Configuring Elasticsearch to log in with a Windows account (AD)
- Edit the es configuration file
- Create the role mapping file
- Add the Windows account's password
- Give the role mapping and cacert files the correct permissions
- Restart Kibana and Elasticsearch
- Log in to Elasticsearch from the Kibana page
Reference articles:
• https://www.elastic.co/guide/en/elasticsearch/reference/current/active-directory-realm.html
• https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ref-ad-settings
• https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-keystore.html
Edit the es configuration file
sudo vi /etc/elasticsearch/elasticsearch.yml
Add the following configuration
xpack.security.authc.realms:
  native:
    native1:
      order: 1
  active_directory:
    my_ad:
      order: 0
      domain_name: domain
      url: ldaps://domain:port
      load_balance:
        type: "round_robin"
      bind_dn: "username@domain"
      ssl:
        certificate_authorities: [ "/etc/elasticsearch/certs/cacert.crt" ]
      user_search:
        base_dn: "DC=your_dc,DC=your_dc"
        filter: "(&(objectClass=user)(sAMAccountName={0}))"
      files:
        role_mapping: "/etc/elasticsearch/my_ad_role_mapping.yml"
      metadata:
        - cn
        - mail
        - displayName
Replace domain with your domain name
Replace ldaps://domain:port with the address and port of your LDAP server
Replace cacert.crt with the server's CA certificate
Replace your_dc with your DC
Create the role mapping file
Within a mapping definition, you specify groups using their distinguished names. For example, the following mapping configuration maps the Active Directory admins group to both the monitoring and user roles, maps the users group to the user role and maps the John Doe user to the user role.
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
In this file:
- monitoring and user are the names of the roles.
- "cn=admins,dc=example,dc=com" is the Active Directory distinguished name (DN) of the admins group.
- "cn=users,dc=example,dc=com" is the Active Directory distinguished name (DN) of the users group.
- "cn=John Doe,cn=contractors,dc=example,dc=com" is the Active Directory distinguished name (DN) of the user John Doe.
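As an added example that is not part of the original post or of Elasticsearch itself: a small Python script that parses a role mapping file with the shape shown above and works out which roles a given user DN and set of group DNs would receive. It assumes the simple role/DN-list layout used here and compares DNs case-insensitively with whitespace around separators ignored, which is a simplification of Elasticsearch's own DN normalization.

```python
import re

# Constructed copy of the my_ad_role_mapping.yml content shown in the post.
ROLE_MAPPING_YML = """\
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no spaces around ',' or '='.
    (Simplification of Elasticsearch's DN normalization, assumed here.)"""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_role_mapping(text: str) -> dict:
    """Parse the two-level YAML shape (role name -> list of DNs) into a dict."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if role is None:
                raise ValueError(f"DN entry before any role name: {raw!r}")
            mapping[role].append(normalize_dn(line[2:].strip().strip("\"'")))
        elif line.endswith(":"):
            role = line[:-1]
            mapping.setdefault(role, [])
        else:
            raise ValueError(f"unexpected line in role mapping: {raw!r}")
    return mapping

def resolve_roles(mapping: dict, user_dn: str, group_dns: list) -> set:
    """Roles whose DN list contains the user's own DN or any of the user's group DNs."""
    candidates = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return {role for role, dns in mapping.items() if candidates.intersection(dns)}

if __name__ == "__main__":
    m = parse_role_mapping(ROLE_MAPPING_YML)
    # An admins member gets both roles; John Doe, with no mapped groups, gets only "user".
    print(resolve_roles(m, "CN=Jane,CN=Users,DC=example,DC=com", ["CN=admins, DC=example, DC=com"]))
    print(resolve_roles(m, "cn=John Doe,cn=contractors,dc=example,dc=com", []))
```

Running it against a user's DN and the group DNs returned by AD is a quick way to check a mapping file before pointing the realm at it.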
Add the Windows account's password
sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
Then type the password and press Enter.
Run the following command to check that the password you just entered is correct.
sudo /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
Give the role mapping and cacert files the correct permissions
sudo chmod 755 /etc/elasticsearch/certs/cacert.crt
sudo chown elasticsearch /etc/elasticsearch/certs/cacert.crt
sudo chmod 755 /etc/elasticsearch/my_ad_role_mapping.yml
sudo chown elasticsearch /etc/elasticsearch/my_ad_role_mapping.yml
Restart Kibana and Elasticsearch
sudo systemctl restart kibana
sudo systemctl restart elasticsearch
Log in to Elasticsearch from the Kibana page
You can see that the login succeeded.