Free authentication integration of Kibana with LDAP using Apache Reverse Proxy and X-PACK enabled

Hamza Mourad
3 min read, Sep 20, 2020

What?

Free authentication integration of Kibana with LDAP

Why?

The Elastic Stack is great: with its free Basic subscription it covers many cases of data centralization, search and visualization. When it comes to sensitive data (or for whatever other reason), more security measures are needed, such as securing access to that data.

When?

Starting from Elastic 6.3, the X-PACK source code moved from a private to a public repository (https://www.elastic.co/what-is/open-x-pack). We can now benefit from the “Basic” X-PACK features such as security, alerting, monitoring, reporting, graph analytics, dedicated APM UIs, and machine learning (thanks, Elastic).

At this level we can create local users, groups and roles, and manage users’ access to indices, dashboards and so on, but managing local users in each application is not practical, especially when you have many users.

The solution is to rely on an external authentication system such as LDAP.

How?

To enable LDAP authentication in Elastic itself, we would need to upgrade the subscription from Basic to “Gold”, which keeps authentication and authorization at the same level, but that is not the objective of this article.

Alternatively, we are going to use the Apache web server, which supports LDAP-based authentication, as a reverse proxy in front of Kibana. This architecture presents several issues, some of which we are going to fix.

First, when you enable X-PACK together with the LDAP-authenticating reverse proxy, users face two login forms: the Apache basic authentication prompt, then the Elastic local-user login form. On the other hand, disabling X-PACK removes authorization management inside the Elastic Stack, so all LDAP users end up with the same (admin) rights.

We are therefore going to keep X-PACK enabled and automate the login to Kibana by forwarding a basic Authorization header to it. That alone breaks the link between authentication and authorization inside the Elastic Stack, so we also need a strategy to carry each user’s authorization through: create users in Elastic with the same user ID as in LDAP and one shared password for all of them, so that Apache can take the authenticated user from its variable, add the shared password to it and build the header. Below is an architecture that summarizes this strategy.

Below is the configuration to do:

On Elasticsearch nodes, make sure X-PACK is enabled (elasticsearch.yml)

Generate passwords for the Elastic Stack system users if not done yet

Make sure Kibana can connect to Elasticsearch

On Apache reverse proxy (httpd 2.4.10)
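The following virtual host is an added example of the strategy described above, not the article’s own gist: Apache authenticates the user against LDAP, then rebuilds the Authorization header for Kibana from the authenticated user ID plus the single shared Elastic password. It assumes httpd 2.4 with mod_ssl, mod_proxy_http, mod_authnz_ldap, mod_headers and mod_ldap loaded, Kibana on 127.0.0.1:5601, and the hypothetical names kibana.example.internal, ldap.example.internal and the placeholder passwords shown; the header is built with the mod_headers expr base64 function rather than the RewriteCond/E-flag route the references point at.

```apache
# Added example (not the article's code). Hostnames, DNs and the
# *_PLACEHOLDER values are assumptions to replace with your own.
<VirtualHost *:443>
    ServerName kibana.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/kibana.crt
    SSLCertificateKeyFile /etc/pki/tls/private/kibana.key

    # ldaps:// requires the CA to be trusted at server level:
    # LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.crt

    <Location "/">
        # 1. Apache authenticates the browser against LDAP (basic auth prompt)
        AuthType Basic
        AuthName "Kibana (LDAP)"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=kibana-bind,ou=services,dc=example,dc=internal"
        AuthLDAPBindPassword "BIND_PASSWORD_PLACEHOLDER"
        # Only members of one LDAP group may reach Kibana at all
        Require ldap-group cn=kibana-users,ou=groups,dc=example,dc=internal

        # 2. Replace the user's LDAP credential with the one Kibana expects:
        #    same user ID as in LDAP + the one shared Elastic password.
        #    REMOTE_USER is set by the auth phase, so the late (default)
        #    RequestHeader pass sees it; Kibana maps the user to its X-PACK roles.
        RequestHeader set Authorization "expr=Basic %{base64:%{REMOTE_USER}:SHARED_ELASTIC_PASSWORD_PLACEHOLDER}"

        # 3. Proxy to Kibana
        ProxyPreserveHost On
        ProxyPass        "http://127.0.0.1:5601/"
        ProxyPassReverse "http://127.0.0.1:5601/"
    </Location>
</VirtualHost>
```

Because every Elastic user shares one password, keep Kibana bound to localhost (or a firewalled interface) so that the only path to it is through this proxy.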

Conclusion

There are at least a few disadvantages that I notice with this solution, like the Apache basic authentication that is saved in the browser cache, which makes the authentication process unstable due to users’ password changes on the LDAP. Another thing: I was not able to handle the logout event, even if I caught /logout and did a RequestHeader unset Authorization, because of the browser cache that keeps users connected. Finally, I switched to a configuration with OIDC using Keycloak, with which I resolved those issues; this is treated in my next article: https://mourad-hamza.medium.com/free-authentication-integration-of-kibana-with-oidc-and-ldap-using-keykloak-apache-reverse-proxy-946a9b652d84?sk=6965cb052defc042415083bdb5d5a3f7

References

https://discuss.elastic.co/t/kibana-default-basic-auth/86045/2

https://stackoverflow.com/questions/567814/apache2-reverse-proxy-to-an-end-point-that-requires-basicauth-but-want-to-hide-t

http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewritecond

http://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_e

https://serverfault.com/questions/647591/apache-as-authentication-proxy

https://stackoverflow.com/questions/21032461/how-to-base64-encode-apache-header

https://httpd.apache.org/docs/2.4/fr/mod/mod_log_config.html
