Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.1.0

Describe the issue:

I am able to deploy the opensearch-values.yaml and opensearch-dashboards-values.yaml through argocd.

opensearch-values.yaml:
imagePullSecrets:

• name: logging-reg-jfrog

image:
repository:
tag: 2.13.0
pullPolicy: Always

persistence:
enabled: true
storageClass: “”
size: 30Gi
image:
imageTag: latest

sysctlInit:
enabled: true
image:
imageTag: latest
command: [“sysctl”, “-w”, “vm.max_map_count=262144”]
securityContext:
privileged: true

extraEnvs:

• name: DISABLE_INSTALL_DEMO_CONFIG
  value: “true”
• name: DISABLE_SECURITY_PLUGIN
  value: “false”
• name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
  valueFrom:
  secretKeyRef:
  name: opensearch-auth-secret
  key: password
• name: CLIENT_ID
  valueFrom:
  secretKeyRef:
  name: os-client-id-secret
  key: client-id
• name: CLIENT_SECRET
  valueFrom:
  secretKeyRef:
  name: os-client-id-secret
  key: client-secret

opensearchJavaOpts: “-Xms1g -Xmx1g”

securityConfig:
enabled: true
path: /usr/share/opensearch/config/opensearch-security

actionGroupsSecret: os-action-groups-secret

configSecret: os-config-secret
internalUsersSecret: os-internal-users-secret
rolesSecret: os-roles-secret
rolesMappingSecret: os-roles-mapping-secret
tenantsSecret: os-tenants-secret

extraVolumes:

• name: opensearch-tls
  secret:
  secretName: opensearch-tls

• name: saml-metadata
  secret:
  secretName: saml-metadata

extraVolumeMounts:

• name: opensearch-tls
  mountPath: /usr/share/opensearch/config/certs
  readOnly: true

• name: saml-metadata
  mountPath: /usr/share/opensearch/config/metadata_file.xml
  subPath: metadata_file.xml
  readOnly: true

config:

opensearch.yml: |
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt

plugins.security.nodes_dn:
  - "CN=opensearch-cluster-master.logging.svc.cluster.local"
  - "CN=opensearch-cluster-master"
  - "CN=opensearch-cluster-master.logging"
  - "CN=opensearch-cluster-master.logging.svc"

resources:
requests:
cpu: “500m”
memory: “2Gi”
limits:
cpu: “1”
memory: “4Gi”

opensearch-dashboards-values.yaml:

imagePullSecrets:

• name: logging-reg-jfrog

image:
repository:
tag: 2.13.0
pullPolicy: Always

replicaCount: 1

opensearchHosts: “opensearch-cluster-master.logging.svc.cluster.local:9200”

resources:
requests:
cpu: “100m”
memory: “512Mi”
limits:
cpu: “100m”
memory: “512Mi”

service:
type: ClusterIP
port: 5601

ingress:
enabled: true
ingressClassName: nginx

hosts:

• host: opensearch.int.app
  paths:
• path: /
  pathType: Prefix
  backend:
  service:
  name: opensearch-dashboards
  port:
  number: 5601
  tls:
• secretName: opensearch-dashboards-cert
  hosts:
• opensearch.

extraEnvs:

• name: OPENSEARCH_USERNAME
  valueFrom:
  secretKeyRef:
  name: opensearch-auth-secret
  key: username
• name: OPENSEARCH_PASSWORD
  valueFrom:
  secretKeyRef:
  name: opensearch-auth-secret
  key: password
• name: CLIENT_ID
  valueFrom:
  secretKeyRef:
  name: os-client-id-secret
  key: client-id
• name: CLIENT_SECRET
  valueFrom:
  secretKeyRef:
  name: os-client-id-secret
  key: client-secret

config:
opensearch_dashboards.yml: |
server.host: “0.0.0.0”
opensearch.hosts: [ “opensearch-cluster-master.logging.svc.cluster.local:9200” ]
opensearch.ssl.verificationMode: none
opensearch.username: “${OPENSEARCH_USERNAME}”
opensearch.password: “${OPENSEARCH_PASSWORD}”
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: [“saml”,“basicauth”]
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
server.xsrf.allowlist: [“/_opendistro/_security/saml/acs/idpinitiated”, “/_opendistro/_security/saml/acs”, “/_opendistro/_security/saml/logout”]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: [“Private”, “Global”]

extraVolumes:

• name: opensearch-ca-cert
  secret:
  secretName: opensearch-tls

extraVolumeMounts:

• name: opensearch-ca-cert
  mountPath: /usr/share/opensearch-dashboards/config/certs
  readOnly: true

Configuration:

apiVersion: v1
kind: Secret
metadata:
name: os-config-secret
namespace: logging
type: Opaque
stringData:
config.yml: |-
_meta:
type: “config”
config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: /usr/share/opensearch/config/metadata_file.xml
              entity_id: "https://sts.windows.net/xxxx"
            sp:
              entity_id: "opster-ad-sso"
              acs: "https://opensearch.int.app.xxxx.com/_opendistro/_security/saml/acs"
            kibana_url: "https://opensearch.int.app.xxxx.com"
            # Use forum-recommended mapping:
            roles_key: http://schemas.xmlsoap.org/ws/2008/06/identity/claims/groups
            subject_key: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
            exchange_key: "f1348xxxx"
        authentication_backend:
          type: noop

Relevant Logs or Screenshots:

image1201×844 164 KB

Error: failed parsing SAML config
at SecurityClient.getSamlHeader (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:212:15)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
at /usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/saml/routes.ts:78:30
at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:174:44)
at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:140:50)
at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)
Edg/139.0.0.0",“referer”://opensearch.int.app.xxx.com/auth/saml/captureUrlFragment?nextUrl=%2F"},“res”:{“statusCode”:500,“responseTime”:77,“contentLength”:9},“message”:"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 77ms - 9.0B”}
{“type”:“response”,“@timestamp”:"2025-09-02T12:22

hey @seshadri ,

If you see in your attributes and claims section these are added as groups and emailaddress, could you update them to point to these and check if you still have an issue.

subject_key: “emailaddress”
roles_key: “groups”

Leeroy.

Hi @Leeroy Just tried as suggested above and restarted the pods, and tried in private window, but still getting the same error and no impact.

{“statusCode”:500,“error”:“Internal Server Error”,“message”:“Internal Error”}

image855×201 6.03 KB

Thanks
Seshadri

Hi @Leeroy Any thoughts? I am suspecting something with config.yml where I am referencing from secrets from my opensearch-values.yml and I doubt if it’s picking that proper.. when I checked the folder it exists from mount…
it would be great if can i get those templates which worked.. Please suggest.

Thanks
Seshadri

Hi @seshadri ,

Do you get the 500 before or after you see the Microsoft login? Are you sure the metadata_file: /usr/share/opensearch/config/metadata_file.xml exists in the pod and is correct? Have you tried using the URL instead?

When you say you restarted the pods, do you mean you allowed argo update the deploy and created new pods? Or just restarted? If so did you confirm the config changes in the pods?

A private window normally works fine when testing for myself, but you could also clear the cache. I normally keep a separate browser with cache turned off so every time I open for testing I have a clean instance to test.

Leeroy.

@seshadri

I also noticed in your

              entity_id: "https://sts.windows.net/xxxx"

you don’t have a ending / is this the case from redacting or is it the same in your config if so could you update it to be

              entity_id: "https://sts.windows.net/xxxx/"

Leeroy.

Hi @Leeroy I am getting 500 before Microsoft login itself.

I also tried with URL also but still the same issue.

Thanks
Seshadri

Hi @seshadri ,

Did you try with the trailing /? or was that just from refactoring? Share your now updated configs. Also do you have any roles, or roles_mappings configured?

Leeroy.

HI @Leeroy Thanks for your continuous support.
Yes I tried with trailing / also no difference..

It seems the issue with config.yml somehow I suspect it’s not picking correctly, instead it takes default config.json… I dont know why it’s not picking the config.yml correctly though it’s available in secrets and mounted to path correctly.. I checked by exec to path those configs from secrets exists…

I am reading at some place that people suggest to run secureadmin.sh from pod, I really have no clue why it’s required.. somehow this going complicate though followed the proper steps from document…

Probably someone for those it worked need to share thier template as samples…

Thanks
Seshadri

Hi Everyone - Could you suggest here please as I kind of blocked with saml integration with Azure due to the above reported 500 error and no clue what causing this behaviour.

Thanks
Seshadri

Hi @Leeroy Here are some logs which shows my config.yml bot being referred correctly, really no clue what am I missing here

kubectl exec -it opensearch-cluster-master-0 -n logging –
curl -u admin:admin123Secure!
–insecure
https://opensearch-cluster-master.logging.svc.cluster.local:9200/_plugins/_security/api/securityconfig | jq ‘.config.dynamic’
Defaulted container “opensearch” out of: opensearch, fsgroup-volume (init), sysctl (init), configfile (init)
parse error: Invalid numeric literal at line 1, column 10
^C

kubectl exec -it opensearch-cluster-master-0 -n logging –
curl -u admin:admin123Secure!
–insecure
https://opensearch-cluster-master.logging.svc.cluster.local:9200/_plugins/_security/api/securityconfig | jq ‘.config.dynamic.authc’
Defaulted container “opensearch” out of: opensearch, fsgroup-volume (init), sysctl (init), configfile (init)
parse error: Invalid numeric literal at line 1, column 10
kubectl exec -it opensearch-cluster-master-1 -n logging –
cat /usr/share/opensearch/config/opensearch-security/config.yml | head -20
Defaulted container “opensearch” out of: opensearch, fsgroup-volume (init), sysctl (init), configfile (init)
_meta:
type: “config”
config_version: 2

config:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: false
authc:
basic_internal_auth_domain:
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:

I am attaching here my yaml and configs here once again.. please check and suggest what am I missing..openseach-values.yaml:

imagePullSecrets:
  - name: logging-reg-jfrog

image:
  repository: xxxxct.jfrog.io/ops-docker/opensearchproject/opensearch
  tag: 2.13.0
  pullPolicy: Always

persistence:
  enabled: true
  storageClass: ""
  size: 30Gi
  image: xxxxct.jfrog.io/ops-docker/busybox
  imageTag: latest

# securityConfig:
#   config:
#     data:
#       config.yml: |-
#         _meta:
#           type: "config"
#           config_version: 2
#         config:
#           dynamic:
#             http:
#               anonymous_auth_enabled: false
#             authc:
#               basic_internal_auth_domain:
#                 description: "Authenticate via HTTP Basic against internal users database"
#                 http_enabled: true
#                 transport_enabled: true
#                 order: 0
#                 http_authenticator:
#                   type: basic
#                   challenge: false
#                 authentication_backend:
#                   type: intern
#               saml_auth_domain:
#                 http_enabled: true
#                 transport_enabled: false
#                 order: 1
#                 http_authenticator:
#                   type: saml
#                   challenge: true
#                   config:
#                     idp:
#                       metadata_file: /usr/share/opensearch/config/metadata_file.xml
#                       entity_id: "https://sts.windows.net/xxx/"
#                     sp:
#                       entity_id: "opster-ad-sso"
#                     kibana_url: "https://opensearch.int.app.xxxx.com"
#                     roles_key: "groups"
#                     subject_key: "emailaddress"
#                     exchange_key: "f1348312d973507aaa3a3673081237b7bbf02f0b6dd7b47a11b146fd30117eec"
#                 authentication_backend:
#                   type: noop

sysctlInit:
  enabled: true
  image: xxxxct.jfrog.io/ops-docker/busybox
  imageTag: latest
  command: ["sysctl", "-w", "vm.max_map_count=262144"]
  securityContext:
    privileged: true

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"
  - name: DISABLE_SECURITY_PLUGIN
    value: "false"
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: password
  - name: CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-id
  - name: CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-secret

opensearchJavaOpts: "-Xms1g -Xmx1g"

securityConfig:
  enabled: true
  path: /usr/share/opensearch/config/opensearch-security
  # actionGroupsSecret: os-action-groups-secret
  configSecret: os-config-secret
  internalUsersSecret: os-internal-users-secret
  rolesSecret: os-roles-secret
  rolesMappingSecret: os-roles-mapping-secret
  tenantsSecret: os-tenants-secret
#   admin:
#     secretName: opensearch-auth-secret
#     usernameKey: username
#     passwordKey: password
  # config:
  #   dynamic:
  #     http:
  #       anonymous_auth_enabled: false
  #     authc:
  #       basic_internal_auth_domain:
  #         description: "Authenticate via HTTP Basic against internal users database"
  #         http_enabled: true
  #         transport_enabled: true
  #         order: 0
  #         http_authenticator:
  #           type: basic
  #           challenge: false
  #         authentication_backend:
  #           type: internal
  #       openid_auth_domain:
  #         http_enabled: true
  #         transport_enabled: true
  #         order: 1
  #         http_authenticator:
  #           type: openid
  #           challenge: false
  #           config:
  #             subject_key: "email"
  #             roles_key: "groups"
  #             openid_connect_url: https://login.microsoftonline.com/xxxx/v2.0/.well-known/openid-configuration
  #             client_id: ${CLIENT_ID}
  #             client_secret: ${CLIENT_SECRET}
  #             scope: "openid profile email groups"
  #             # required_audience: "171c630c-455c-4072-b91f-ded7f665a01f"
  #         authentication_backend:
  #           type: noop
    # roles:
    #   all_access:
    #     cluster_permissions:
    #       - "*"
    #     index_permissions:
    #       - index_patterns:
    #           - "*"
    #         allowed_actions:
    #           - "*"
    #   test:        
    #     cluster_permissions:
    #       - "cluster_composite_ops"
    #     index_permissions:
    #       - index_patterns:
    #           - "*"
    #         allowed_actions:
    #           - "read"
    # roles_mapping:
    #   all_access:
    #     reserved: false
    #     hidden: false
    #     backend_roles:
    #       - "admin"
    #       - "test"
    #     description: "Maps admin to all_access"
    #   own_index:
    #     reserved: false
    #     users:
    #       - "*"
    #     description: "Allow full access to an index named like the username"

    #   logstash:
    #   reserved: false
    #   backend_roles:
    #     - "logstash"
    #     - "test"
      
    # internal_users:
    #   admin:
    #     hash: ""

extraVolumes:
  - name: opensearch-tls
    secret:
      secretName: opensearch-tls
  
  - name: saml-metadata
    secret:
      secretName: saml-metadata

extraVolumeMounts:
  - name: opensearch-tls
    mountPath: /usr/share/opensearch/config/certs
    readOnly: true

  - name: saml-metadata
    mountPath: /usr/share/opensearch/config/metadata_file.xml
    subPath: metadata_file.xml
    readOnly: true

config:
  
  opensearch.yml: |
    network.host: 0.0.0.0
    plugins.security.ssl.transport.enabled: true
    plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
    plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.ssl.transport.enforce_hostname_verification: false

    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
    plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.allow_unsafe_democertificates: false
    plugins.security.allow_default_init_securityindex: true

    plugins.security.authcz.admin_dn:
      - "CN=opensearch-cluster-master.logging.svc.cluster.local"
      - "CN=opensearch-cluster-master"
      - "CN=opensearch-cluster-master.logging"
      - "CN=opensearch-cluster-master.logging.svc"

    plugins.security.nodes_dn:
      - "CN=opensearch-cluster-master.logging.svc.cluster.local"
      - "CN=opensearch-cluster-master"
      - "CN=opensearch-cluster-master.logging"
      - "CN=opensearch-cluster-master.logging.svc"
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.system_indices.enabled: true
   


resources:
  requests:
    cpu: "500m"
    memory: "2Gi"
  limits:
    cpu: "1"
    memory: "4Gi"

opensearch-dashboards.yml:imagePullSecrets:
  - name: logging-reg-jfrog

image:
  repository: xxxxct.jfrog.io/ops-docker/opensearchproject/opensearch-dashboards
  tag: 2.13.0
  pullPolicy: Always

replicaCount: 1

opensearchHosts: "https://opensearch-cluster-master.logging.svc.cluster.local:9200"

resources:
  requests:
    cpu: "100m"
    memory: "512Mi"
  limits:
    cpu: "100m"
    memory: "512Mi"

service:
  type: ClusterIP
  port: 5601

ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  hosts:
    - host: opensearch.int.app.xxxx.com
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: opensearch-dashboards
              port:
                number: 5601
  tls:
    - secretName: opensearch-dashboards-cert
      hosts:
        - opensearch.int.app.xxxx.com

extraEnvs:
  - name: OPENSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: username
  - name: OPENSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: password
  - name: CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-id
  - name: CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-secret
  
  - name: OPENSEARCH_SSL_CERTIFICATE_AUTHORITIES
    value: "/usr/share/opensearch-dashboards/config/certs/ca.crt"
  - name: OPENSEARCH_SSL_CERTIFICATE
    value: "/usr/share/opensearch-dashboards/config/certs/tls.crt"
  - name: OPENSEARCH_SSL_KEY
    value: "/usr/share/opensearch-dashboards/config/certs/tls.key"


config:
  opensearch_dashboards.yml: |
    server.host: "0.0.0.0"
    server.rewriteBasePath: false
    opensearch.hosts: [https://opensearch-cluster-master.logging.svc.cluster.local:9200]
    opensearch.ssl.verificationMode: none
    opensearch.ssl.certificateAuthorities: ${OPENSEARCH_SSL_CERTIFICATE_AUTHORITIES}
    opensearch.ssl.certificate: ${OPENSEARCH_SSL_CERTIFICATE}
    opensearch.ssl.key: ${OPENSEARCH_SSL_KEY}
    opensearch.ssl.keyPassphrase: ""
    opensearch_security.allow_client_certificates: true
    opensearch_security.cookie.secure: false
    opensearch.requestTimeout: 120000
    opensearch.pingTimeout: 120000
    opensearch.shardTimeout: 120000
    opensearch.username: "${OPENSEARCH_USERNAME}"
    opensearch.password: "${OPENSEARCH_PASSWORD}"
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.auth.type: ["saml","basicauth"]
    opensearch.requestHeadersWhitelist: [authorization, securitytenant]
    server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.enable_global: true
    opensearch_security.multitenancy.tenants.enable_private: true
    opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
    logging.verbose: true
    logging.events: ["authentication", "security", "http", "error"]


extraVolumes:
  - name: opensearch-ca-cert
    secret:
      secretName: opensearch-tls

extraVolumeMounts:
  - name: opensearch-ca-cert
    mountPath: /usr/share/opensearch-dashboards/config/certs
    readOnly: true

config.yml which is part of my secrets os-config-secret file: _meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              entity_id: "https://sts.windows.net/xxx/"
              metadata_url: "https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml"
            sp:
              entity_id: "https://opensearch.int.app.xxxx.com"
            roles_key: "groups"
            subject_key: "emailaddress"
            exchange_key: "DZ9iV56RkffI0dMi0IMti4fsf4XvtoprkAuK6FVYOYsDbGd8JRH6HolJbUhxgVhC"
        authentication_backend:
          type: noop
    # CRITICAL: Enable REST API access
    authz:
      roles_from_another_ldap:
        http_enabled: false
        authorization_backend:
          type: ldap
          config: {}
        description: "Authorize via another Active Directory"
      roles_from_myldap:
        http_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
        description: "Authorize via LDAP or Active Directory"
    # Enable REST API access for security configuration
    do_not_fail_on_forbidden: false
    multi_rolespan_enabled: true
    hosts_resolver_mode: "ip-only"
    do_not_fail_on_forbidden_empty: false
    on_behalf_of:
      enabled: false
    # REST API configuration - THIS IS WHAT WAS MISSING
    restapi:
      enabled: true
      endpoints_enabled: true
      permissions_enabled: true

Please suggest, I am been struggling with thsi from past couple of days.

Thanks
Seshadri