template that replaces the user name with the string {0}. Only used when bind_type is set to 'user_templates'.
user_group_attribute (string)
Specifies the attribute to examine on the user for group membership. If any 'group_search' settings are specified, this setting is ignored. Defaults to 'memberOf'.
user_search (LdapUserSearch)
The LDAP user search configuration. Only used when bind_type is set to 'user_search'.


   "bind_anonymously" : true,
   "bind_dn" : "string",
   "bind_password" : "string",
   "bind_type" : "string",
   "certificate_url" : "string",
   "certificate_url_truststore_password" : "string",
   "certificate_url_truststore_type" : "string",
   "enabled" : true,
   "group_search" : {
      "base_dn" : "string",
      "filter" : "string",
      "scope" : "string",
      "user_attribute" : "string"
   "id" : "string",
   "load_balance" : {
      "cache_ttl" : "string",
      "type" : "string"
   "name" : "string",
   "order" : 0,
   "override_yaml" : "string",
   "role_mappings" : {
      "default_roles" : [
      "rules" : [
            "roles" : [
            "type" : "string",
            "value" : "string"
   "urls" : [
   "user_dn_templates" : [
   "user_group_attribute" : "string",
   "user_search" : {
      "base_dn" : "string",
      "filter" : "string",
      "scope" : "string"