Configuring Elasticsearch to log in with a Windows account (AD)


References:
• https://www.elastic.co/guide/en/elasticsearch/reference/current/active-directory-realm.html
• https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ref-ad-settings
• https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-keystore.html

Edit the Elasticsearch configuration file

sudo vi /etc/elasticsearch/elasticsearch.yml

Add the following configuration

xpack.security.authc.realms:
  native:
    native1:
      order: 1
  active_directory:
    my_ad:
      order: 0
      domain_name: domain
      url: ldaps://domain:port
      load_balance:
        type: "round_robin"
      bind_dn: "username@domain"
      ssl:
        certificate_authorities: [ "/etc/elasticsearch/certs/cacert.crt" ]
      user_search:
        base_dn: "DC=your_dc,DC=your_dc"
        filter: "(&(objectClass=user)(sAMAccountName={0}))"
      files:
        role_mapping: "/etc/elasticsearch/my_ad_role_mapping.yml"
      metadata:
        - cn
        - mail
        - displayName

Replace domain with your domain name.
Replace ldaps://domain:port with the address and port of your LDAP server.
Replace cacert.crt with the server's CA certificate.
Replace your_dc with your DC.

Create the role mapping file

Within a mapping definition, you specify groups using their distinguished names. For example, the following mapping configuration maps the Active Directory admins group to both the monitoring and user roles, maps the users group to the user role and maps the John Doe user to the user role.

monitoring: 
  - "cn=admins,dc=example,dc=com" 
user:
  - "cn=users,dc=example,dc=com" 
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com" 

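• monitoring, user: the name of the role.
• "cn=admins,dc=example,dc=com": the Active Directory distinguished name (DN) of the admins group.
• "cn=users,dc=example,dc=com": the Active Directory distinguished name (DN) of the users group.
• "cn=John Doe,cn=contractors,dc=example,dc=com": the Active Directory distinguished name (DN) of the user John Doe.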
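The following is an added example, not code from the original page or from Elastic: it reads a mapping file in the layout shown above and computes which roles a user receives from their own DN and their group DNs. It assumes DNs are compared case-insensitively with whitespace around each component ignored, and it does not handle escaped commas; an empty result means the account can authenticate against AD but is granted no roles.

```python
# Added example. Parses only the simple layout shown above (role: / - "DN"), not general YAML.
# Constructed sample: the mapping from this page.
SAMPLE_MAPPING = """\
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around each RDN (simplified: no escaped commas)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def parse_role_mapping(text):
    """Return {role_name: set of normalized DNs}."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if role is None:
                raise ValueError("DN listed before any role name: " + line)
            mapping[role].add(normalize_dn(line[2:].strip().strip("\"'")))
        elif line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, set())
        else:
            raise ValueError("unrecognized line: " + line)
    return mapping


def resolve_roles(mapping, user_dn, group_dns):
    """Roles granted when the user's own DN or any of their group DNs is listed."""
    dns = {normalize_dn(d) for d in [user_dn, *group_dns]}
    return sorted(role for role, listed in mapping.items() if listed & dns)


if __name__ == "__main__":
    m = parse_role_mapping(SAMPLE_MAPPING)
    print(resolve_roles(m, "CN=Alice,DC=example,DC=com", ["CN=Admins,DC=Example,DC=Com"]))
```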

Add the Windows account's password

sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password

Then type the password and press Enter.
Run the following command to check that the password you just entered is correct.

sudo /usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.authc.realms.active_directory.my_ad.secure_bind_password

Give the role mapping and cacert files the correct permissions

sudo chmod 755 /etc/elasticsearch/certs/cacert.crt
sudo chown elasticsearch /etc/elasticsearch/certs/cacert.crt
sudo chmod 755 /etc/elasticsearch/my_ad_role_mapping.yml
sudo chown elasticsearch /etc/elasticsearch/my_ad_role_mapping.yml

Restart Kibana and Elasticsearch

sudo systemctl restart kibana
sudo systemctl restart elasticsearch

Log in to Elasticsearch from the Kibana page

You can see that the login succeeded.
