Comments (9)
nkvoll
commented on May 16, 2024
Now supported through a mixture of podTemplate and `config.
from cloud-on-k8s.
iahmad-khan
commented on May 16, 2024
Hi,
Any documentation how to enable LDAP user auth through ECK operator?
from cloud-on-k8s.
thbkrkr
commented on May 16, 2024
Any documentation how to enable LDAP user auth through ECK operator?
There is no special thing to do to configure LDAP authentication for Elasticsearch when using ECK.
See the Elasticsearch documentation to configure LDAP: https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html#ldap-realm-configuration
See the ECK documentation to add settings to the Elasticsearch configuration:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-node-configuration.html
Note that in version 1.0.0-beta1, we introduced a regression that by default disables the native realm. If you want it, you need explicitely declare it (https://discuss.elastic.co/t/new-user-cant-login-kibana/204810/2).
from cloud-on-k8s.
iahmad-khan
commented on May 16, 2024
Great, Thanks
from cloud-on-k8s.
iahmad-khan
commented on May 16, 2024
@thbkrkr I tried this config but doesnt seem to take any effect , is there a way to chck where it is failing? I don't see any ldap config created by operator.
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
name: livelogs
namespace: livelogs
spec:
version: 7.5.0
nodeSets:
- name: livelogs
count: 3
podTemplate:
spec:
containers:
- name: elasticsearch
image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
resources:
limits:
memory: 24Gi
cpu: 4
env:
- name: ES_JAVA_OPTS
value: "-Xms16g -Xmx16g"
http:
service:
spec:
type: NodePort
tls:
selfSignedCertificate:
disabled: true
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Gi
storageClassName: standard-01
config:
node.master: true
node.data: true
node.ingest: true
node.store.allow_mmap: true
xpack.security.authc.realms:
ldap:
ldap1:
order: 0
url: "ldaps://hh-ldap.mydomain"
bind_dn: "ou=people, dc=example, dc=com"
user_search:
base_dn: "dc=example,dc=com"
filter: "(uid={0})"
group_search:
base_dn: "example,dc=com"
EOF
from cloud-on-k8s.
thbkrkr
commented on May 16, 2024
The volumeClaimTemplates and config fields must be under a nodeSet object. In your manifest, the http section is misplaced and breaks this.
Corrected manifest:
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
name: livelogs
namespace: livelogs
spec:
version: 7.5.0
nodeSets:
- name: livelogs
count: 3
podTemplate:
spec:
containers:
- name: elasticsearch
image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
resources:
limits:
memory: 24Gi
cpu: 4
env:
- name: ES_JAVA_OPTS
value: "-Xms16g -Xmx16g"
config:
node.master: true
node.data: true
node.ingest: true
node.store.allow_mmap: true
xpack.security.authc.realms:
ldap:
ldap1:
order: 0
url: "ldaps://hh-ldap.mydomain"
bind_dn: "ou=people, dc=example, dc=com"
user_search:
base_dn: "dc=example,dc=com"
filter: "(uid={0})"
group_search:
base_dn: "example,dc=com"
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Gi
storageClassName: standard-01
http:
service:
spec:
type: NodePort
tls:
selfSignedCertificate:
disabled: truefrom cloud-on-k8s.
iahmad-khan
commented on May 16, 2024
@thbkrkr still not able to login , which pod logs should I check to see any ldap related errors.
from cloud-on-k8s.
iahmad-khan
commented on May 16, 2024
{"type": "server", "timestamp": "2020-01-08T12:50:38,453Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "livelogs", "node.name": "livelogs-es-livelogs-1", "message": "Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.', ldapSDKVersion=4.0.8, revision=28812))", "cluster.uuid": "Ji3ZceuDSoml98DBNZlxmQ", "node.id": "ZEx_070DR_mkjQYtNI5evg" }
but our ldap setup is working without password for other services.
from cloud-on-k8s.
thbkrkr
commented on May 16, 2024
According to the documentation https://www.elastic.co/guide/en/elasticsearch/reference/master/active-directory-realm.html, you need to add a xpack.security.authc.realms.ldap.ldap1.secure_bind_password setting in the keystore when you use a bind user.
Since it is not related to ECK, please use https://discuss.elastic.co/c/elasticsearch/6 to ask this kind of questions about setting up Elasticsearch.
from cloud-on-k8s.
Related Issues (20)
- Potentially allow disabling the creation of the `elastic` user.
- [Elasticsearch] - double containers with use podTemplate.spec.containers HOT 1
- Allow to setup monitoring cluster for APM Server
- [Feature] Standalone Elastic Agent Composite Agent Policies HOT 2
- Expand documentation of elastic-operator command-line
- Logstash StatefulSet initContainers command is not properly reconciliated HOT 1
- Storage class parameter update stopped working with k8s 1.27 on GKE HOT 1
- Upgrade EKS version in use in CI
- Restricted Installation instructions incomplete/broken
- Logging: Avoid uuids in field names
- Enhancing Kubernetes Controller Documentation for Elastic Agent Deployments
- GKE Autopilot tests broken on GKE 1.26 HOT 2
- ES restart after encrypting etcd data on openshift container platform 4.12
- TestFleet* is failing HOT 13
- OCP CI always using plans.yml instead of env var overrides
- Support controller-runtime v0.18.0
- ECK Operator chart webhook secret name reference invalid
- elastic-internal-diagnostics may not allow to detect all stack versions HOT 2
- How to add volumeClaimTemplate to eck elastic search HOT 1
- Custom Logs with operator eck dosen't works HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cloud-on-k8s.