Hey guys,
I have been trying to set up LDAPS with JumpCloud as the provider. LDAP on port 389 (no SSL/TLS) seems to be working, but I cannot get it to work with SSL/TLS.
Below are my configuration files:
elasticsearch.yml:
cluster.name: "td-cluster"
network.host: 0.0.0.0
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: tdes0.pem
opendistro_security.ssl.http.pemkey_filepath: tdes0.key
opendistro_security.ssl.http.pemtrustedcas_filepath: MyRootCA.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - "CN=admin,O=*removed for privacy*,L=Sydney,ST=New South Wales,C=AU"
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.ssl.transport.pemtrustedcas_filepath: /usr/share/elasticsearch/config/jumpcloud.chain.pem
securityconfig.yml:
opendistro_security:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
      do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.jumpcloud.com:636
            bind_dn: "uid=*removed for privacy*,ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            password: "*removed for privacy*"
            userbase: "ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            usersearch: "(uid={0})"
            username_attribute: "cn"
            pemtrustedcas_filepath: jumpcloud.chain.pem
    authz:
      roles_from_myldap:
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.jumpcloud.com:636
            bind_dn: "uid=*removed for privacy*,ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            password: "*removed for privacy*"
            rolebase: 'ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: "cn"
            resolve_nested_roles: true
            userbase: 'ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com'
            usersearch: '(uid={0})'
            pemtrustedcas_filepath: jumpcloud.chain.pem
When I look at the logs from Elasticsearch, there is this error:
“org.elasticsearch.ElasticsearchException: opendistro_security.ssl.transport.keystore_filepath or opendistro_security.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.”
But I do not seem to have any key or certificate from JumpCloud, just their CA certificate, as mentioned at this link: “https://support.jumpcloud.com/customer/en/portal/articles/2440898-jumpcloud-ldaps-ssl-certificate”.
Please help me resolve this. Thanks in advance. And Happy Weekends.
Regards,
Ashim Mahara
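Added illustration, not part of the original post and not JumpCloud's or Open Distro's own code: a small Python linter that applies the constraint stated in the quoted exception to a flat elasticsearch.yml. It separates the two trust stores that the post's configuration runs together: the `opendistro_security.ssl.transport.*` keys configure node-to-node TLS and therefore require a node key and certificate, while the CA that an LDAP server presents belongs under `pemtrustedcas_filepath` inside the LDAP backend `config` block of securityconfig.yml. The two sample files below are constructed, and every file name in them is a placeholder; the default that transport TLS is enabled unless explicitly disabled is an assumption written into the code.

```python
"""Lint the transport-TLS settings of a flat Open Distro elasticsearch.yml.

Constructed example. The rule implemented in lint_transport_tls() mirrors the
exception text quoted in the post: when transport TLS is in use, either
keystore_filepath or pemkey_filepath must be set.
"""
from __future__ import annotations

TRANSPORT = "opendistro_security.ssl.transport."

# Constructed sample in the shape of the post's elasticsearch.yml: HTTP TLS is
# fully configured, but the only transport-TLS keys are a trust store pointing
# at an LDAP provider's chain and a disabled hostname check. File names are
# placeholders.
WEAK_ES_YML = """\
cluster.name: "demo-cluster"
network.host: 0.0.0.0
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-http.pem
opendistro_security.ssl.http.pemkey_filepath: node-http.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.authcz.admin_dn:
  - "CN=admin,O=Example,C=AU"
opendistro_security.ssl.transport.pemtrustedcas_filepath: ldap-provider-chain.pem
"""

# Constructed corrected sample: the transport layer gets its own node key,
# certificate and the cluster's root CA; the LDAP provider's chain is absent
# here because it belongs in the LDAP backend config, not in transport TLS.
CORRECTED_ES_YML = """\
cluster.name: "demo-cluster"
network.host: 0.0.0.0
opendistro_security.ssl.transport.pemcert_filepath: node-transport.pem
opendistro_security.ssl.transport.pemkey_filepath: node-transport.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: true
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-http.pem
opendistro_security.ssl.http.pemkey_filepath: node-http.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Read the top-level `key: value` lines of a flat elasticsearch.yml.

    Comments and `- item` list lines are skipped; nested mappings are out of
    scope, so this is not a general YAML parser. Quotes around values are
    stripped so file names compare cleanly.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def lint_transport_tls(settings: dict[str, str]) -> list[str]:
    """Return human-readable findings about the transport-TLS keys.

    Assumption: transport TLS is enabled unless
    opendistro_security.ssl.transport.enabled is explicitly "false".
    """
    findings: list[str] = []
    enabled = settings.get(TRANSPORT + "enabled", "true").lower() != "false"
    if not enabled:
        return findings

    has_key = any(
        settings.get(TRANSPORT + name)
        for name in ("keystore_filepath", "pemkey_filepath")
    )
    if not has_key:
        findings.append(
            "transport TLS is enabled but neither keystore_filepath nor "
            "pemkey_filepath is set, so the node has no key to present"
        )
        if settings.get(TRANSPORT + "pemtrustedcas_filepath"):
            findings.append(
                "transport pemtrustedcas_filepath is set without a node key: "
                "this trust store is for node-to-node TLS; an LDAP server's CA "
                "belongs under pemtrustedcas_filepath in the LDAP backend config"
            )
    if settings.get(TRANSPORT + "enforce_hostname_verification", "true").lower() == "false":
        findings.append(
            "enforce_hostname_verification is false: peer node certificates "
            "are not matched against node hostnames"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ES_YML), ("corrected", CORRECTED_ES_YML)):
        result = lint_transport_tls(parse_flat_yaml(text))
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running the module prints three findings for the weak sample and none for the corrected one; the first finding is the same condition the quoted exception reports at startup, so the linter surfaces it before the node is ever restarted.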