Cannot get AD authentication to work

I’m trying to spin up a new OpenSearch 1.3.1 instance - tarball on AlmaLinux 8.5 with java-1.8.0-openjdk-headless. I have a working OD 1.13.2 cluster based on a similar configuration.

/bin/bash /usr/local/opensearch/plugins/opensearch-security/tools/securityadmin.sh -h os-sea01.nwra.com -cd /usr/local/opensearch/config/opensearch-security -icl -nhnv -cacert /etc/pki/ca-trust/source/anchors/nwra.com_ipa_ca.crt -cert /usr/local/opensearch/config/opensearch-security/opendistro_security_admin.crt -key /usr/local/opensearch/config/opensearch-security/opendistro_security_admin.key
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /usr/bin/java
Security Admin v7
Will connect to os-sea01.nwra.com:9300 ... done
Connected as CN=opendistro_security_admin,O=NWRA.COM
OpenSearch Version: 1.3.1
OpenSearch Security Version: 1.3.1.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/local/opensearch/config/opensearch-security/
Will update '_doc/config' with /usr/local/opensearch/config/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/local/opensearch/config/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/local/opensearch/config/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/local/opensearch/config/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/local/opensearch/config/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/local/opensearch/config/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/local/opensearch/config/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/local/opensearch/config/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/local/opensearch/config/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Done with success

config.yml:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            pemtrustedcas_filepath: /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - AD1:636
              - AD2:636
            bind_dn: BINDDN
            password: XXXX
            userbase: 'ou=nwra,dc=ad,dc=nwra,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            pemtrustedcas_filepath: /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - AD1:636
              - AD2:636
            bind_dn: BINDDN
            password: XXXXXXX
            rolebase: 'ou=nwra,dc=ad,dc=nwra,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: true
            # These are internal_users
            skip_users:
              - admin
              - kibanaserver
              - kibanaro
              - logstash
              - readall
              - snapshotrestore

opensearch.yml:

plugins.security.ssl.transport.pemcert_filepath: opensearch.nwra.com.crt
plugins.security.ssl.transport.pemkey_filepath: opensearch.nwra.com.key
plugins.security.ssl.transport.pemtrustedcas_filepath: nwra_ad_ipa_ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch.nwra.com.crt
plugins.security.ssl.http.pemkey_filepath: opensearch.nwra.com.key
plugins.security.ssl.http.pemtrustedcas_filepath: nwra_ad_ipa_ca.crt
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.audit.type: debug
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

I can find no relevant log information from the security plugin in /var/log/opensearch/opensearch.log or the journal output beyond:

[2022-05-04T13:24:40,171][INFO ][o.o.p.PluginsService     ] [os-sea01.nwra.com] loaded plugin [opensearch-security]

@opoplawski Could you try placing the ad.nwra.com.crt cert file in the config folder of OpenSearch and pointing the configuration to the new path?

Make sure that the cert file has the same user:group assigned as other files in that folder.

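A preflight check for the fix suggested in that reply, added here as an example; it is not part of the thread or of OpenSearch. It takes a certificate path as written in config.yml or opensearch.yml (relative paths are resolved against the config directory, as the plugin does) and a reference file from the config folder, then reports whether the file is missing, lies outside the config directory, has a different owner:group than the reference file, or does not look like a PEM certificate. The config directory default of /usr/local/opensearch/config is taken from the post; the function name and output labels are this example's own.

```shell
#!/bin/sh
# Added example, not OpenSearch code: sanity-check certificate files that the
# security plugin is configured to read, before running securityadmin.sh.

# Config directory taken from the thread; override with the environment.
OPENSEARCH_CONFIG="${OPENSEARCH_CONFIG:-/usr/local/opensearch/config}"

# check_cert_file PATH REFERENCE_FILE
#   PATH           value of a *pemtrustedcas_filepath / pemcert_filepath setting
#   REFERENCE_FILE a known-good file in the config folder (e.g. opensearch.yml)
# Prints one line per finding and returns 0 only if nothing was found.
check_cert_file() {
  cert=$1
  ref=$2
  rc=0

  # Relative paths are resolved against the config directory, like the plugin does.
  case "$cert" in
    /*) ;;
    *) cert="$OPENSEARCH_CONFIG/$cert" ;;
  esac

  if [ ! -f "$cert" ]; then
    echo "MISSING: $cert"
    return 1
  fi

  # The thread's fix was to move the CA file into the config folder;
  # flag anything still living elsewhere (note: '..' is not normalised here).
  case "$cert" in
    "$OPENSEARCH_CONFIG"/*) ;;
    *) echo "OUTSIDE_CONFIG: $cert (config dir is $OPENSEARCH_CONFIG)"; rc=1 ;;
  esac

  # Owner and group must match the other files the plugin already reads.
  cert_owner=$(stat -c '%U:%G' "$cert")
  ref_owner=$(stat -c '%U:%G' "$ref")
  if [ "$cert_owner" != "$ref_owner" ]; then
    echo "OWNER_MISMATCH: $cert is $cert_owner, $ref is $ref_owner"
    rc=1
  fi

  # The file must be readable by whoever runs this check (run it as the
  # service user for a meaningful answer).
  if [ ! -r "$cert" ]; then
    echo "UNREADABLE: $cert"
    rc=1
  fi

  # A trusted-CA file is PEM; a DER file or a key file would fail to load.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "NOT_PEM_CERT: $cert"
    rc=1
  fi

  return $rc
}

# Usage, with the paths from the thread (the thread's ldap settings point
# at /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt, which would be
# reported as OUTSIDE_CONFIG until it is moved):
#   check_cert_file nwra_ad_ipa_ca.crt "$OPENSEARCH_CONFIG/opensearch.yml"
#   check_cert_file /etc/pki/ca-trust/source/anchors/ad.nwra.com.crt \
#                   "$OPENSEARCH_CONFIG/opensearch.yml"
```

Run it as the user the OpenSearch service runs under, since readability is evaluated for the caller. An OUTSIDE_CONFIG or OWNER_MISMATCH finding is exactly the condition the reply above describes; copying the file into the config folder and matching its ownership to the other files there clears both.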

That did the trick, thanks! Any idea why I’m not getting any security plugin logging? It seems like if I had that it would have been much more obvious where to look to fix this myself.

@opoplawski In this case TRACE logging wouldn't be helpful. I suspect that the security plugin had a permissions issue with that cert file. This should be reported in the OpenSearch logs as an error during the OpenSearch startup.

That’s the thing - I cannot find any output from the security plugin in opensearch.log or the journal.

I suspect this is the source of my missing logging:

[2022-05-05T11:33:11,898][WARN ][stderr                   ] [os-sea01.nwra.com] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
[2022-05-05T11:33:11,899][WARN ][stderr                   ] [os-sea01.nwra.com] SLF4J: Defaulting to no-operation (NOP) logger implementation
[2022-05-05T11:33:11,899][WARN ][stderr                   ] [os-sea01.nwra.com] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

Also reported here: Log4j err Failed to load class "org.slf4j.impl.StaticLoggerBinder"