Comments (9)
Now supported through a mixture of `podTemplate` and `config`.
from cloud-on-k8s.
Hi,
Any documentation how to enable LDAP user auth through ECK operator?
from cloud-on-k8s.
> Any documentation how to enable LDAP user auth through ECK operator?
There is no special thing to do to configure LDAP authentication for Elasticsearch when using ECK.
See the Elasticsearch documentation to configure LDAP: https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html#ldap-realm-configuration
See the ECK documentation to add settings to the Elasticsearch configuration:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-node-configuration.html
Note that in version 1.0.0-beta1, we introduced a regression that by default disables the native realm. If you want it, you need to explicitly declare it (https://discuss.elastic.co/t/new-user-cant-login-kibana/204810/2).
from cloud-on-k8s.
Great, Thanks
from cloud-on-k8s.
@thbkrkr I tried this config but it doesn't seem to take any effect, is there a way to check where it is failing? I don't see any ldap config created by operator.
```sh
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: livelogs
  namespace: livelogs
spec:
  version: 7.5.0
  nodeSets:
  - name: livelogs
    count: 3
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
          resources:
            limits:
              memory: 24Gi
              cpu: 4
          env:
          - name: ES_JAVA_OPTS
            value: "-Xms16g -Xmx16g"
  http:
    service:
      spec:
        type: NodePort
    tls:
      selfSignedCertificate:
        disabled: true
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Gi
        storageClassName: standard-01
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: true
      xpack.security.authc.realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://hh-ldap.mydomain"
            bind_dn: "ou=people, dc=example, dc=com"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(uid={0})"
            group_search:
              base_dn: "example,dc=com"
EOF
```
from cloud-on-k8s.
The `volumeClaimTemplates` and `config` fields must be under a `nodeSet` object. In your manifest, the `http` section is misplaced and breaks this.

Corrected manifest:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: livelogs
  namespace: livelogs
spec:
  version: 7.5.0
  nodeSets:
  - name: livelogs
    count: 3
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
          resources:
            limits:
              memory: 24Gi
              cpu: 4
          env:
          - name: ES_JAVA_OPTS
            value: "-Xms16g -Xmx16g"
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: true
      xpack.security.authc.realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://hh-ldap.mydomain"
            bind_dn: "ou=people, dc=example, dc=com"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(uid={0})"
            group_search:
              base_dn: "example,dc=com"
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Gi
        storageClassName: standard-01
  http:
    service:
      spec:
        type: NodePort
    tls:
      selfSignedCertificate:
        disabled: true
```
from cloud-on-k8s.
@thbkrkr still not able to login, which pod logs should I check to see any ldap related errors?
from cloud-on-k8s.
```json
{"type": "server", "timestamp": "2020-01-08T12:50:38,453Z", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "livelogs", "node.name": "livelogs-es-livelogs-1", "message": "Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=89 (parameter error), diagnosticMessage='Simple bind operations are not allowed to contain a bind DN without a password.', ldapSDKVersion=4.0.8, revision=28812))", "cluster.uuid": "Ji3ZceuDSoml98DBNZlxmQ", "node.id": "ZEx_070DR_mkjQYtNI5evg" }
```
but our ldap setup is working without password for other services.
from cloud-on-k8s.
According to the documentation https://www.elastic.co/guide/en/elasticsearch/reference/master/active-directory-realm.html, you need to add a `xpack.security.authc.realms.ldap.ldap1.secure_bind_password` setting in the keystore when you use a bind user.
Since it is not related to ECK, please use https://discuss.elastic.co/c/elasticsearch/6 to ask these kinds of questions about setting up Elasticsearch.
from cloud-on-k8s.
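With ECK, the keystore entry named in the last reply can be supplied through `spec.secureSettings`, which loads the keys of a Kubernetes Secret into the Elasticsearch keystore on each node. The manifest below is an added example, not part of the thread: the Secret name `ldap-bind-credentials` and the password value are placeholders, and the `native1` realm is an assumption based on the regression note earlier in the thread.

```yaml
# Added example: Secret name and password value are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: ldap-bind-credentials        # hypothetical name
  namespace: livelogs
stringData:
  # Each key in the Secret becomes one keystore entry.
  xpack.security.authc.realms.ldap.ldap1.secure_bind_password: "<bind-password>"
---
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: livelogs
  namespace: livelogs
spec:
  version: 7.5.0
  secureSettings:
  - secretName: ldap-bind-credentials
  nodeSets:
  - name: livelogs
    count: 3
    config:
      xpack.security.authc.realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://hh-ldap.mydomain"
            # bind_dn is set, so the realm needs secure_bind_password in the
            # keystore; without it the bind fails with resultCode=89 as logged.
            bind_dn: "ou=people, dc=example, dc=com"
            user_search:
              base_dn: "dc=example,dc=com"
              filter: "(uid={0})"
        native:
          # Declared explicitly because of the 1.0.0-beta1 regression
          # mentioned above; realm orders must be unique.
          native1:
            order: 1
```

Keeping the bind password in a Secret rather than in `config` keeps it out of the Elasticsearch resource and out of the rendered `elasticsearch.yml`.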