When you configure your Firebox to authenticate users with your Active Directory server, you add a comma-delimited search base. The search base is the place the search starts in the Active Directory hierarchical structure for user account entries. This can help to make the authentication procedure faster. Before you begin, you must have an operational Active Directory server that contains account information for all users for whom you want to configure authentication on the Firebox. From your Active Directory server:
Domain name components have the format dc=domain name component, are appended to the end of the search base string, and are also comma-delimited. For each level in your domain name, you must include a separate domain name component in your Active Directory search base. For example, if your domain name is prefix.example.com, the domain name components in your search base are:

dc=prefix,dc=example,dc=com

To make sure that the Active Directory search can find any user object in your domain, specify the root of the domain. For example, if your domain name is kunstlerandsons.com, and you want the Active Directory search to find any user object in the entire domain, the search base string to add is:

dc=kunstlerandsons,dc=com

To limit the search to begin in a container beneath the root of the domain, you must specify the fully-qualified name of the container in comma-delimited form. Start with the name of the base container and progress to the root of the domain. For example, assume your domain in the tree looks like this after you expand it:
Also assume that you want the Active Directory search to begin in the Sales container that appears in the example. This enables the search to find any user object inside the Sales container, and inside any containers in the Sales container. The search base string to add in the Firebox configuration is:

ou=sales,ou=accounts,dc=kunstlerandsons,dc=com

The search string is not case-sensitive. When you type your search string, you can use either uppercase or lowercase letters. Make sure that a comma separates each component in the search base, without spaces between the components. This search does not find user objects inside the Development or Admins containers, or inside the Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, or Users containers.

DN of Searching User and Password of Searching User Fields

You must complete these fields only if you select an option for the Login Attribute that is different from the default value, sAMAccountName. Most organizations that use Active Directory do not change this. When you leave this field at the default sAMAccountName value, users supply their usual Active Directory login names as their user names when they authenticate. This is the name you see in the User logon name text box on the Account tab when you edit the user account in Active Directory Users and Computers. If you use a different value for the Login Attribute, a user who tries to authenticate gives a different form of the user name. In this case, you must add Searching User credentials to your Firebox configuration.
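As an added example (not WatchGuard's code), this Python helper builds a search base from a domain name and a container path as described above, checks the comma-delimited format, and tests whether a given user DN would be found by a search starting at that base. The user names in it are constructed.

```python
from typing import List, Optional

def domain_components(domain: str) -> List[str]:
    """'prefix.example.com' -> ['dc=prefix', 'dc=example', 'dc=com']."""
    return [f"dc={label}" for label in domain.strip(".").split(".") if label]

def build_search_base(domain: str, containers: Optional[List[str]] = None) -> str:
    """Containers are listed innermost first, e.g. ["Sales", "Accounts"], and the
    domain components follow. Output is lowercase, comma-delimited, no spaces."""
    parts = [f"ou={c}" for c in (containers or [])] + domain_components(domain)
    return ",".join(parts).lower()

def split_dn(dn: str) -> List[str]:
    """Split a DN into lowercased, trimmed RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def check_search_base(base: str) -> List[str]:
    """Return the formatting problems in a search base string; [] means OK."""
    problems = []
    if " " in base:
        problems.append("contains spaces; separate components with commas only")
    rdns = base.split(",")
    if any("=" not in r or r.split("=", 1)[0].strip().lower() not in ("dc", "ou", "cn")
           for r in rdns):
        problems.append("every component must be dc=..., ou=... or cn=...")
    if not rdns[-1].strip().lower().startswith("dc="):
        problems.append("must end with the domain components (dc=...)")
    return problems

def is_under_search_base(user_dn: str, base: str) -> bool:
    """True when a search starting at `base` would find `user_dn`: the user sits
    in the base container itself or in any container beneath it."""
    u, b = split_dn(user_dn), split_dn(base)
    return len(u) > len(b) and u[-len(b):] == b

if __name__ == "__main__":
    base = build_search_base("kunstlerandsons.com", ["Sales", "Accounts"])
    print(base, check_search_base(base))
    # Constructed users: Ann is under Sales, Bob is under Development.
    print(is_under_search_base("CN=Ann,OU=Sales,OU=Accounts,DC=kunstlerandsons,DC=com", base))
    print(is_under_search_base("CN=Bob,OU=Development,OU=Accounts,DC=kunstlerandsons,DC=com", base))
```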
You can configure Elastic Stack security features to communicate with Active Directory to authenticate users. See Configuring an Active Directory realm.

The security features use LDAP to communicate with Active Directory, so active_directory realms are similar to ldap realms. Like LDAP directories, Active Directory stores users and groups hierarchically. The directory's hierarchy is built from containers such as the organizational unit (ou), organization (o), and domain component (dc).

The path to an entry is a Distinguished Name (DN) that uniquely identifies a user or group. User and group names typically have attributes such as a common name (cn) or unique ID (uid). A DN is specified as a string, for example "cn=admin,dc=example,dc=com" (white space is ignored).

The security features support only Active Directory security groups. You cannot map distribution groups to roles.
When you use Active Directory for authentication, the username entered by the user is expected to match the sAMAccountName or userPrincipalName, not the common name. The Active Directory realm authenticates users using an LDAP bind request. After authenticating the user, the realm then searches to find the user’s entry in Active Directory. Once the user has been found, the Active Directory realm then retrieves the user’s group memberships from the tokenGroups attribute on the user’s entry in Active Directory.
To integrate with Active Directory, you configure an active_directory realm and map Active Directory users and groups to roles in the role mapping file.
When a user is authenticated via an Active Directory realm, the following properties are populated in the user’s metadata: This metadata is returned in the authenticate API and can be used with templated queries in roles. Additional metadata can be extracted from the Active Directory server by configuring the metadata setting on the Active Directory realm.
The load_balance.type setting can be used at the realm level to configure how the security features should interact with multiple Active Directory servers. Two modes of operation are supported: failover and load balancing. See Load balancing and failover.
To protect the user credentials that are sent for authentication, it’s highly recommended to encrypt communications between Elasticsearch and your Active Directory server. Connecting via SSL/TLS ensures that the identity of the Active Directory server is authenticated before Elasticsearch transmits the user credentials and the usernames and passwords are encrypted in transit. Clients and nodes that connect via SSL/TLS to the Active Directory server need to have the Active Directory server’s certificate or the server’s root CA certificate installed in their keystore or truststore.
By default, when you configure Elasticsearch to connect to Active Directory using SSL/TLS, it attempts to verify the hostname or IP address specified with the url attribute in the realm configuration with the values in the certificate. If the values in the certificate and realm configuration do not match, Elasticsearch does not allow a connection to the Active Directory server. This is done to protect against man-in-the-middle attacks. If necessary, you can disable this behavior by setting the ssl.verification_mode property to certificate.
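As an added example, not Elastic's own code, the following script audits the active_directory realm settings in an elasticsearch.yml fragment for the two points above: a url that is not ldaps:// and a relaxed ssl.verification_mode. The setting keys are Elasticsearch's real ones; the realm names, hosts and CA path are constructed.

```python
import re
from typing import Dict, List

REALM_KEY = re.compile(r"^xpack\.security\.authc\.realms\.active_directory\.([^.]+)\.(.+)$")

def parse_realms(yaml_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse flat 'key: value' lines into {realm_name: {setting: [values]}}.
    Simplified: flat dotted keys only; flow lists and comma lists are split."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        match = REALM_KEY.match(key)
        if not match:
            continue
        values = [v.strip().strip("\"'") for v in value.strip("[]").split(",") if v.strip()]
        realms.setdefault(match.group(1), {})[match.group(2)] = values
    return realms

def audit_realm(settings: Dict[str, List[str]]) -> List[str]:
    """Findings for one realm; an empty list means the transport settings are sound."""
    findings = []
    for url in settings.get("url", []):
        if not url.lower().startswith("ldaps://"):
            findings.append(f"{url}: not ldaps://, bind credentials are sent in cleartext")
    # Elasticsearch verifies the hostname by default (verification_mode full).
    mode = settings.get("ssl.verification_mode", ["full"])[0].lower()
    if mode == "certificate":
        findings.append("ssl.verification_mode=certificate: hostname not checked against the certificate")
    elif mode == "none":
        findings.append("ssl.verification_mode=none: server certificate not verified at all")
    return findings

def audit(yaml_text: str) -> Dict[str, List[str]]:
    return {name: audit_realm(s) for name, s in parse_realms(yaml_text).items()}

# Constructed elasticsearch.yml fragment: one hardened realm and one weak one.
SAMPLE = """
xpack.security.authc.realms.active_directory.ad_prod.domain_name: kunstlerandsons.com
xpack.security.authc.realms.active_directory.ad_prod.url: ["ldaps://dc1.kunstlerandsons.com:636", "ldaps://dc2.kunstlerandsons.com:636"]
xpack.security.authc.realms.active_directory.ad_prod.load_balance.type: failover
xpack.security.authc.realms.active_directory.ad_prod.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ad-root-ca.crt"]
xpack.security.authc.realms.active_directory.ad_lab.domain_name: lab.example.com
xpack.security.authc.realms.active_directory.ad_lab.url: ldap://dc.lab.example.com:389
xpack.security.authc.realms.active_directory.ad_lab.ssl.verification_mode: certificate
"""
```

Running `audit(SAMPLE)` reports nothing for ad_prod and two findings for ad_lab, one per weakness.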