Connecting to Active Directory

Hello

I'm trying to configure OpenSearch for Active Directory LDAP, but I'm having issues with the backend_roles being correctly linked.

What config files are needed so I can post them?

Thank you

@riahc3 Please send the output of the below command:

curl --insecure -u <LDAP_user>:admin https://<OpenSearch_FQDN_or_IP>:9200/_plugins/_security/authinfo?pretty

What is “LDAP_user”? The user I'm trying to authenticate, the user I am using as a service account to connect, etc.?

I'll put both:

root@serverofwazuh:~# curl --insecure -u serviceaccount:password https://127.0.0.1:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=serviceaccount, backend_roles=[], requestedTenant=null]",
  "user_name" : "serviceaccount",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:38996",
  "backend_roles" : [ ],
  "custom_attribute_names" : [
    "attr.ldap.primaryGroupID",
    "attr.ldap.objectGUID",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.countryCode",
    "attr.ldap.instanceType",
    "attr.ldap.sAMAccountName",
    "attr.ldap.userPrincipalName",
    "attr.ldap.whenChanged",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.pwdLastSet",
    "attr.ldap.lastLogonTimestamp"
  ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "serviceaccount" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
root@serverofwazuh:~#
root@serverofwazuh:~# curl --insecure -u adminuser:'password!25' https://127.0.0.1:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=adminuser, backend_roles=[], requestedTenant=null]",
  "user_name" : "adminuser",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:53034",
  "backend_roles" : [ ],
  "custom_attribute_names" : [
    "attr.ldap.primaryGroupID",
    "attr.ldap.lastLogon",
    "attr.ldap.logonCount",
    "attr.ldap.badPwdCount",
    "attr.ldap.objectGUID",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.lastLogoff",
    "attr.ldap.countryCode",
    "attr.ldap.logonHours",
    "attr.ldap.instanceType",
    "attr.ldap.sAMAccountName",
    "attr.ldap.protocolSettings",
    "attr.ldap.userPrincipalName",
    "attr.ldap.whenChanged",
    "attr.ldap.msDS-FailedInteractiveLogonCount",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "attr.ldap.msDS-LastFailedInteractiveLogonTime",
    "attr.ldap.msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.lockoutTime",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.msDS-SupportedEncryptionTypes",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.pwdLastSet",
    "attr.ldap.msExchUserAccountControl",
    "attr.ldap.sn",
    "attr.ldap.mDBUseDefaults",
    "attr.ldap.adminCount",
    "attr.ldap.msDS-LastSuccessfulInteractiveLogonTime",
    "attr.ldap.lastLogonTimestamp"
  ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "adminuser" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
root@serverofwazuh:~#

I doubt it has ANYTHING to do with it, but for my LDAP admin user I did have to put it in quotes since the password has a “!”. It shouldn't matter because I can log in.

@riahc3 The curl response shows backend_roles empty. Your OpenSearch security plugin doesn’t pull LDAP groups from AD.
Could you validate your rolebase DN value?
Try testing it with the ldapsearch tool.

Also, http_enabled is set to false in authz.

Yes, I already posted this in messages before:

My rolebase needs to point to the OU, correct?

I ran this command:

ldapsearch -x -H ldaps://domaincontroller.company.local:636 -D "CN=WazuhSVC,OU=Servicios,OU=company - Usuarios,DC=company,DC=local" -w "password" -b "OU=company - Grupos,DC=company,DC=local" "(objectClass=group)" cn | awk '/^cn: / {sub(/^cn: /, ""); print}'

And it shows me the correct group, so it's not a service binding issue or anything of that sort.

You need to change that to true.
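
As an added example (not a file posted in this thread and not OpenSearch's own sample config), this is what the authz block of the security plugin's config.yml looks like with that fix applied; the host, bind DN and rolebase are the values from the ldapsearch command above, while the password and userbase are assumed placeholders:

```yaml
# config.yml (security plugin): the authz domain that turns AD group
# membership into backend_roles. Host, bind DN and rolebase are taken from
# the ldapsearch command in this thread; password and userbase are assumptions.
config:
  dynamic:
    authz:
      ldap:
        description: "Resolve AD group membership into backend_roles"
        http_enabled: true        # was false: REST logins returned backend_roles=[]
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            verify_hostnames: true
            hosts:
              - domaincontroller.company.local:636
            bind_dn: "CN=WazuhSVC,OU=Servicios,OU=company - Usuarios,DC=company,DC=local"
            password: "<service-account-password>"                # placeholder
            userbase: "OU=company - Usuarios,DC=company,DC=local"  # assumption
            usersearch: "(sAMAccountName={0})"
            # Groups live in their own OU, so rolebase must point at the
            # groups container (the same base the ldapsearch above queried).
            rolebase: "OU=company - Grupos,DC=company,DC=local"
            rolesearch: "(member={0})"      # {0} is the authenticated user's DN
            userrolename: memberOf
            rolename: cn                    # the group CN becomes the backend role
            resolve_nested_roles: true      # follow nested AD group membership
```

Push the change with securityadmin.sh and rerun the authinfo curl from earlier in the thread; backend_roles should then list the AD groups instead of [].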

Do you accept blowjobs?

I've been 5-7 days with this... And it was just that line...

Thank you

@riahc3 I’m glad it worked.
