Revert "Add connection pooling settings to LDAP documentation" #1762

Merged
merged 1 commit into from
Oct 28, 2022
51 changes: 11 additions & 40 deletions _security-plugin/configuration/ldap.md
Expand Up @@ -426,15 +426,12 @@ If you don't use or have a role subtree, you can disable the role search complet
rolesearch_enabled: false
```

## Advanced settings

The advanced settings presented below are optional for an essential LDAP configuration. They can, however, improve efficiency, performance, and security for the LDAP implementation.

### Control LDAP user attributes
### (Advanced) Control LDAP user attributes

By default, the security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance.

Note that this setting is made in the `authc` section of the config.yml file.
Note that this setting is made in the authentication `authc` section of the config.yml file.

Name | Description
:--- | :---
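Review bot: this revert backs out editorial changes that have nothing to do with connection pooling: the `## Advanced settings` umbrella heading and its introduction ("The advanced settings presented below are optional for an essential LDAP configuration...") are dropped, the `### (Advanced)` heading prefixes return, and "the `authc` section of the config.yml file" becomes "the authentication `authc` section of the config.yml file". If the intent is only to remove the pooling documentation, either restrict the revert to that section or re-land the structural and wording improvements in a follow-up so they are not lost.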
Expand All @@ -458,7 +455,8 @@ authc:
...
```

### Exclude certain users from role lookup

### (Advanced) Exclude certain users from role lookup

If you are using multiple authentication methods, it can make sense to exclude certain users from the LDAP role lookup.

Expand All @@ -475,9 +473,10 @@ skip_users:
- '/\S*/'
```

### Exclude roles from nested role lookups

If the users in your LDAP installation are mapped to a large number of roles and you have requirements to resolve nested roles, you might encounter performance issues.
### (Advanced) Exclude roles from nested role lookups

If the users in your LDAP installation have a large number of roles, and you have the requirement to resolve nested roles as well, you might run into performance issues.

In most cases, however, not all user roles are related to OpenSearch and OpenSearch Dashboards. You might need only a couple of roles. In this case, you can use the nested role filter feature to define a list of roles that are filtered out from the list of the user's roles. Wildcards and regular expressions are supported.

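Review bot: the reinstated sentence "If the users in your LDAP installation have a large number of roles, and you have the requirement to resolve nested roles as well, you might run into performance issues." is the wordier form of the sentence being removed ("...are mapped to a large number of roles and you have requirements to resolve nested roles, you might encounter performance issues."); this wording fix is unrelated to pooling, so keep the tightened version.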
Expand All @@ -489,6 +488,7 @@ nested_role_filter:
- ...
```


### Configuration summary

Name | Description
Expand All @@ -506,6 +506,7 @@ Name | Description
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.


### Complete authorization example

```yml
Expand Down Expand Up @@ -539,9 +540,9 @@ authz:
- '/\S*/'
```

### Configuring multiple user and role bases
### (Advanced) Configuring multiple user and role bases

To configure multiple user bases in the `authc` or `authz` section, use the following syntax:
To configure multiple user bases in the authc and/or authz section, use the following syntax:

```yml
...
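Review bot: "the authc and/or authz section" is looser than the line being removed, "the `authc` or `authz` section"; "and/or" is ambiguous here and the backticks correctly mark `authc` and `authz` as YAML keys. This change is unrelated to pooling, so keep the removed phrasing.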
Expand Down Expand Up @@ -640,33 +641,3 @@ authz:
rolename: cn
resolve_nested_roles: true
```

### Connection pooling settings

OpenSearch can maintain a pool of connections at the ready, assigning them when needed and returning them to the pool after a connection is closed. This arrangement can lower demands on the resources used to create connections, improve OpenSearch performance, and reduce load on the server. You can use the settings below to control the way connection pooling is carried out.

Name | Description
:--- | :---
`pool.enabled` | Enables connection pooling. Set to `true` to enable.
`pool.min_size` | Size of the pool at initialization. Also used as a lower limit when pruning.
`pool.max_size` | Maximum size the pool can reach.
`pool.pruning_period` | The interval in minutes at which the pruning implementation is executed. For example: when 5, the implementation is executed every five minutes. By default, the period is 5.
`pool.idle_time` | The length of time elapsed, in minutes, after a connnection is considered idle. Once elapsed, the connection becomes a candidate for pruning from the pool. By default, idle time is 10.

Connection pooling settings are added to the `authc` section of the configuration.

```yml
authc:
ldap:
http_enabled: true
transport_enabled: true
authentication_backend:
type: ldap
config:
pool.enabled: true
pool.min_size: 5
pool.max_size: 12
pool.pruning_period: 5
pool.idle_time: 15
```
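Review bot: the whole `### Connection pooling settings` section is deleted, but nothing in this PR records why (for example, whether `pool.enabled`, `pool.min_size`, `pool.max_size`, `pool.pruning_period` and `pool.idle_time` are not actually honoured by the plugin's LDAP backend). State the reason in the PR description so the settings are not re-added from memory. If the section is later re-landed, fix the `connnection` typo, and reword the `pool.idle_time` description: as written, "The length of time elapsed, in minutes, after a connnection is considered idle" describes time after a connection is already idle, while the following sentence implies it is the time a connection must sit unused before it becomes a pruning candidate. The example's `pool.idle_time: 15` also differs from the stated default of 10 without saying so.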