Create Active Directory provider profiles

If you use an Active Directory (AD) server and LDAP to authenticate users, you can specify the servers, parameters, and the search modes that Elastic Cloud Enterprise uses to locate user credentials. There are several sections to the profile:

Begin the provider profile by adding the general settings:

  1. Log into the Cloud UI.
  2. Go to Users and then Authentication providers.
  3. From the Add provider drop-down menu, select Active Directory.
  4. Provide a unique profile name. This name becomes the realm ID, with any spaces replaced by hyphens.

    The name can be changed, but the realm ID cannot. The realm ID becomes part of the certificate bundle.

  5. Add one or more LDAP server URLs and the port. You can use LDAP or LDAPS, but you can’t use a mix of types.

    Example: ldaps://

  6. Choose how you want your load balancing to work:

    Failover
    If an LDAP server connection fails, the LDAP traffic is processed by the servers in the order they were entered. The first server that connects gets used for subsequent connections.
    DNS failover
    The request is sent to a DNS hostname and the associated server IP addresses are searched in the order they are listed by the load balancer. Each request starts at the beginning of the IP address list, regardless of previous failures.
    Round robin
    A server is chosen at random and the traffic connects to each server IP address until a connection is made.
    DNS round robin
    The request is sent to a DNS hostname that is configured with multiple IP addresses, rotating through them until a connection is made.
  7. Provide the top-level domain name.

Prepare certificates

Optionally, you can add one or more certificate authorities (CAs) to validate the server certificate over SSL/TLS. Connecting via SSL/TLS ensures that the identity of the AD server is authenticated before Elastic Cloud Enterprise transmits the user credentials, and that the contents of the connection are encrypted. If the AD server also requires a client certificate for authentication, the bundle must additionally include the client private key as proof of identity.

  1. Provide the URL to the keystore ZIP file with the certificate(s) (optionally also containing the client private key if using client certificate authentication).

    The bundle should be a ZIP file containing a single keystore.ks file in the directory /ad/:id/truststore, where :id is the value of the Realm ID field created in the General settings.

  2. Select a truststore type.
  3. Add the password to access the truststore bundle.
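To check that a bundle follows the layout described above before uploading it, here is an added example (not Elastic's code) that derives the realm ID from the profile name, builds a bundle ZIP, and verifies that exactly one keystore.ks sits at ad/:id/truststore. It assumes ZIP entry names without a leading slash and tolerates one if present; the keystore bytes are a constructed placeholder, not a real keystore.

```python
import io
import posixpath
import zipfile
from typing import List


def realm_id_from_name(profile_name: str) -> str:
    """The realm ID is the profile name with spaces replaced by hyphens."""
    return profile_name.strip().replace(" ", "-")


def expected_keystore_path(realm_id: str) -> str:
    """Path the keystore must occupy inside the bundle (documented layout)."""
    return f"ad/{realm_id}/truststore/keystore.ks"


def build_bundle(realm_id: str, keystore_bytes: bytes) -> bytes:
    """Package keystore bytes into a bundle ZIP using the expected layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(expected_keystore_path(realm_id), keystore_bytes)
    return buf.getvalue()


def check_bundle(bundle_bytes: bytes, realm_id: str) -> List[str]:
    """Return a list of layout problems; an empty list means the bundle is valid."""
    problems = []
    wanted = expected_keystore_path(realm_id)
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        # Assumption: tolerate a leading "/" as in the documented "/ad/:id/truststore".
        names = [n.lstrip("/") for n in zf.namelist() if not n.endswith("/")]
    keystores = [n for n in names if posixpath.basename(n) == "keystore.ks"]
    if len(keystores) != 1:
        problems.append(f"expected exactly one keystore.ks, found {len(keystores)}")
    for n in keystores:
        if n != wanted:
            problems.append(f"keystore at {n!r}, expected {wanted!r}")
    extras = [n for n in names if n not in keystores]
    if extras:
        problems.append(f"unexpected entries in bundle: {extras}")
    return problems


if __name__ == "__main__":
    realm = realm_id_from_name("Corp AD")  # constructed profile name
    bundle = build_bundle(realm, b"CONSTRUCTED-KEYSTORE-PLACEHOLDER")
    print(realm, check_bundle(bundle, realm) or "bundle layout OK")
```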

Supply the bind credentials

Either select Bind anonymously for user searches, or specify the distinguished name (DN) of the bind user and the bind password.

Bind settings are not used with search templates.

Configure the search settings

The profile can specify each of the details for a user search or use a template to perform AD queries.

To configure the user search:

  1. Provide the Base DN for the user or the group.
  2. Set the Search scope:

    Sub tree
    Searches everything under the base but not the base itself.
    One level
    Searches for objects within the base DN.
    Base
    Uses only the base DN as the user object.
  3. Optional: Specify any additional query filters.
  4. Optional: Specify an attribute such as memberof to apply the profile to all members of that group who match the query, or use uniquemember to narrow the query further.

To search with a template:

  1. Select Template.
  2. Provide one or more User DN templates.

Create role mappings

When a user match is found, the role mapping assigns privileges to that user.

To assign all matched users a single role, select one of the Default roles.

To assign roles according to the User DN or Group DN, use the Add role mapping rule fields.

Custom configuration

You can add any additional settings to the Advanced configuration YAML file. For example, if you need to skip verification of the AD server certificate in a testing environment, you might add ssl.verification_mode: none.