Comments (9)
Now supported through a mixture of `podTemplate` and `config`.
from cloud-on-k8s.
Hi,
Any documentation how to enable LDAP user auth through ECK operator?
from cloud-on-k8s.
> Any documentation how to enable LDAP user auth through ECK operator?
There is no special thing to do to configure LDAP authentication for Elasticsearch when using ECK.
See the Elasticsearch documentation to configure LDAP: https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html#ldap-realm-configuration
See the ECK documentation to add settings to the Elasticsearch configuration:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-node-configuration.html
Note that in version 1.0.0-beta1, we introduced a regression that by default disables the native realm. If you want it, you need to explicitly declare it (https://discuss.elastic.co/t/new-user-cant-login-kibana/204810/2).
from cloud-on-k8s.
Great, Thanks
from cloud-on-k8s.
@thbkrkr I tried this config but it doesn't seem to take any effect, is there a way to check where it is failing? I don't see any ldap config created by operator.
```sh
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: livelogs
  namespace: livelogs
spec:
  version: 7.5.0
  nodeSets:
  - name: livelogs
    count: 3
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
          resources:
            limits:
              memory: 24Gi
              cpu: 4
          env:
          - name: ES_JAVA_OPTS
            value: "-Xms16g -Xmx16g"
  http:
    service:
      spec:
        type: NodePort
    tls:
      selfSignedCertificate:
        disabled: true
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Gi
        storageClassName: standard-01
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: true
      xpack.security.authc.realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://hh-ldap.mydomain"
            bind_dn: "ou=people, dc=example, dc=com"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(uid={0})"
            group_search:
              base_dn: "example,dc=com"
EOF
```
from cloud-on-k8s.
The `volumeClaimTemplates` and `config` fields must be under a `nodeSet` object. In your manifest, the `http` section is misplaced and breaks this.
Corrected manifest:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: livelogs
  namespace: livelogs
spec:
  version: 7.5.0
  nodeSets:
  - name: livelogs
    count: 3
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
          resources:
            limits:
              memory: 24Gi
              cpu: 4
          env:
          - name: ES_JAVA_OPTS
            value: "-Xms16g -Xmx16g"
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: true
      xpack.security.authc.realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://hh-ldap.mydomain"
            bind_dn: "ou=people, dc=example, dc=com"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(uid={0})"
            group_search:
              base_dn: "example,dc=com"
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Gi
        storageClassName: standard-01
  http:
    service:
      spec:
        type: NodePort
    tls:
      selfSignedCertificate:
        disabled: true
```
from cloud-on-k8s.
@thbkrkr still not able to log in, which pod logs should I check to see any ldap related errors?
from cloud-on-k8s.
{"type": "server", "timestamp": "2020-01-08T12:50:38,453Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "livelogs", "node.name": "livelogs-es-livelogs-1", "message": "Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.', ldapSDKVersion=4.0.8, revision=28812))", "cluster.uuid": "Ji3ZceuDSoml98DBNZlxmQ", "node.id": "ZEx_070DR_mkjQYtNI5evg" }
but our ldap setup is working without password for other services.
from cloud-on-k8s.
According to the documentation https://www.elastic.co/guide/en/elasticsearch/reference/master/active-directory-realm.html, you need to add a `xpack.security.authc.realms.ldap.ldap1.secure_bind_password` setting in the keystore when you use a bind user.
Since it is not related to ECK, please use https://discuss.elastic.co/c/elasticsearch/6 to ask this kind of question about setting up Elasticsearch.
from cloud-on-k8s.
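The two failures in this thread can be caught before `kubectl apply`. The following is an added example, not code from the thread or from the ECK project: a Python check over a manifest already parsed into a dict, flagging `config`/`volumeClaimTemplates` outside a nodeSet and an LDAP realm that sets `bind_dn` with no `spec.secureSettings` (ECK's field for keystore entries). Assumptions: the manifests are constructed, trimmed versions of the ones posted, nesting the fields under `http` is one reading of the misplaced manifest, and `ldap-bind-password` is a hypothetical Secret name.

```python
import re

REALMS = "xpack.security.authc.realms"
NODESET_ONLY = {"config", "volumeClaimTemplates"}

def walk(node, path):
    """Yield (parent_path, key) for every mapping key below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def lint(manifest):
    """Return findings for the two failures seen in this thread."""
    spec = manifest.get("spec", {})
    findings = []
    # 1. config and volumeClaimTemplates only count directly under a nodeSet.
    for parent, key in walk(spec, "spec"):
        if key in NODESET_ONLY and not re.fullmatch(r"spec\.nodeSets\[\d+\]", parent):
            findings.append(f"misplaced: {parent}.{key}")
    # 2. A realm with bind_dn needs secure_bind_password in the keystore; the
    #    manifest can only show whether any spec.secureSettings is declared.
    has_secure = bool(spec.get("secureSettings"))
    for ns in spec.get("nodeSets", []):
        ldap = ns.get("config", {}).get(REALMS, {}).get("ldap", {})
        for name, realm in ldap.items():
            if "bind_dn" in realm and not has_secure:
                findings.append(f"no-bind-password: {ns.get('name')}/{name}")
    return findings

# Constructed, trimmed versions of the two manifests posted in the thread.
CONFIG = {"node.master": True, REALMS: {"ldap": {"ldap1": {
    "order": 0, "url": "ldaps://hh-ldap.mydomain",
    "bind_dn": "ou=people, dc=example, dc=com"}}}}
HTTP = {"tls": {"selfSignedCertificate": {"disabled": True}}}
VCT = [{"metadata": {"name": "elasticsearch-data"}}]
NODESET = {"name": "livelogs", "count": 3}
BROKEN = {"spec": {"nodeSets": [NODESET],
                   "http": {**HTTP, "volumeClaimTemplates": VCT, "config": CONFIG}}}
FIXED = {"spec": {"nodeSets": [{**NODESET, "config": CONFIG,
                                "volumeClaimTemplates": VCT}], "http": HTTP}}
# "ldap-bind-password" is a hypothetical Secret name.
KEYED = {"spec": {**FIXED["spec"],
                  "secureSettings": [{"secretName": "ldap-bind-password"}]}}

if __name__ == "__main__":
    for label, m in (("broken", BROKEN), ("fixed", FIXED), ("keyed", KEYED)):
        print(label, lint(m))
```

The check cannot see inside the referenced Secret, so the presence of the `secure_bind_password` key itself still has to be confirmed separately.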