Securing Elasticsearch and Kibana with LDAP and Docker

Elasticsearch is a powerful NoSQL database and search engine built on the robust foundation of Lucene. X-Pack is an Elastic Stack extension that provides security, alerting, monitoring, reporting, machine learning, and many other capabilities. By default, when you install Elasticsearch, X-Pack is included. However, some of its features are not free, including LDAP authentication.

LDAP (Lightweight Directory Access Protocol) is a common way to ensure that only authorized individuals have access. It is also widely adopted in organizations and seamlessly integrates with Elasticsearch and Kibana, enhancing their security.

Let’s dive into how we can achieve this using the Readonlyrest plugin, which brings LDAP functionality without any additional cost.

Customizing Docker image for Elasticsearch

We can use the official Elasticsearch image as our base image and create a new image with the ReadonlyREST plugin installed.

This Dockerfile initializes an Elasticsearch container with version 8.5.1, utilizing the provided configuration files (elasticsearch.yml and readonlyrest.yml). It installs the ReadonlyREST plugin and applies a patch as the root user before switching back to the elasticsearch user.

Now, let's take a look at the configuration files for Elasticsearch and ReadonlyREST:

Elasticsearch Config file

For this example, we are using a single-node Elasticsearch setup and disabling xpack security since we're going to use ReadonlyREST for the same purpose.

ReadonlyREST Config file

In the ReadonlyREST config file, I've created two access control rules: one for basic authentication and another for LDAP authentication.

The ldap_authentication rule handles LDAP authentication exclusively using the configured LDAP connector (here, ldap1). For authorization and granting access to users based on LDAP groups or individual users, you'll need to configure the ldap_authorization rule. For more information regarding this, refer to the ReadonlyREST docs.

Customizing Docker image for Kibana

Just as we customized Elasticsearch, we need to customize Kibana as well. First, we'll install the ReadonlyREST plugin and then apply a patch

To ensure that Kibana successfully connects to Elasticsearch, we need to adjust some of the Kibana configurations using the kibana.yml file that we copied in the previous Dockerfile. The variables ${ES_VERSION}, ${KIBANA_USERNAME}, and ${KIBANA_PASSWORD} will be passed from environment variables

Integrating everything together with Docker compose

Now, we'll integrate Elasticsearch and Kibana together using Docker Compose. First, create two folders: elasticsearch and kibana, and place all the configuration files, Dockerfile, and .env file in their respective folders. Then, create a docker-compose.yml file in the root folder and add the following contents:

Ensure that you replace ${TEST_USERNAME} and ${TEST_PASSWORD} in the healthcheck section of the Dockerfile. Alternatively, you can dynamically pass them using an .env file while running the command: docker compose --env-file path/to/file up --build -d.

Conclusion

In conclusion, integrating LDAP authentication with Elasticsearch and Kibana using Docker, along with the ReadonlyREST plugin, provides a powerful security solution for organizations seeking to enhance access control and authentication mechanisms within their Elasticsearch and Kibana environments. By customizing Docker images for Elasticsearch and Kibana, you can install the ReadonlyREST plugin and configure LDAP settings to seamlessly integrate LDAP authentication. This plugin extends beyond LDAP and provides several features like SAML, HTTPS, etc. Overall, it's a great plugin to use.