From e0aa9107e3c87d30f8ca2b99faddc352c889413a Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Mon, 18 Nov 2019 13:29:51 -0800 Subject: [PATCH] [DOCS] Merges duplicate pages for LDAP realms (#49203) --- docs/reference/redirects.asciidoc | 20 +++++++++ .../configuring-ldap-realm.asciidoc | 14 ++---- .../authentication/ldap-realm.asciidoc | 44 +++++++------------ .../authorization/run-as-privilege.asciidoc | 2 +- .../docs/en/security/configuring-es.asciidoc | 3 +- .../securing-communications/tls-ldap.asciidoc | 2 +- .../docs/en/security/troubleshooting.asciidoc | 2 +- 7 files changed, 43 insertions(+), 44 deletions(-) diff --git a/docs/reference/redirects.asciidoc b/docs/reference/redirects.asciidoc index 24b6001a2c7c..518909722e61 100644 --- a/docs/reference/redirects.asciidoc +++ b/docs/reference/redirects.asciidoc @@ -975,3 +975,23 @@ See <>. === Configuring a file realm See <>. + +[role="exclude",id="ldap-user-search"] +=== User search mode and user DN templates mode + +See <>. + +[role="exclude",id="configuring-ldap-realm"] +=== Configuring an LDAP realm + +See <>. + +[role="exclude",id="ldap-settings"] +=== LDAP realm settings + +See <>. + +[role="exclude",id="ldap-ssl"] +=== Setting up SSL between Elasticsearch and LDAP + +See <>. diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc index 5bc3f960633d..6dc67e4acdc7 100644 --- a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc 
@@ -1,13 +1,5 @@ -[role="xpack"] -[[configuring-ldap-realm]] -=== Configuring an LDAP realm - -You can configure {es} to authenticate users by communicating with a Lightweight -Directory Access Protocol (LDAP) server. To integrate with LDAP, you configure -an `ldap` realm and map LDAP groups to user roles. - -For more information about LDAP realms, see -<>. +To integrate with LDAP, you configure an `ldap` realm and map LDAP groups to +user roles. . Determine which mode you want to use. The `ldap` realm supports two modes of operation, a user search mode and a mode with specific templates for user DNs. @@ -217,3 +209,5 @@ xpack: metadata: cn -------------------------------------------------- -- + +. Set up SSL to encrypt communications between {es} and LDAP. See <>. \ No newline at end of file diff --git a/x-pack/docs/en/security/authentication/ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/ldap-realm.asciidoc index 7c435d852a1a..1a48229236c2 100644 --- a/x-pack/docs/en/security/authentication/ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/ldap-realm.asciidoc @@ -3,9 +3,8 @@ === LDAP user authentication You can configure the {stack} {security-features} to communicate with a -Lightweight Directory Access Protocol (LDAP) server to authenticate users. To -integrate with LDAP, you configure an `ldap` realm and map LDAP groups to user -roles in the <>. +Lightweight Directory Access Protocol (LDAP) server to authenticate users. See +<>. LDAP stores users and groups hierarchically, similar to the way folders are grouped in a file system. An LDAP directory's hierarchy is built from containers 
@@ -20,25 +19,6 @@ for example `"cn=admin,dc=example,dc=com"` (white spaces are ignored). The `ldap` realm supports two modes of operation, a user search mode and a mode with specific templates for user DNs. -[[ldap-user-search]] -==== User search mode and user DN templates mode - -See <>. - -[[ldap-load-balancing]] -==== Load balancing and failover -The `load_balance.type` setting can be used at the realm level to configure how -the {security-features} should interact with multiple LDAP servers. The -{security-features} support both failover and load balancing modes of operation. - -See -<>. - -[[ldap-settings]] -==== LDAP realm settings - -See <>. - [[mapping-roles-ldap]] ==== Mapping LDAP groups to roles @@ -52,12 +32,16 @@ supports the notion of groups, which often represent user roles for different systems in the organization. The `ldap` realm enables you to map LDAP users to roles via their LDAP -groups, or other metadata. This role mapping can be configured via the +groups or other metadata. This role mapping can be configured via the <> or by using a file stored on each node. When a user authenticates with LDAP, the privileges for that user are the union of all privileges defined by the roles to which -the user is mapped. For more information, see -<>. +the user is mapped. + +[[ldap-realm-configuration]] +==== Configuring an LDAP realm + +include::configuring-ldap-realm.asciidoc[] [[ldap-user-metadata]] ==== User metadata in LDAP realms @@ -81,8 +65,10 @@ the `metadata` setting on the LDAP realm. This metadata is available for use with the <> or in <>. -[[ldap-ssl]] -==== Setting up SSL between Elasticsearch and LDAP +[[ldap-load-balancing]] +==== Load balancing and failover +The `load_balance.type` setting can be used at the realm level to configure how +the {security-features} should interact with multiple LDAP servers. The +{security-features} support both failover and load balancing modes of operation. -See -<>. +See <>. 
diff --git a/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc b/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc index dfc7a57939af..05b63aab8842 100644 --- a/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc +++ b/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc @@ -11,7 +11,7 @@ users, you can use the _run as_ mechanism to restrict data access according to To "run as" (impersonate) another user, you must be able to retrieve the user from the realm you use to authenticate. Both the internal `native` and `file` realms support this out of the box. The LDAP realm must be configured to run in -<>. The Active Directory realm must be +<>. The Active Directory realm must be <> to support _run as_. The PKI, Kerberos, and SAML realms do not support _run as_. diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc index a34b271311f2..cfd8ff9dcc92 100644 --- a/x-pack/docs/en/security/configuring-es.asciidoc +++ b/x-pack/docs/en/security/configuring-es.asciidoc @@ -75,7 +75,7 @@ your subscription. For more information, see https://www.elastic.co/subscription ** <> ** <> ** <> -** <> +** <> ** <> ** <> ** <> @@ -144,7 +144,6 @@ include::securing-communications/configuring-tls-docker.asciidoc[] include::securing-communications/enabling-cipher-suites.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[] -include::authentication/configuring-ldap-realm.asciidoc[] include::authentication/configuring-pki-realm.asciidoc[] include::authentication/configuring-kerberos-realm.asciidoc[] diff --git a/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc index 30b786b8e4c1..16e9006908b0 100644 --- a/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc 
@@ -10,7 +10,7 @@ contents of the connection are encrypted. Clients and nodes that connect via TLS to the LDAP server need to have the LDAP server's certificate or the server's root CA certificate installed in their keystore or truststore. -For more information, see <>. +For more information, see <>. . Configure the realm's TLS settings on each node to trust certificates signed by the CA that signed your LDAP server certificates. The following example diff --git a/x-pack/docs/en/security/troubleshooting.asciidoc b/x-pack/docs/en/security/troubleshooting.asciidoc index 84aa25bc16cf..66445b49c940 100644 --- a/x-pack/docs/en/security/troubleshooting.asciidoc +++ b/x-pack/docs/en/security/troubleshooting.asciidoc @@ -92,7 +92,7 @@ this error. Groups are located by either an LDAP search or by the "memberOf" attribute on the user. Also, If subtree search is turned off, it will search only one -level deep. For all the options, see <>. +level deep. For all the options, see <>. There are many options here and sticking to the defaults will not work for all scenarios.
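Review bot: in the first hunk of configuring-ldap-realm.asciidoc, dropping the `[role="xpack"]` line, the `[[configuring-ldap-realm]]` anchor and the title leaves a file that opens with "To integrate with LDAP, you configure an `ldap` realm ..." and only reads correctly when pulled in by another page. Add a one-line AsciiDoc comment at the top stating that it is an include-only fragment and naming ldap-realm.asciidoc as the page that includes it, so nobody later includes it a second time or expects it to carry its own anchor.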
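Review bot: the step added at the end of configuring-ldap-realm.asciidoc leaves the file without a trailing newline (the "\ No newline at end of file" marker follows it). The file is now consumed through `include::configuring-ldap-realm.asciidoc[]`, so end it with a newline to keep the last list item from running into whatever follows the include. The step also says "SSL" while tls-ldap.asciidoc, touched in the same patch, talks about connecting "via TLS"; using "TLS" here would keep the terms consistent. Since this is the step that encrypts the connection between {es} and the directory, consider wording it as a requirement of the procedure rather than a closing pointer.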
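Review bot: in ldap-realm.asciidoc, the new `include::configuring-ldap-realm.asciidoc[]` under `==== Configuring an LDAP realm` brings in a first step that repeats, word for word, a sentence this page already has above the role-mapping section: "The `ldap` realm supports two modes of operation, a user search mode and a mode with specific templates for user DNs." After the merge both copies render on the same page. Drop the sentence from one of the two places, preferably keeping it in the step that asks the reader to choose a mode.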