Only Kibana LDAP Authentication

Hello,
we are trying to get LDAP authentication for Kibana.
Now I came across Readonlyrest; with its basic version this should be possible.
In my research it was described that the Kibana Readonly plugin and on the ElasticSearch servers the ElasticSearch Readonly plugin should be installed.

Now the following question arises for me.
I just want to get LDAP Authentication working for Kibana.
Do I still need to install the ElasticSearch plugins on all ElasticSearch servers, or is it enough in ElasticStack to just install the Kibana plugin on the Kibana node?

Here is my Kibana.yml so far. Is there anything else that needs to be customized for this?

server.port: …
server.host: "…"
elasticsearch.hosts: "http://…:9200"
server.ssl.enabled: true
elasticsearch.ssl.verificationMode: none
logging.dest: /var/log/kibana/kibana.log
server.ssl.key: …
server.ssl.certificate: …

How should the Readonlyrest config look for this requirement?
Is there anything else I should be aware of?

Hello @Frankdetank,
Yes, you need both plugins to be installed at all times. You can download them autonomously from our download page.

You will need to install ROR in Elasticsearch and add the readonlyrest.yml file to the same directory as elasticsearch.yml.
The file will contain your ACL. Don’t forget to:

  • add an ACL block with static credentials for Kibana. For example:
readonlyrest:
    audit_collector: true
    access_control_rules:
    - name: Kibana
      type: allow
      auth_key: kibana:kibana # <--- static credentials for kibana daemon
      verbosity: error

And add them to kibana.yml:

elasticsearch.username: kibana
elasticsearch.password: kibana

Remember to disable xpack security in both Elasticsearch and Kibana by adding this line to both kibana.yml and elasticsearch.yml:

xpack.security.enabled: false

Now add the external connector (LDAP) definition to the readonlyrest.yml. You can find an example in the docs. And the corresponding ACL block that exercises it.

If you have problems coming up with the right LDAP search strings, help yourself with verbose logging by putting Elasticsearch rootLogger in debug mode.

You should be good to go.
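
A sketch of the readonlyrest.yml that the reply above describes, combining the Kibana service block with an LDAP connector and the ACL block that uses it. This is an added example, not configuration posted in the thread or shipped by the ReadonlyREST project. The key names are assumed from the LDAP connector format in the ReadonlyREST documentation and should be checked against the installed version; the connector name `ldap1`, the host, the DNs and the secrets are placeholders.

```yaml
# Added example: all hosts, DNs and secrets below are placeholders.
readonlyrest:
    audit_collector: true

    access_control_rules:
    # Service account used by the Kibana daemon itself. It must match
    # elasticsearch.username / elasticsearch.password in kibana.yml.
    # Use a long random secret here instead of a guessable pair.
    - name: Kibana
      type: allow
      auth_key: "kibana:<long-random-secret>"
      verbosity: error

    # Human users: credentials are checked against the LDAP connector
    # defined under "ldaps" below. This block only authenticates; add
    # further rules to it to restrict what those users can reach.
    - name: LDAP users
      type: allow
      ldap_authentication: "ldap1"

    ldaps:
    - name: ldap1                       # referenced by the ACL block above
      host: "ldap.example.internal"     # placeholder
      port: 636
      ssl_enabled: true                 # keep bind and user passwords off the wire in cleartext
      ssl_trust_all_certs: false        # validate the LDAP server certificate
      bind_dn: "cn=ror-bind,ou=service,dc=example,dc=internal"   # placeholder, read-only account
      bind_password: "<bind-password>"                           # placeholder
      search_user_base_DN: "ou=People,dc=example,dc=internal"    # placeholder
      user_id_attribute: "uid"
      cache_ttl_in_sec: 60
```

The Kibana service credentials travel from Kibana to Elasticsearch on every request, so an `http://` value in `elasticsearch.hosts` or `elasticsearch.ssl.verificationMode: none` in kibana.yml leaves them exposed or unauthenticated on that hop regardless of how the LDAP side is configured.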