# 6.4.6.5 LDAP user authentication

LDAP can be used for both authentication and authorization, so it can appear in both the `authc` and `authz` sections of the configuration. The `authc` section configures authentication, i.e. checking whether the user supplied the correct credentials. The `authz` section handles authorization and defines how the roles of an authenticated user are retrieved and mapped.

Edit the `elasticsearch.yml` file and add the following:

```
# X-Pack ldap auth
xpack:
  security:
    authc:
      realms:
        native:
          type: native
          order: 0
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://ldap.example.net:636"
          ssl:
            certificate_authorities: [ "/etc/elasticsearch/certs/wildcard.example.net.crt" ]
          user_search:
            base_dn: "ou=stuff,dc=example,dc=net"
            attribute: uid
          group_search:
            base_dn: "ou=Group,dc=example,dc=net"
            filter: "(&(objectClass=posixGroup)(memberUid={0}))"
            user_attribute: "uid"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false
```
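To make the interplay of `user_search` and `group_search` concrete, here is an added Python simulation (not Elasticsearch's code) of how the `ldap1` realm above resolves a login name: a subtree search under `user_search.base_dn` for `uid=<name>`, then the `group_search.filter` with `{0}` replaced by the user's `uid`. The directory entries are constructed, the filter evaluator only supports `=`, `&`, `|` and `!`, and attribute values are compared exactly; no LDAP server is contacted.

```python
"""Added example (not Elasticsearch's code): simulates how the ldap1 realm
above resolves a login name to a user DN and its groups. It uses the
user_search / group_search settings from the elasticsearch.yml excerpt and
a small constructed in-memory directory; no LDAP server is contacted."""
import re
from typing import Dict, List, Optional, Tuple

# Realm settings copied from the elasticsearch.yml excerpt.
REALM = {
    "user_search": {"base_dn": "ou=stuff,dc=example,dc=net", "attribute": "uid"},
    "group_search": {
        "base_dn": "ou=Group,dc=example,dc=net",
        "filter": "(&(objectClass=posixGroup)(memberUid={0}))",
        "user_attribute": "uid",
    },
}

# Constructed directory: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=gongxiude,ou=stuff,dc=example,dc=net": {"objectClass": ["posixAccount"], "uid": ["gongxiude"]},
    "uid=alice,ou=stuff,dc=example,dc=net": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "cn=yunwei,ou=Group,dc=example,dc=net": {"objectClass": ["posixGroup"], "memberUid": ["gongxiude"]},
    "cn=apollo-beijing,ou=Group,dc=example,dc=net": {"objectClass": ["posixGroup"], "memberUid": ["gongxiude", "alice"]},
    # not a posixGroup, so the group_search filter must skip it
    "cn=old-team,ou=Group,dc=example,dc=net": {"objectClass": ["groupOfNames"], "memberUid": ["alice"]},
    # outside group_search.base_dn, so it must never be returned
    "cn=yunwei,ou=Group,dc=other,dc=net": {"objectClass": ["posixGroup"], "memberUid": ["gongxiude"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for values placed into a filter. The realm's client
    library escapes the {0} substitution the same way; it is what keeps a
    login name from changing the structure of the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _parse(f: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse one filter component starting at f[i]; supports =, &, |, !."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    # undo \XX escapes so the comparison sees the literal value
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1


def _match(node: tuple, attrs: Dict[str, List[str]]) -> bool:
    if node[0] == "=":
        # exact match; a real server applies the attribute's matching rule
        return node[2] in attrs.get(node[1], [])
    kids = node[1]
    if node[0] == "&":
        return all(_match(k, attrs) for k in kids)
    if node[0] == "|":
        return any(_match(k, attrs) for k in kids)
    return not _match(kids[0], attrs)  # "!"


def _in_subtree(dn: str, base_dn: str) -> bool:
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree search: DNs under base_dn whose attributes satisfy the filter."""
    node, _ = _parse(ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items() if _in_subtree(dn, base_dn) and _match(node, attrs)]


def resolve_user(username: str) -> Optional[Dict[str, object]]:
    """Return the ldap_dn / ldap_groups metadata that _authenticate shows,
    or None when user_search does not find exactly one entry."""
    us, gs = REALM["user_search"], REALM["group_search"]
    hits = search(us["base_dn"], f"({us['attribute']}={escape_filter_value(username)})")
    if len(hits) != 1:
        return None
    dn = hits[0]
    # {0} is replaced with the user's group_search.user_attribute value (uid here)
    subst = escape_filter_value(DIRECTORY[dn][gs["user_attribute"]][0])
    groups = search(gs["base_dn"], gs["filter"].replace("{0}", subst))
    return {"ldap_dn": dn, "ldap_groups": groups}


if __name__ == "__main__":
    print(resolve_user("gongxiude"))
    print(resolve_user("nobody"))
```

Note that `old-team` is dropped because of the `objectClass=posixGroup` clause and the `dc=other` group because it lies outside `group_search.base_dn`: tightening either setting is how you keep an LDAP tree with mixed group types from leaking unintended memberships into `ldap_groups`.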

Edit `role_mapping.yml`, the file that binds `users` to `roles`, and add the following. This file is optional; the mappings are normally configured through the `API` instead.

```
root@es-welog02cn-p005:/etc/elasticsearch# cat role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"
# power_user_roles BEGIN ANSIBLE MANAGED BLOCK
superuser:
  - "cn=yunwei,ou=Group,dc=example,dc=net"
# power_user_roles END ANSIBLE MANAGED BLOCK
```

## **Querying ES roles through the API**

The Management page in the Kibana UI can manage roles and built-in users, but when LDAP is used for sign-in there is no way to configure this from the web UI; only the role\_mapping.yml file can be used, and keeping that file in sync becomes quite a chore once the cluster has many nodes.

> PS: When calling the API over HTTP, you must specify a Basic Auth username and password; a request without credentials returns a 403 error.

## **Create a role**

Create a role and grant it privileges on an index so that it can read some of the fields in that index.

```bash
POST /_xpack/security/role/<rolename>

POST /_xpack/security/role/kibana_autofinance_reader
{
        "cluster": [],
        "indices": [
            {
                "names": [
                    "kibana_sample_data_logs"
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ]
}
```

Response

```
{
  "role": {
    "created": true
  }
}
```

## **Query roles**

```bash
GET /_xpack/security/role #list all roles
GET /_xpack/security/role/kibana_autofinance_reader #query a specific role
```

Response

```javascript
{
    "kibana_autofinance_reader": {
        "cluster": [],
        "indices": [
            {
                "names": [
                    "logstash-autofinance-*",
                    "logstash-o2o.v2-nginx-*"
                ],
                "privileges": [
                    "read",
                    "view_index_metadata"
                ],
                "field_security": {
                    "grant": [
                        "*"
                    ]
                }
            }
        ],
        "applications": [
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:autofinance-space"
                ]
            },
            {
                "application": "kibana-.kibana",
                "privileges": [
                    "space_read"
                ],
                "resources": [
                    "space:o2o-space"
                ]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
}
```

## **Bind a role to users**

Essentially this creates a mapping between users and a role; the path parameter is the name of that mapping.

```bash
POST /_xpack/security/role_mapping/<user_role_map_name>

POST /_xpack/security/role_mapping/group_autofinance_role
{
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
}
```

Response

```
{
  "role_mapping": {
    "created": true
  }
}
```

## **Query user-to-role mappings**

```bash
GET /_xpack/security/role_mapping #list all user-to-role mappings

GET /_xpack/security/role_mapping/group_autofinance_role #query a specific user-to-role mapping
```

Response

```
{
    "group_autofinance_role": {
        "enabled": true,
        "roles": [
            "kibana_autofinance_reader"
        ],
        "rules": {
            "field": {
                "groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"
            }
        },
        "metadata": {}
    }
}
```

## Query user information

```
GET /_xpack/security/_authenticate -u zhangyan:zhangyan
Response:
{
    "username": "gongxiude",
    "roles": [
        "superuser"
    ],
    "full_name": null,
    "email": null,
    "metadata": {
        "ldap_dn": "uid=gongxiude,ou=stuff,dc=example,dc=net",
        "ldap_groups": [
            "cn=yunwei,ou=Group,dc=example,dc=net",
            "cn=k8s-histore-cluster-admin,ou=Group,dc=example,dc=net",
            "cn=apollo-beijing,ou=Group,dc=example,dc=net",
            "cn=apollo-histore,ou=Group,dc=example,dc=net"
        ]
    },
    "enabled": true
}
```
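The role-mapping section above shows a `rules` block that matches on `groups`, and the `_authenticate` output shows the `ldap_groups` those rules are matched against. The following added Python example (not Elasticsearch's code) evaluates mappings of that shape against the user data from the `_authenticate` response, so you can see which roles a user ends up with. It supports the rule types `field`, `any`, `all` and `except`; the mappings `ops_superuser`, `apollo_readers` and `legacy_admins` are constructed, and `field` values are compared as case-sensitive globs, which is a simplification of Elasticsearch's own matching.

```python
"""Added example (not Elasticsearch's code): evaluates role-mapping rules of
the kind shown above against the user data that _authenticate returns, to
show which roles a user ends up with. Supports the rule types
field / any / all / except. Simplification: 'field' values are compared as
case-sensitive globs (fnmatch), not with Elasticsearch's DN comparison."""
import fnmatch
from typing import Any, Dict, List

# group_autofinance_role is the mapping from the page; the others are constructed.
ROLE_MAPPINGS: Dict[str, Dict[str, Any]] = {
    "group_autofinance_role": {
        "enabled": True,
        "roles": ["kibana_autofinance_reader"],
        "rules": {"field": {"groups": "cn=auto_finance_tech,ou=Group,dc=example,dc=net"}},
    },
    "ops_superuser": {  # constructed; same effect as the superuser entry in role_mapping.yml
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"field": {"groups": "cn=yunwei,ou=Group,dc=example,dc=net"}},
    },
    "apollo_readers": {  # constructed: any apollo-* group, unless the account is a svc-* user
        "enabled": True,
        "roles": ["apollo_reader"],
        "rules": {"all": [
            {"field": {"groups": "cn=apollo-*,ou=Group,dc=example,dc=net"}},
            {"except": {"field": {"username": "svc-*"}}},
        ]},
    },
    "legacy_admins": {  # constructed: disabled mappings are ignored entirely
        "enabled": False,
        "roles": ["legacy_admin"],
        "rules": {"field": {"username": "*"}},
    },
}

# The user as the mapping engine sees it (values from the page's _authenticate output).
USER: Dict[str, Any] = {
    "username": "gongxiude",
    "dn": "uid=gongxiude,ou=stuff,dc=example,dc=net",
    "groups": [
        "cn=yunwei,ou=Group,dc=example,dc=net",
        "cn=k8s-histore-cluster-admin,ou=Group,dc=example,dc=net",
        "cn=apollo-beijing,ou=Group,dc=example,dc=net",
        "cn=apollo-histore,ou=Group,dc=example,dc=net",
    ],
    "metadata": {},
}


def _values(user: Dict[str, Any], path: str) -> List[Any]:
    """Resolve 'groups' or a dotted path such as 'metadata.team' to a list of values."""
    cur: Any = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return cur if isinstance(cur, list) else [cur]


def evaluate(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """True when the rule accepts the user."""
    if "field" in rule:
        (name, expected), = rule["field"].items()
        patterns = expected if isinstance(expected, list) else [expected]
        # a multi-valued field (groups) matches when any value matches any pattern
        return any(fnmatch.fnmatchcase(str(v), str(p))
                   for v in _values(user, name) for p in patterns)
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule}")


def resolve_roles(user: Dict[str, Any], mappings: Dict[str, Dict[str, Any]]) -> List[str]:
    """Union of the roles of every enabled mapping whose rules accept the user.
    With unmapped_groups_as_roles: false, a group that no mapping names
    (k8s-histore-cluster-admin here) contributes nothing."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    print(resolve_roles(USER, ROLE_MAPPINGS))
```

Run against the page's user, this yields `superuser` (via the `yunwei` group) and `apollo_reader`, while `k8s-histore-cluster-admin` grants nothing because no mapping references it; that is the effect of `unmapped_groups_as_roles: false` in the realm config, and it is the setting to keep when LDAP group names are not under the Elasticsearch administrators' control.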

