diff --git a/_security-plugin/configuration/ldap.md b/_security-plugin/configuration/ldap.md index 398e350bed..83db52ddb8 100755 --- a/_security-plugin/configuration/ldap.md +++ b/_security-plugin/configuration/ldap.md @@ -426,12 +426,15 @@ If you don't use or have a role subtree, you can disable the role search complet rolesearch_enabled: false ``` +## Advanced settings -### (Advanced) Control LDAP user attributes +The advanced settings presented below are optional for an essential LDAP configuration. They can, however, improve efficiency, performance, and security for the LDAP implementation. + +### Control LDAP user attributes By default, the security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance. -Note that this setting is made in the authentication `authc` section of the config.yml file. +Note that this setting is made in the `authc` section of the config.yml file. Name | Description :--- | :--- @@ -455,8 +458,7 @@ authc: ... ``` - -### (Advanced) Exclude certain users from role lookup +### Exclude certain users from role lookup If you are using multiple authentication methods, it can make sense to exclude certain users from the LDAP role lookup. @@ -473,10 +475,9 @@ skip_users: - '/\S*/' ``` +### Exclude roles from nested role lookups -### (Advanced) Exclude roles from nested role lookups - -If the users in your LDAP installation have a large number of roles, and you have the requirement to resolve nested roles as well, you might run into performance issues. +If the users in your LDAP installation are mapped to a large number of roles and you have requirements to resolve nested roles, you might encounter performance issues. In most cases, however, not all user roles are related to OpenSearch and OpenSearch Dashboards. You might need only a couple of roles. In this case, you can use the nested role filter feature to define a list of roles that are filtered out from the list of the user's roles. Wildcards and regular expressions are supported. @@ -488,7 +489,6 @@ nested_role_filter: - ... ``` - ### Configuration summary Name | Description @@ -506,7 +506,6 @@ Name | Description `custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution. `custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36. - ### Complete authorization example ```yml @@ -540,9 +539,9 @@ authz: - '/\S*/' ``` -### (Advanced) Configuring multiple user and role bases +### Configuring multiple user and role bases -To configure multiple user bases in the authc and/or authz section, use the following syntax: +To configure multiple user bases in the `authc` or `authz` section, use the following syntax: ```yml ... @@ -641,3 +640,33 @@ authz: rolename: cn resolve_nested_roles: true ``` + +### Connection pooling settings + +OpenSearch can maintain a pool of connections at the ready, assigning them when needed and returning them to the pool after a connection is closed. This arrangement can lower demands on the resources used to create connections, improve OpenSearch performance, and reduce load on the server. You can use the settings below to control the way connection pooling is carried out. + +Name | Description +:--- | :--- +`pool.enabled` | Enables connection pooling. Set to `true` to enable. +`pool.min_size` | Size of the pool at initialization. Also used as a lower limit when pruning. +`pool.max_size` | Maximum size the pool can reach. +`pool.pruning_period` | The interval in minutes at which the pruning implementation is executed. For example: when 5, the implementation is executed every five minutes. By default, the period is 5. +`pool.idle_time` | The length of time elapsed, in minutes, after a connnection is considered idle. Once elapsed, the connection becomes a candidate for pruning from the pool. By default, idle time is 10. + +Connection pooling settings are added to the `authc` section of the configuration. + +```yml +authc: + ldap: + http_enabled: true + transport_enabled: true + authentication_backend: + type: ldap + config: + pool.enabled: true + pool.min_size: 5 + pool.max_size: 12 + pool.pruning_period: 5 + pool.idle_time: 15 +``` +