Implement LDAP integration for Kibana

Implement-blueprint: ldap-integration-in-stacklight Change-Id: I838c84333feab7828adda0dfc731a8582287f83d
2016-06-28 12:36:55 +02:00 · 2016-06-28 12:36:55 +02:00 · e19d42b190
parent 5d742d2ff2
commit e19d42b190
9 changed files with 532 additions and 26 deletions
--- a/deployment_scripts/puppet/manifests/firewall.pp
+++ b/deployment_scripts/puppet/manifests/firewall.pp
@ -14,6 +14,8 @@

 notice('fuel-plugin-elasticsearch-kibana: firewall.pp')

+$authnz = hiera_hash('lma::kibana::authnz')
+
 class {'::firewall':}

 firewall { '000 accept all icmp requests':
@ -80,6 +82,14 @@ firewall { '101 proxy-kibana':
  action => 'accept',
 }

+if $authnz['ldap_authorization_enabled'] {
+  firewall { '101 proxy-kibana-viewer':
+    port   => hiera('lma::elasticsearch::kibana_frontend_viewer_port'),
+    proto  => 'tcp',
+    action => 'accept',
+  }
+}
+
 firewall { '999 drop all other requests':
  proto  => 'all',
  chain  => 'INPUT',
--- a/deployment_scripts/puppet/manifests/haproxy.pp
+++ b/deployment_scripts/puppet/manifests/haproxy.pp
@ -16,7 +16,9 @@ notice('fuel-plugin-elasticsearch-kibana: haproxy.pp')

 $es_port = hiera('lma::elasticsearch::rest_port')
 $kibana_backend_port = hiera('lma::elasticsearch::apache_port')
+$kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port')
 $kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
+$kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port')
 $vip = hiera('lma::elasticsearch::vip')

 $nodes_ips = hiera('lma::elasticsearch::nodes')
@ -45,6 +47,7 @@ openstack::ha::haproxy_service { $es_haproxy_service:
 }

 $kibana_tls = hiera_hash('lma::kibana::tls')
+$authnz = hiera_hash('lma::kibana::authnz')
 if $kibana_tls['enabled'] {
  openstack::ha::haproxy_service { 'kibana':
    order                  => '921',
@ -59,6 +62,22 @@ if $kibana_tls['enabled'] {
      'mode'    => 'http',
    },
  }
+  if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
+    openstack::ha::haproxy_service { 'kibana-viewer':
+      order                  => '922',
+      internal_ssl           => true,
+      internal_ssl_path      => $kibana_tls['cert_file_path'],
+      listen_port            => $kibana_frontend_viewer_port,
+      balancermember_port    => $kibana_backend_viewer_port,
+      balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
+      haproxy_config_options => {
+        'option'  => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
+        'balance' => 'roundrobin',
+        'mode'    => 'http',
+      },
+    }
+  }
+
 } else {
  openstack::ha::haproxy_service { 'kibana':
    order                  => '921',
@ -71,4 +90,17 @@ if $kibana_tls['enabled'] {
      'mode'    => 'http',
    }
  }
+  if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
+    openstack::ha::haproxy_service { 'kibana-viewer':
+      order                  => '922',
+      listen_port            => $kibana_frontend_viewer_port,
+      balancermember_port    => $kibana_backend_viewer_port,
+      balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
+      haproxy_config_options => {
+        'option'  => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
+        'balance' => 'roundrobin',
+        'mode'    => 'http',
+      }
+    }
+  }
 }
--- a/deployment_scripts/puppet/manifests/hiera_override.pp
+++ b/deployment_scripts/puppet/manifests/hiera_override.pp
@ -90,7 +90,29 @@ if $tls_enabled {
    content => $elasticsearch_kibana['kibana_ssl_cert']['content'],
    require => File[$cert_dir]
  }
+}

+$ldap_enabled = $elasticsearch_kibana['ldap_enabled'] or false
+$ldap_protocol              = $elasticsearch_kibana['ldap_protocol']
+$ldap_servers               = split($elasticsearch_kibana['ldap_servers'], '\s+')
+$ldap_bind_dn               = $elasticsearch_kibana['ldap_bind_dn']
+$ldap_bind_password         = $elasticsearch_kibana['ldap_bind_password']
+$ldap_user_search_base_dns  = $elasticsearch_kibana['ldap_user_search_base_dns']
+$ldap_user_search_filter    = $elasticsearch_kibana['ldap_user_search_filter']
+$ldap_user_attribute        = $elasticsearch_kibana['ldap_user_attribute']
+$ldap_authorization_enabled = $elasticsearch_kibana['ldap_authorization_enabled'] or false
+$ldap_group_attribute       = $elasticsearch_kibana['ldap_group_attribute']
+$ldap_admin_group_dn        = $elasticsearch_kibana['ldap_admin_group_dn']
+$ldap_viewer_group_dn       = $elasticsearch_kibana['ldap_viewer_group_dn']
+
+if empty($elasticsearch_kibana['ldap_server_port']) {
+  if downcase($ldap_protocol) == 'ldap' {
+    $ldap_port = 389
+  } else {
+    $ldap_port = 636
+  }
+} else {
+  $ldap_port = $elasticsearch_kibana['ldap_server_port']
 }

 $calculated_content = inline_template('
@ -102,7 +124,9 @@ lma::elasticsearch::vip: <%= @vip %>
 lma::elasticsearch::es_haproxy_service: elasticsearch-rest
 lma::elasticsearch::listen_address: <%= @listen_address%>
 lma::elasticsearch::kibana_frontend_port: 80
+lma::elasticsearch::kibana_frontend_viewer_port: 81
 lma::elasticsearch::apache_port: 80
+lma::elasticsearch::apache_viewer_port: 81
 lma::elasticsearch::kibana_port: 5601
 lma::elasticsearch::kibana_index: .kibana
 lma::elasticsearch::rest_port: 9200
@ -128,8 +152,29 @@ lma::kibana::tls:
    hostname: <%= @kibana_hostname %>
    cert_file_path: <%= @cert_file_path %>
 <% end -%>
-lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %>
-lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %>
+lma::kibana::authnz:
+    username: <%= @elasticsearch_kibana["kibana_username"] %>
+    password: <%= @elasticsearch_kibana["kibana_password"] %>
+    ldap_enabled: <%= @ldap_enabled %>
+    ldap_authorization_enabled: <%= @ldap_authorization_enabled %>
+<% if @ldap_enabled -%>
+    ldap_servers:
+<% @ldap_servers.each do |s| -%>
+        - "<%= s %>"
+<% end -%>
+    ldap_protocol: <%= @ldap_protocol %>
+    ldap_port: <%= @ldap_port %>
+    ldap_bind_dn: <%= @ldap_bind_dn %>
+    ldap_bind_password: <%= @ldap_bind_password %>
+    ldap_user_search_base_dns: <%= @ldap_user_search_base_dns %>
+    ldap_user_attribute: <%= @ldap_user_attribute %>
+    ldap_user_search_filter: <%= @ldap_user_search_filter %>
+    ldap_group_attribute: <%= @ldap_group_attribute %>
+<% if @ldap_authorization_enabled -%>
+    ldap_admin_group_dn: <%= @ldap_admin_group_dn %>
+    ldap_viewer_group_dn: <%= @ldap_viewer_group_dn %>
+<% end -%>
+<% end -%>
 ')

 file { $hiera_file:
--- a/deployment_scripts/puppet/manifests/kibana.pp
+++ b/deployment_scripts/puppet/manifests/kibana.pp
@ -22,12 +22,27 @@ class { 'lma_logging_analytics::kibana':
  version        => '4.5.1',
 }

+$authnz = hiera_hash('lma::kibana::authnz')
 class { 'lma_logging_analytics::kibana_authentication':
-  listen_address => hiera('lma::elasticsearch::listen_address'),
-  listen_port    => hiera('lma::elasticsearch::apache_port'),
-  kibana_address => '127.0.0.1',
-  kibana_port    => hiera('lma::elasticsearch::kibana_port'),
-  username       => hiera('lma::kibana::username'),
-  password       => hiera('lma::kibana::password'),
-  require        => Class[lma_logging_analytics::kibana],
+  listen_address             => hiera('lma::elasticsearch::listen_address'),
+  listen_port                => hiera('lma::elasticsearch::apache_port'),
+  kibana_address             => '127.0.0.1',
+  kibana_port                => hiera('lma::elasticsearch::kibana_port'),
+  username                   => $authnz['username'],
+  password                   => $authnz['password'],
+  ldap_enabled               => $authnz['ldap_enabled'],
+  ldap_protocol              => $authnz['ldap_protocol'],
+  ldap_port                  => $authnz['ldap_port'],
+  ldap_servers               => $authnz['ldap_servers'],
+  ldap_bind_dn               => $authnz['ldap_bind_dn'],
+  ldap_bind_password         => $authnz['ldap_bind_password'],
+  ldap_user_search_base_dns  => $authnz['ldap_user_search_base_dns'],
+  ldap_user_search_filter    => $authnz['ldap_user_search_filter'],
+  ldap_user_attribute        => $authnz['ldap_user_attribute'],
+  ldap_authorization_enabled => $authnz['ldap_authorization_enabled'],
+  listen_port_viewer         => hiera('lma::elasticsearch::apache_viewer_port'),
+  ldap_group_attribute       => $authnz['ldap_group_attribute'],
+  ldap_admin_group_dn        => $authnz['ldap_admin_group_dn'],
+  ldap_viewer_group_dn       => $authnz['ldap_viewer_group_dn'],
+  require                    => Class[lma_logging_analytics::kibana],
 }
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
@ -21,12 +21,59 @@ class lma_logging_analytics::kibana_authentication (
  $kibana_address,
  $username,
  $password,
+  $ldap_enabled = false,
+  $ldap_protocol = undef,
+  $ldap_servers = [],
+  $ldap_port = undef,
+  $ldap_bind_dn = undef,
+  $ldap_bind_password = undef,
+  $ldap_user_search_base_dns = undef,
+  $ldap_user_search_filter = undef,
+  $ldap_user_attribute = undef,
+  $ldap_authorization_enabled = false,
+  $listen_port_viewer = undef,
+  $ldap_group_attribute = undef,
+  $ldap_admin_group_dn = undef,
+  $ldap_viewer_group_dn = undef,
 ) {

  include lma_logging_analytics::params

-  $apache_modules = ['proxy', 'proxy_http', 'rewrite',
-                    'authn_file', 'auth_basic', 'authz_user']
+  validate_integer($listen_port)
+  validate_integer($kibana_port)
+
+  $default_apache_modules = ['proxy', 'proxy_http', 'rewrite',
+    'authn_file', 'auth_basic', 'authz_user']
+
+  if $ldap_enabled {
+    if empty($ldap_servers) {
+      fail('ldap_servers list parameter is empty')
+    }
+    if ! $ldap_port { fail('Missing ldap_port parameter')}
+    if ! $ldap_protocol { fail('Missing ldap_protocol parameter')}
+    if ! $ldap_bind_dn { fail('Missing ldap_bind_dn parameter')}
+    if ! $ldap_bind_password { fail('Missing ldap_bind_password parameter')}
+    if ! $ldap_user_search_base_dns { fail('Missing ldap_user_search_base_dns parameter')}
+    if ! $ldap_user_search_filter { fail('Missing ldap_user_search_filter parameter')}
+    if ! $ldap_user_attribute { fail('Missing ldap_user_attribute parameter')}
+
+    if $ldap_authorization_enabled {
+      if ! $ldap_group_attribute {fail('Missing ldap_group_attribute parameter')}
+      if ! $ldap_admin_group_dn {fail('Missing ldap_admin_group_dn parameter')}
+      if ! $ldap_viewer_group_dn {fail('Missing ldap_viewer_group_dn parameter')}
+      if ! $listen_port_viewer {fail('Missing listen_port_viewer parameter')}
+
+      validate_integer($listen_port_viewer)
+    }
+    $apache_modules = concat($default_apache_modules, ['ldap', 'authnz_ldap'])
+
+    # LDAP url is used by apache::custom_config
+    $ldap_urls = suffix($ldap_servers, ":${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}")
+
+    $ldap_url = join($ldap_urls, ' ')
+  } else {
+    $apache_modules = $default_apache_modules
+  }

  ## Configure apache
  class { 'apache':
@ -55,8 +102,20 @@ class lma_logging_analytics::kibana_authentication (
    require => Class[Apache],
  }

-  apache::custom_config { 'kibana-proxy':
-    content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
-    require => [Class['apache'], File[$htpasswd_file]],
+  if $ldap_authorization_enabled {
+    apache::custom_config { 'kibana-proxy':
+      content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
+      require => [Class['apache'], File[$htpasswd_file]],
+    }
+    apache::listen { "${listen_address}:${listen_port_viewer}": }
+    apache::custom_config { 'kibana-proxy-viewer':
+      content => template('lma_logging_analytics/apache_kibana_proxy_viewer.conf.erb'),
+      require => [Class['apache'], File[$htpasswd_file]],
+    }
+  } else {
+    apache::custom_config { 'kibana-proxy':
+      content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
+      require => [Class['apache'], File[$htpasswd_file]],
+    }
  }
 }
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
@ -20,18 +20,115 @@ describe 'lma_logging_analytics::kibana_authentication' do
         :concat_basedir => '/foo' }
    end

-    let(:params) do
-        {:listen_address => '127.0.0.1', :listen_port => 80,
-         :kibana_address  => '127.0.0.1', :kibana_port => 5106,
-         :username => 'foouser', :password => 'foopass'
+    describe 'default parameters' do
+        let(:params) do
+            {:listen_address => '127.0.0.1', :listen_port => 80,
+             :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+             :username => 'foouser', :password => 'foopass'
+            }
+        end
+
+        it {
+          should contain_class('apache')
+          should contain_apache__custom_config('kibana-proxy')
+          should contain_htpasswd('foouser')
+          should contain_file('/etc/apache2/kibana.htpasswd')
+        }
+    end
+    describe 'ldap parameters' do
+        let(:params) do
+            {:listen_address => '127.0.0.1', :listen_port => 80,
+             :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+             :username => 'foouser', :password => 'foopass',
+             :ldap_enabled => true,
+             :ldap_protocol => 'ldap',
+             :ldap_port => 389,
+             :ldap_servers => ['ldap.foo.fr'],
+             :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+             :ldap_bind_password => 'foopass',
+             :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+             :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+             :ldap_user_attribute => 'uid',
+            }
+        end
+
+        it {
+          should contain_class('apache')
+          should contain_apache__custom_config('kibana-proxy')
+          should contain_htpasswd('foouser')
+          should contain_file('/etc/apache2/kibana.htpasswd')
+        }
+    end
+    describe 'ldap parameters are missing' do
+        let(:params) do
+            {:listen_address => '127.0.0.1', :listen_port => 80,
+             :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+             :username => 'foouser', :password => 'foopass',
+             :ldap_enabled => true,
+             :ldap_protocol => 'ldap',
+             :ldap_port => 389,
+             :ldap_servers => ['ldap.foo.fr'],
+             :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+             :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+             :ldap_user_attribute => 'uid',
+            }
+        end
+
+        it { is_expected.to raise_error(Puppet::Error, /Missing ldap_/) }
+    end
+
+    describe 'ldap parameters with authorization' do
+        let(:params) do
+            {:listen_address => '127.0.0.1', :listen_port => 80,
+             :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+             :username => 'foouser', :password => 'foopass',
+             :ldap_enabled => true,
+             :ldap_protocol => 'ldap',
+             :ldap_port => 389,
+             :ldap_servers => ['ldap.foo.fr'],
+             :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+             :ldap_bind_password => 'foopass',
+             :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+             :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+             :ldap_user_attribute => 'uid',
+             :ldap_authorization_enabled => true,
+             :listen_port_viewer => 81,
+             :ldap_group_attribute => 'memberUid',
+             :ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
+             :ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
+            }
+        end
+
+        it {
+          should contain_class('apache')
+          should contain_apache__custom_config('kibana-proxy')
+          should contain_htpasswd('foouser')
+          should contain_file('/etc/apache2/kibana.htpasswd')
        }
    end

-    it {
-      should contain_class('apache')
-      should contain_apache__custom_config('kibana-proxy')
-      should contain_htpasswd('foouser')
-      should contain_file('/etc/apache2/kibana.htpasswd')
-    }
+    describe 'ldap parameters with authorization missing' do
+        let(:params) do
+            {:listen_address => '127.0.0.1', :listen_port => 80,
+             :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+             :username => 'foouser', :password => 'foopass',
+             :ldap_enabled => true,
+             :ldap_protocol => 'ldap',
+             :ldap_port => 389,
+             :ldap_servers => ['ldap.foo.fr'],
+             :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+             :ldap_bind_password => 'foopass',
+             :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+             :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+             :ldap_user_attribute => 'uid',
+             :ldap_authorization_enabled => true,
+             #:ldap_group_attribute => 'memberUid',
+             #:ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
+             #:ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
+            }
+        end
+
+        it { is_expected.to raise_error(Puppet::Error, /Missing/) }
+    end
 end

--- a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
@ -15,14 +15,32 @@
    AuthName "Kibana Access"
    AuthType Basic
    AuthUserFile <%= @htpasswd_file %>
+<% if @ldap_enabled -%>
+    AuthBasicProvider file ldap
+    AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
+    AuthLDAPBindDN "<%= @ldap_bind_dn %>"
+    AuthLDAPBindPassword <%= @ldap_bind_password %>
+<% if @ldap_authorization_enabled -%>
+    AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
+    AuthLDAPGroupAttributeIsDN off
+    AuthBasicAuthoritative on
+    <RequireAny>
+    require user <%= @username %>
+    Require ldap-group <%= @ldap_admin_group_dn %>
+    </RequireAny>
+<% else -%>
    require valid-user
+<% end -%>
+<% else -%>
+    require valid-user
+<% end -%>
  </Proxy>

  ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
  ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
  RewriteEngine on
-  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
-  RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA]
+  # Passthrough the request to Kibana with the orginal query string
+  RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]

  ErrorLog "/var/log/apache2/kibana_error.log"
  ServerSignature Off
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
@ -0,0 +1,56 @@
+# ************************************
+# Vhost template in module lma_logging_analytics
+# Managed by Puppet
+# ************************************
+
+<VirtualHost <%= @listen_address %>:<%= @listen_port_viewer %>>
+  ServerName kibana
+  DocumentRoot "/opt/kibana"
+
+  ProxyRequests Off
+
+  <Proxy *>
+    Order Allow,Deny
+    Allow From All
+    AuthName "Kibana Access"
+    AuthType Basic
+    AuthUserFile <%= @htpasswd_file %>
+<% if @ldap_enabled -%>
+    AuthBasicProvider file ldap
+    AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
+    AuthLDAPBindDN "<%= @ldap_bind_dn %>"
+    AuthLDAPBindPassword <%= @ldap_bind_password %>
+<% if @ldap_authorization_enabled -%>
+    AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
+    AuthLDAPGroupAttributeIsDN off
+    AuthBasicAuthoritative on
+    <RequireAny>
+    require user <%= @username %>
+    Require ldap-group <%= @ldap_viewer_group_dn %>
+    Require ldap-group <%= @ldap_admin_group_dn %>
+    </RequireAny>
+<% else -%>
+    require valid-user
+<% end -%>
+<% else -%>
+    require valid-user
+<% end -%>
+  </Proxy>
+
+  ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
+  ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
+  RewriteEngine on
+  # Deleting is forbidden for viewers
+  RewriteCond %{REQUEST_METHOD} DELETE
+  RewriteRule .* - [F,L]
+  # Creation/update is forbidden for viewers
+  RewriteCond %{REQUEST_METHOD} POST
+  RewriteCond %{QUERY_STRING} op_type=create
+  RewriteRule .* - [F,L]
+  # Passthrough the request to Kibana with the orginal query string
+  RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]
+
+  ErrorLog "/var/log/apache2/kibana_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/kibana_access.log" combined
+</VirtualHost>
--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -139,3 +139,177 @@ attributes:
      - condition: "settings:elasticsearch_kibana.tls_enabled.value == false"
        action: "hide"
  # TLS Settings: END
+  # LDAP Settings: BEGIN
+  ldap_enabled:
+    value: false
+    label: 'Use LDAP for Kibana authentication'
+    description: ''
+    weight: 100
+    type: "checkbox"
+
+  ldap_protocol:
+    type: "radio"
+    value: 'ldap'
+    weight: 110
+    label: 'LDAP protocol'
+    values:
+      - data: "ldap"
+        label: "LDAP"
+      - data: "ldaps"
+        label: "LDAPS"
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+
+  ldap_servers:
+    value: ''
+    label: 'LDAP servers'
+    description: 'Specify one or several LDAP servers separated by space.'
+    weight: 120
+    type: "text"
+    regex:
+      source: '^\w[\w\-\s.]+$'
+      error: "You must provide a hostname or IP"
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_server_port:
+    value: ''
+    label: 'Port'
+    description: 'If empty, the default value is 389 for LDAP and 636 for LDAPS.'
+    weight: 130
+    type: "text"
+    regex:
+        source: '^\d{0,5}$'
+        error: "You must provide a valid port number"
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_bind_dn:
+    value: ''
+    label: 'Bind DN'
+    description: 'DN used to bind to the server when searching for entries.'
+    weight: 140
+    type: "text"
+    regex: &not_empty_parameter
+      source: '\S'
+      error: "Invalid value"
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_bind_password:
+    value: ''
+    label: 'Bind password'
+    description: 'Password to use in conjunction with the bind DN.'
+    weight: 150
+    type: "password"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_user_search_base_dns:
+    value: ''
+    label: 'User search base DN'
+    description: 'The base DN to search for users.'
+    weight: 160
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_user_attribute:
+    value: 'uid'
+    label: 'User attribute to search for'
+    description: "It's a good idea to choose an attribute that will be unique across all entries."
+    weight: 165
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_user_search_filter:
+    value: '(objectClass=*)'
+    label: 'User search filter'
+    description: 'A valid LDAP search filter.'
+    weight: 170
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+
+  ldap_authorization_enabled:
+    value: false
+    label: 'Enable group-based authorization'
+    description: 'It allows to associate the users with the Admin or Viewer role. Otherwise all users are assigned to admin role.'
+    weight: 200
+    type: "checkbox"
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+
+  ldap_group_attribute:
+    value: 'memberUid'
+    label: 'LDAP group attribute'
+    description: 'LDAP attribute used to identify the user members of groups.'
+    weight: 205
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+      - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+        action: disable
+
+  ldap_admin_group_dn:
+    value: ''
+    label: 'Group DN mapping to the Admins role'
+    description: ''
+    weight: 210
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+      - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+        action: disable
+
+  ldap_viewer_group_dn:
+    value: ''
+    label: 'Group DN mapping to the Viewers role'
+    description: ''
+    weight: 220
+    type: "text"
+    regex: *not_empty_parameter
+    restrictions:
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: hide
+      - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+        action: disable
+      - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+        action: disable
+  # LDAP Settings: END