Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 43065ea536
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
securing-communications
/
tls-ldap.asciidoc

tls-ldap.asciidoc 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. [role="xpack"]
    2. 

  2. [[tls-ldap]]
    3. 

  3. ==== Encrypting communications between {es} and LDAP
    4. 

  4. 

  5. To protect the user credentials that are sent for authentication in an LDAP 
    6. 

  6. realm, it's highly recommended to encrypt communications between {es} and your 
    7. 

  7. LDAP server. Connecting via SSL/TLS ensures that the identity of the LDAP server 
    8. 

  8. is authenticated before {es} transmits the user credentials and the 
    9. 

  9. contents of the connection are encrypted. Clients and nodes that connect via 
    10. 

  10. TLS to the LDAP server need to have the LDAP server's certificate or the 
    11. 

  11. server's root CA certificate installed in their keystore or truststore. 
    12. 

  12. 

  13. For more information, see <<configuring-ldap-realm>>. 
    14. 

  14. 

  15. . Configure the realm's TLS settings on each node to trust certificates signed 
    16. 

  16. by the CA that signed your LDAP server certificates. The following example 
    17. 

  17. demonstrates how to trust a CA certificate, `cacert.pem`, located within the 
    18. 

  18. {es} configuration directory (ES_PATH_CONF):
    19. 

  19. +
    20. 

  20. --
    21. 

  21. [source,shell]
    22. 

  22. --------------------------------------------------
    23. 

  23. xpack:
    24. 

  24.   security:
    25. 

  25.     authc:
    26. 

  26.       realms:
    27. 

  27.         ldap:
    28. 

  28.           ldap1:
    29. 

  29.             order: 0
    30. 

  30.             url: "ldaps://ldap.example.com:636"
    31. 

  31.             ssl:
    32. 

  32.               certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
    33. 

  33. --------------------------------------------------
    34. 

  34. 

  35. The CA certificate must be a PEM encoded.
    36. 

  36. 

  37. NOTE: You can also specify the individual server certificates rather than the CA
    38. 

  38. certificate, but this is only recommended if you have a single LDAP server or 
    39. 

  39. the certificates are self-signed.
    40. 

  40. 

  41. --
    42. 

  42. 

  43. . Set the `url` attribute in the realm configuration to specify the LDAPS
    44. 

  44. protocol and the secure port number. For example, `url: ldaps://ldap.example.com:636`.
    45. 

  45. 

  46. . Restart {es}.
    47. 

  47. 

  48. NOTE: By default, when you configure {es} to connect to an LDAP server
    49. 

  49.       using SSL/TLS, it attempts to verify the hostname or IP address
    50. 

  50.       specified with the `url` attribute in the realm configuration with the
    51. 

  51.       values in the certificate. If the values in the certificate and realm
    52. 

  52.       configuration do not match, {es} does not allow a connection to the
    53. 

  53.       LDAP server. This is done to protect against man-in-the-middle attacks. If
    54. 

  54.       necessary, you can disable this behavior by setting the
    55. 

  55.       `ssl.verification_mode` property to `certificate`.
    56.