Add connection pooling settings to LDAP documentation (opensearch-project#1698)

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

* fix#1583-pooling-settings

Signed-off-by: cwillum <[email protected]>

Signed-off-by: cwillum <[email protected]>
cwillum authored Oct 28, 2022
1 parent 4f783a6 commit 23d38ab
Showing 1 changed file with 40 additions and 11 deletions.
51 changes: 40 additions & 11 deletions _security-plugin/configuration/ldap.md
Expand Up @@ -426,12 +426,15 @@ If you don't use or have a role subtree, you can disable the role search complet
rolesearch_enabled: false
```

## Advanced settings

### (Advanced) Control LDAP user attributes
The advanced settings presented below are optional for an essential LDAP configuration. They can, however, improve efficiency, performance, and security for the LDAP implementation.

### Control LDAP user attributes

By default, the security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance.

Note that this setting is made in the authentication `authc` section of the config.yml file.
Note that this setting is made in the `authc` section of the config.yml file.

Name | Description
:--- | :---
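Review bot: In the new intro paragraph ("The advanced settings presented below are optional for an essential LDAP configuration"), "essential" reads as if the settings themselves are essential; "a basic LDAP configuration" or "a minimal LDAP configuration" says what is meant. In the same sentence, "efficiency, performance, and security" can drop one of the two near-synonyms. The `authc` wording change a few lines down is a good simplification.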
Expand All @@ -455,8 +458,7 @@ authc:
...
```


### (Advanced) Exclude certain users from role lookup
### Exclude certain users from role lookup

If you are using multiple authentication methods, it can make sense to exclude certain users from the LDAP role lookup.

Expand All @@ -473,10 +475,9 @@ skip_users:
- '/\S*/'
```

### Exclude roles from nested role lookups

### (Advanced) Exclude roles from nested role lookups

If the users in your LDAP installation have a large number of roles, and you have the requirement to resolve nested roles as well, you might run into performance issues.
If the users in your LDAP installation are mapped to a large number of roles and you have requirements to resolve nested roles, you might encounter performance issues.

In most cases, however, not all user roles are related to OpenSearch and OpenSearch Dashboards. You might need only a couple of roles. In this case, you can use the nested role filter feature to define a list of roles that are filtered out from the list of the user's roles. Wildcards and regular expressions are supported.
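Review bot: The reworded sentence "and you have requirements to resolve nested roles" is stiffer than the original "and you have the requirement to resolve nested roles as well"; suggest "and you also need to resolve nested roles". Dropping the "(Advanced)" prefix from the heading is consistent with the other sections touched in this change.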

Expand All @@ -488,7 +489,6 @@ nested_role_filter:
- ...
```


### Configuration summary

Name | Description
Expand All @@ -506,7 +506,6 @@ Name | Description
`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
`custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.


### Complete authorization example

```yml
Expand Down Expand Up @@ -540,9 +539,9 @@ authz:
- '/\S*/'
```

### (Advanced) Configuring multiple user and role bases
### Configuring multiple user and role bases

To configure multiple user bases in the authc and/or authz section, use the following syntax:
To configure multiple user bases in the `authc` or `authz` section, use the following syntax:

```yml
...
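Review bot: Replacing "authc and/or authz" with "`authc` or `authz`" narrows the meaning: the original says the syntax applies in both sections, possibly at the same time, and "or" can be read as one or the other. Suggest "`authc` and/or `authz`" or "in the `authc` section, the `authz` section, or both".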
Expand Down Expand Up @@ -641,3 +640,33 @@ authz:
rolename: cn
resolve_nested_roles: true
```

### Connection pooling settings

OpenSearch can maintain a pool of connections at the ready, assigning them when needed and returning them to the pool after a connection is closed. This arrangement can lower demands on the resources used to create connections, improve OpenSearch performance, and reduce load on the server. You can use the settings below to control the way connection pooling is carried out.

Name | Description
:--- | :---
`pool.enabled` | Enables connection pooling. Set to `true` to enable.
`pool.min_size` | Size of the pool at initialization. Also used as a lower limit when pruning.
`pool.max_size` | Maximum size the pool can reach.
`pool.pruning_period` | The interval in minutes at which the pruning implementation is executed. For example: when 5, the implementation is executed every five minutes. By default, the period is 5.
`pool.idle_time` | The length of time elapsed, in minutes, after a connnection is considered idle. Once elapsed, the connection becomes a candidate for pruning from the pool. By default, idle time is 10.

Connection pooling settings are added to the `authc` section of the configuration.

```yml
authc:
ldap:
http_enabled: true
transport_enabled: true
authentication_backend:
type: ldap
config:
pool.enabled: true
pool.min_size: 5
pool.max_size: 12
pool.pruning_period: 5
pool.idle_time: 15
```
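Review bot: The opening sentence of the new section says connections are returned to the pool "after a connection is closed", which contradicts what pooling does (a closed connection cannot be reused); suggest "returned to the pool when the caller is finished with them", and name the server whose load is reduced (the LDAP server). Also in this hunk: "connnection" in the `pool.idle_time` row has a triple n, and that sentence should read "The length of time, in minutes, after which a connection is considered idle"; the table states defaults for `pool.pruning_period` and `pool.idle_time` but none for `pool.enabled`, `pool.min_size` or `pool.max_size`, so either state them or say the values are required; and the YAML example omits the rest of the LDAP backend settings that the other examples on this page mark with `...`, so add that marker so readers do not take the snippet for a complete backend configuration. A sentence noting that `pool.max_size` should be chosen with the LDAP server's connection limits in mind would also help, since the pool keeps up to that many connections open to the directory.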
