From 68fc426ba3442546a93ff185db8cf4f58df5314f Mon Sep 17 00:00:00 2001
From: Kieran
Date: Sat, 9 May 2026 18:27:45 +0100
Subject: [PATCH] Added example configuration for Elasticsearch + Kibanna
---
 example_configs/README.md | 1 +
 example_configs/elasticsearch.md | 56 ++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 example_configs/elasticsearch.md
diff --git a/example_configs/README.md b/example_configs/README.md
index ca05475..e22db14 100644
--- a/example_configs/README.md
+++ b/example_configs/README.md
@@ -19,6 +19,7 @@ configuration files:
 - [Dolibarr](dolibarr.md)
 - [Duo Auth Proxy](duo_auth_proxy.md)
 - [Ejabberd](ejabberd.md)
+- [Elasticsearch](elasticsearch.md)
 - [Emby](emby.md)
 - [Ergo IRCd](ergo.md)
 - [Gerrit](gerrit.md)
diff --git a/example_configs/elasticsearch.md b/example_configs/elasticsearch.md
new file mode 100644
index 0000000..f8f923b
--- /dev/null
+++ b/example_configs/elasticsearch.md
@@ -0,0 +1,56 @@
+# Elasticsearch configuration
+
+> ⚠️ Configuring Elasticsearch to use LDAP auth requires a paid licence. Only the `default` and `file` realms are enabled on a Basic licence.
+
+This basic configuration example is for LLDAP auth on [Elastic Cloud on Kubernetes (ECK)](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s). Advanced configuration can be found in the [Elastic docs](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/ldap).
+
+## Elasticsearch
+
+To perform auth using LLDAP in Elasticsearch, add the following lines to the Elasticsearch spec:
+
+```yaml
+spec:
+ nodesets:
+ - name: elasticsearch
+ config:
+ xpack.security.authc.realms.ldap:
+ ldap1:
+ order: 1
+ enabled: true
+ url: "ldap://:3890"
+ user_dn_templates:
+ - "uid={0},ou=people,dc=example,dc=com"
+ bind_dn: "uid=admin,ou=people,dc=example,dc=com"
+ group_search:
+ base_dn: "ou=groups,dc=example,dc=com"
+ unmapped_groups_as_roles: false
+ secureSettings:
+ - secretName: elasticsearch-keystore-values
+```
+
+Then, create a secret called `elasticsearch-keystore-values`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: elasticsearch-keystore-values
+ namespace: elastic
+data:
+ xpack.security.authc.realms.ldap.ldap1.secure_bind_password: base64_encoded_ldap_admin_password
+```
+
+## Kibana
+
+To allow Kibana to auth logins using LLDAP, add the following lines to the Kibana spec:
+
+```yaml
+spec:
+ config:
+ xpack.security.authc.providers:
+ basic.ldap1:
+ order: 0
+```
+
+Unless doing additional manifest configuration to automatically map, you will need to create a role mapping between an LLDAP role and an Elasticsearch role (e.g. `superuser`). This can be done by logging in using the default `elastic` user created during cluster init and then creating a role mapping in Stack Management. Once created, you will be able to login using LLDAP auth.
\ No newline at end of file