
Commit 2ebc859

Clarify user authentication methods not available for ECH (#1275)
### Description

Make it clear that LDAP, Active Directory and PKI are not configurable for Elastic Cloud hosted environment.

### Background

- In an internal ticket (SDH - CP - 9505), we were guided by @beiske that ECH doesn't support LDAP, but the public doc is not evident enough for us to understand this fact
- We agreed that a doc PR to clarify this would be necessary

I also found Active Directory and PKI are the same, that is, not applicable on ECH. So I made a quick doc PR to make these related user authentication docs clear.

### After PR is merged

The orange sections will be added

![image](https://github.com/user-attachments/assets/37637d8c-366f-4109-9359-219abe0eb0c0)
![image](https://github.com/user-attachments/assets/aa64b9f3-3ad0-42d3-86a2-773ef09cf722)
![image](https://github.com/user-attachments/assets/d2df7c04-0e54-4b68-ba0e-552282ec9bbe)
![image](https://github.com/user-attachments/assets/c3400d4b-33df-4168-befc-6548961cf0e0)

### Additional Notes

To doc team: Maybe we could also use `note` instead of `warning`. I don't have a strong opinion here. Would leave this to your capable hands for decision 🙏

---------

Co-authored-by: Florent Le Borgne <[email protected]>
1 parent 441bb97 commit 2ebc859

4 files changed, +21 -8 lines changed
@@ -1,20 +1,20 @@
11
ldap
2-
: Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md).
2+
: Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. LDAP is not available on {{ech}} deployments. For more information, refer to [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md).
33

44
active_directory
5-
: Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md).
5+
: Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. Active Directory is not available on {{ech}} deployments. For more information, refer to [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md).
66

77
pki
8-
: Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md).
8+
: Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. PKI is not available on {{ech}} deployments. For more information, refer to [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md).
99

1010
saml
11-
: Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. See [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
11+
: Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. For more information, refer to [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
1212

1313
kerberos
14-
: Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md).
14+
: Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. For more information, refer to [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md).
1515

1616
oidc
17-
: Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. See [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md).
17+
: Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. For more information, refer to [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md).
1818

1919
jwt
20-
: Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md).
20+
: Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. For more information, refer to [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md).
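Review bot: the new sentences in the `ldap`, `active_directory` and `pki` entries say the realm "is not available on {{ech}} deployments", while the warnings added to the three realm pages in this same commit say it "cannot be configured on {{ech}} deployments"; pick one phrasing and use it in both places so a reader who follows the link does not wonder whether the two statements mean different things. Because only three entries carry the sentence, the `saml`, `kerberos`, `oidc` and `jwt` entries now read as implicitly available on {{ech}}; if that is the intended reading it is fine, otherwise a brief note on those entries would avoid the inference. The `See` to `For more information, refer to` change across all seven entries is consistent and reads well.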

deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md

+5
@@ -12,6 +12,11 @@ navigation_title: "Active Directory"
1212

1313
# Active Directory user authentication [active-directory-realm]
1414

15+
:::{{warning}}
16+
This type of user authentication cannot be configured on {{ech}} deployments.
17+
:::
18+
19+
1520
You can configure {{stack}} {{security-features}} to communicate with Active Directory to authenticate users.
1621

1722
:::{{tip}}
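Review bot: lines 18+ and 19+ insert two blank lines between the closing `:::` and the `You can configure …` paragraph, whereas the equivalent hunks in ldap.md and pki.md insert one; drop one of them so the three pages are formatted alike. On the `note` versus `warning` question raised in the description: the statement describes a platform limitation rather than a risk of breaking something, so `note` would be the closer match; whichever admonition is chosen, use the same one on all three pages.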

deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md

+5-1
@@ -12,6 +12,10 @@ navigation_title: LDAP
1212

1313
# LDAP user authentication [ldap-realm]
1414

15+
:::{{warning}}
16+
This type of user authentication cannot be configured on {{ech}} deployments.
17+
:::
18+
1519
You can configure the {{stack}} {{security-features}} to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate users. See [Configuring an LDAP realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md#ldap-realm-configuration).
1620

1721
To integrate with LDAP, you configure an `ldap` realm and map LDAP groups to user roles.
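Review bot: the warning at lines 15+ to 17+ says what cannot be done but gives the {{ech}} reader no next step; a short pointer to the realms that remain usable on {{ech}}, or to the relevant {{ech}} documentation, would make the admonition actionable rather than a dead end. The placement directly under the H1, ahead of the introductory paragraph, is right: it is the first thing an {{ech}} user sees before investing time in the configuration steps that follow.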
@@ -313,4 +317,4 @@ By default, when you configure {{es}} to connect to an LDAP server using SSL/TLS
313317

314318
The LDAP security realm uses the {{kib}}-provided [basic authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#basic-authentication) login form. Basic authentication is enabled by default.
315319

316-
You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}.
320+
You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}.
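Review bot: the removed line 316 and the added line 320 are character-for-character identical in the rendered diff, so this hunk is a whitespace-only change (most likely a trailing newline or trailing whitespace at end of file) that is unrelated to the stated purpose of the commit; it is harmless, but a one-line mention in the description would save future readers of `git blame` from looking for a content change that is not there.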

deploy-manage/users-roles/cluster-or-deployment-auth/pki.md

+4
@@ -10,6 +10,10 @@ applies_to:
1010

1111
# PKI [pki-realm]
1212

13+
:::{{warning}}
14+
This type of user authentication cannot be configured on {{ech}} deployments.
15+
:::
16+
1317
You can configure {{es}} to use Public Key Infrastructure (PKI) certificates to authenticate users. In this scenario, clients connecting directly to {{es}} must present X.509 certificates. First, the certificates must be accepted for authentication on the SSL/TLS layer on {{es}}. Then they are optionally further validated by a PKI realm. See [PKI authentication for clients connecting directly to {{es}}](#pki-realm-for-direct-clients).
1418

1519
You can also use PKI certificates to authenticate to {{kib}}, however this requires some additional configuration. On {{es}}, this configuration enables {{kib}} to act as a proxy for SSL/TLS authentication and to submit the client certificates to {{es}} for further validation by a PKI realm. See [PKI authentication for clients connecting to {{kib}}](#pki-realm-for-proxied-clients).
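Review bot: the hunk header shows this page carries an `applies_to:` front-matter block; if that block lists {{ech}} as an applicable deployment type, it now contradicts the warning inserted at lines 13+ to 15+ and should be updated in the same commit (the same check applies to the ldap.md and active-directory.md front matter, which these hunks do not show). The warning also says PKI cannot be configured on {{ech}} while the following paragraphs describe two distinct configurations, clients connecting directly to {{es}} and clients proxied through {{kib}}; if the restriction covers both, saying so briefly would pre-empt the question.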
