Skip to content

Add support for RDN attribute name matching to PKI realm. #137931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add support for RDN attribute name matching to PKI realm. #137931

wants to merge 2 commits into from

Conversation

@ebarlas
Copy link
Contributor

@ebarlas ebarlas commented Nov 11, 2025
edited
Loading

This change adds configuration options to the PKI Realm for principal extraction from the client certificate based on a relative distinguished name (RDN) attribute value.

The following Elasticsearch YAML configuration options is included:

  • username_rdn_name - the RDN attribute name to use, e.g. CN

The implementation is based on text parsing of the RFC 2253 formatted text of the X500 distinguished name using the UnboundID LDAP SDK library.

Caveat: this approach only supports standard LDAP attribute types, such as CN, O, OU, UID, etc.

Non-LDAP extensions, such as EMAILADDRESS, and custom OIDs are not supported.

Examples:

DN Name Value
CN=John Doe, OU=Security Team, OU=Engineering, O=Elastic CN John Doe
UID=abc123, OU=Security Team, OU=Engineering, O=Elastic UID abc123
UID=abc123, OU=Security Team, OU=Engineering, O=Elastic CN -

@ebarlas ebarlas mentioned this pull request Nov 11, 2025
Open
@ebarlas ebarlas self-assigned this Nov 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ebarlas ebarlas

Labels

v9.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ebarlas @elasticsearchmachine