Error when enable LDAP on opensearch 2.5

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5.0

Describe the issue:
Hi Guys, i’m new on opensearch and i try to enable ldap auth for my opensearch
i deploy the opensearch to kubernetes with helm and follow documentation

Configuration:
here my values.yaml

clusterName: "opensearch-cluster"
nodeGroup: "master"

# If discovery.type in the opensearch configuration is set to "single-node",
# this should be set to "true"
# If "true", replicas will be forced to 1
singleNode: false

# The service that non master groups will try to connect to when joining the cluster
# This should be set to clusterName + "-" + nodeGroup for your master group
masterService: "opensearch-cluster-master"

# OpenSearch roles that will be applied to this nodeGroup
# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client
roles:
  - master
  - ingest
  - data
  - remote_cluster_client

replicas: 3

# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion.
majorVersion: ""

global:
  # Set if you want to change the default docker registry, e.g. a private one.
  dockerRegistry: ""

# Allows you to add any config files in {{ .Values.opensearchHome }}/config
opensearchHome: /usr/share/opensearch
# such as opensearch.yml and log4j2.properties
config:
  # Values must be YAML literal style scalar / YAML multiline string.
  # <filename>: |
  #   <formatted-value(s)>
  # log4j2.properties: |
  #   status = error
  #
  #   appender.console.type = Console
  #   appender.console.name = console
  #   appender.console.layout.type = PatternLayout
  #   appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
  #
  #   rootLogger.level = info
  #   rootLogger.appenderRef.console.ref = console
  opensearch.yml: |
    cluster.name: opensearch-cluster
    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0
    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node
    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: esnode.pem
            pemkey_filepath: esnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: esnode.pem
            pemkey_filepath: esnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authc:
          ldap:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: ldap
              config:
                enable_ssl: true
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                hosts:
                  - ldap.ajif.com:636
                truststore_path: "/usr/share/opensearch/config/ldap.crt"
                bind_dn: uid=ajif,ou=Special Accounts,dc=ajitest,dc=com
                password: Pejaten13
                users:
                  primary-userbase:
                     base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                     search: '(uid={0})'
                  secondary-userbase:
                     base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                     search: '(uid={0})'
                username_attribute: uid
        authz:
          ldap:
            http_enabled: true
            transport_enabled: true
            authorization_backend:
              type: ldap
              config:
                enable_ssl: true
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                hosts:
                  - ldap.ajif.com:636
                bind_dn: uid=ajif,ou=Special Accounts,dc=ajitest,dc=com
                password: password
                truststore_path: "/usr/share/opensearch/config/ldap.crt"
                users:
                  primary-userbase:
                     base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                     search: '(uid={0})'
                  secondary-userbase:
                     base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                     search: '(uid={0})'
                username_attribute: uid
                roles:
                  primary-rolebase:
                    base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                    search: '(uid={0})'
                  secondary-rolebase:
                    base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
                    search: '(uid={0})'
                  userrolename: none
                  rolename: cn
                  resolve_nested_roles: true
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]
    ######## End OpenSearch Security Demo Configuration ########
  # log4j2.properties:

# Extra environment variables to append to this nodeGroup
# This will be appended to the current 'env:' key. You can use any of the kubernetes env
# syntax here
extraEnvs: []
#  - name: MY_ENVIRONMENT_VAR
#    value: the_value_goes_here

# Allows you to load environment variables from kubernetes secret or config map
envFrom: []
# - secretRef:
#     name: env-secret
# - configMapRef:
#     name: config-map

# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security and for mounting
# the X-Pack license
secretMounts: []

hostAliases: []
# - ip: "127.0.0.1"
#   hostnames:
#   - "foo.local"
#   - "bar.local"

image:
  repository: "opensearchproject/opensearch"
  # override image tag, which is .Chart.AppVersion by default
  tag: ""
  pullPolicy: "IfNotPresent"

podAnnotations: {}
  # iam.amazonaws.com/role: es-cluster

# additionals labels
labels: {}

opensearchJavaOpts: "-Xmx512M -Xms512M"

resources:
  requests:
    cpu: "1000m"
    memory: "100Mi"

initResources: {}
#  limits:
#     cpu: "25m"
#     memory: "128Mi"
#  requests:
#     cpu: "25m"
#     memory: "128Mi"

sidecarResources: {}
#   limits:
#     cpu: "25m"
#     memory: "128Mi"
#   requests:
#     cpu: "25m"
#     memory: "128Mi"

networkHost: "0.0.0.0"

rbac:
  create: false
  serviceAccountAnnotations: {}
  serviceAccountName: ""

podSecurityPolicy:
  create: false
  name: ""
  spec:
    privileged: true
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - secret
      - configMap
      - persistentVolumeClaim
      - emptyDir

persistence:
  enabled: true
  # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk.
  enableInitChown: true
  # override image, which is busybox by default
  # image: busybox
  # override image tag, which is latest by default
  # imageTag:
  labels:
    # Add default labels for the volumeClaimTemplate of the StatefulSet
    enabled: false
  # OpenSearch Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  #   set, choosing the default provisioner.  (gp2 on AWS, standard on
  #   GKE, AWS & OpenStack)
  #
  storageClass: gp2
  accessModes:
    - ReadWriteOnce
  size: 30Gi
  annotations: {}

extraVolumes: []
  # - name: extras
  #   emptyDir: {}

extraVolumeMounts: []
  # - name: extras
  #   mountPath: /usr/share/extras
  #   readOnly: true

extraContainers: []
  # - name: do-something
  #   image: busybox
  #   command: ['do', 'something']

extraInitContainers: []
  # - name: do-somethings
  #   image: busybox
  #   command: ['do', 'something']

# This is the PriorityClass settings as defined in
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""

# By default this will make sure two pods don't end up on the same node
# Changing this to a region would allow you to spread pods across regions

# Hard means that by default pods will only be scheduled if there are enough nodes for them
# and that they will never end up on the same node. Setting this to soft will do this "best effort"
antiAffinity: "soft"

# This is the node affinity settings as defined in
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
nodeAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:
    nodeSelectorTerms:
      - matchExpressions:
          - key: env
            operator: In
            values:
              - opensearch

# This is the pod topology spread constraints
# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []

# The default is to deploy all pods serially. By setting this to parallel all pods are started at
# the same time when bootstrapping the cluster
podManagementPolicy: "Parallel"

# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when
# there are many services in the current namespace.
# If you experience slow pod startups you probably want to set this to `false`.
enableServiceLinks: true

protocol: https
httpPort: 9200
transportPort: 9300
httpHostPort: ""
transportHostPort: ""

service:
  labels: {}
  labelsHeadless: {}
  headless:
    annotations: {}
  type: ClusterIP
  nodePort: ""
  annotations: {}
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

updateStrategy: RollingUpdate

# This is the max unavailable setting for the pod disruption budget
# The default value of 1 will make sure that kubernetes won't allow more than 1
# of your pods to be unavailable during maintenance
maxUnavailable: 1

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
terminationGracePeriod: 120

sysctlVmMaxMapCount: 262144

startupProbe:
  tcpSocket:
    port: 9200
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  failureThreshold: 30

livenessProbe: {}
  # periodSeconds: 20
  # timeoutSeconds: 5
  # failureThreshold: 10
  # successThreshold: 1
  # initialDelaySeconds: 10
  # tcpSocket:
  #   port: 9200

readinessProbe:
  tcpSocket:
    port: 9200
  periodSeconds: 5
  timeoutSeconds: 3
  failureThreshold: 3

## Use an alternate scheduler.
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""

imagePullSecrets: []
nodeSelector:
  env: opensearch
tolerations: {}

# Enabling this will publically expose your OpenSearch instance.
# Only enable this if you have security enabled on your cluster
ingress:
  enabled: false
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  # ingressClassName: nginx

  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - chart-example.local
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

nameOverride: ""
fullnameOverride: ""

masterTerminationFix: false

lifecycle: {}
  # preStop:
  #   exec:
  #     command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
  # postStart:
  #   exec:
  #     command:
  #       - bash
  #       - -c
  #       - |
  #         #!/bin/bash
  #         # Add a template to adjust number of shards/replicas1
  #         TEMPLATE_NAME=my_template
  #         INDEX_PATTERN="logstash-*"
  #         SHARD_COUNT=8
  #         REPLICA_COUNT=1
  #         ES_URL=http://localhost:9200
  #         while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done
  #         curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'

keystore: []
# To add secrets to the keystore:
#  - secretName: opensearch-encryption-key

networkPolicy:
  create: false
  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  ## In order for a Pod to access OpenSearch, it needs to have the following label:
  ## {{ template "uname" . }}-client: "true"
  ## Example for default configuration to access HTTP port:
  ## opensearch-master-http-client: "true"
  ## Example for default configuration to access transport port:
  ## opensearch-master-transport-client: "true"

  http:
    enabled: false

# Deprecated
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
  enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
  enabled: true
  # override image, which is busybox by default
  # image: busybox
  # override image tag, which is latest by default
  # imageTag:

## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.

# -- Array of extra K8s manifests to deploy
extraObjects: []
  # - apiVersion: secrets-store.csi.x-k8s.io/v1
  #   kind: SecretProviderClass
  #   metadata:
  #     name: argocd-secrets-store
  #   spec:
  #     provider: aws
  #     parameters:
  #       objects: |
  #         - objectName: "argocd"
  #           objectType: "secretsmanager"
  #           jmesPath:
  #               - path: "client_id"
  #                 objectAlias: "client_id"
  #               - path: "client_secret"
  #                 objectAlias: "client_secret"
  #     secretObjects:
  #     - data:
  #       - key: client_id
  #         objectName: client_id
  #       - key: client_secret
  #         objectName: client_secret
  #       secretName: argocd-secrets-store
  #       type: Opaque
  #       labels:
  #         app.kubernetes.io/part-of: argocd

Relevant Logs or Screenshots:

unknown setting [plugins.security.authz.ldap.authorization_backend.config.roles.primary-rolebase.search] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
unknown setting [plugins.security.authz.ldap.authorization_backend.config.roles.primary-rolebase.search] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
unknown setting [plugins.security.authz.ldap.authorization_backend.config.bind_dn] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
unknown setting [plugins.security.authc.ldap.authentication_backend.config.enable_ssl] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
unknown setting [plugins.security.authz.ldap.authorization_backend.config.enable_ssl_client_auth] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
unknown setting [plugins.security.authz.ldap.authorization_backend.config.roles.secondary-rolebase.search] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

@ajif You’ve placed the LDAP configuration in the opensearch.yml file section. It should be here.

updated configuration, already remove on opensearch.yml but got this error

2023-02-20T01:30:25,162][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,168][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,172][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,177][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,661][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,663][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,665][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,668][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,163][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,167][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,169][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,172][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:32,300][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-cluster-master-0] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)

my updated configuration
values.yaml

securityconfig:
  enable: true
  authc:
    ldap:
      http_enabled: true
      transport_enabled: true
      order: 1
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        type: ldap
        config:
          enable_ssl: true
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: true
          hosts:
            - ldap.ajif.com:636
          truststore_path: "/usr/share/opensearch/config/ldap.crt"
          bind_dn: uid=ajif ,ou=Special Accounts,dc=ajif,dc=com
          password: passwordx
          users:
            primary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
            secondary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
          username_attribute: uid
  authz:
    ldap:
      http_enabled: true
      transport_enabled: true
      authorization_backend:
        type: ldap
        config:
          enable_ssl: true
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: true
          hosts:
            - ldap.ajif.com:636
          bind_dn: uid=ajif,ou=Special Accounts,dc=ajif,dc=com
          password: passwordx
          truststore_path: "/usr/share/opensearch/config/ldap.crt"
          users:
            primary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
            secondary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
          username_attribute: uid
          roles:
            primary-rolebase:
              base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
              search: '(uid={0})'
            secondary-rolebase:
              base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
              search: '(uid={0})'
            userrolename: none
            rolename: cn
            resolve_nested_roles: true

updated configuration but still got error

[2023-02-20T01:30:25,162][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,168][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,172][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:25,177][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,661][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,663][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,665][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:27,668][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,163][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,167][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,169][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:30,172][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-02-20T01:30:32,300][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-cluster-master-0] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)

here my configuration

securityconfig:
  enable: true
  authc:
    ldap:
      http_enabled: true
      transport_enabled: true
      order: 1
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        type: ldap
        config:
          enable_ssl: true
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: true
          hosts:
            - ldap.ajif.com:636
          truststore_path: "/usr/share/opensearch/config/ldap.crt"
          bind_dn: uid=ajif ,ou=Special Accounts,dc=ajif,dc=com
          password: passwordx
          users:
            primary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
            secondary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
          username_attribute: uid
  authz:
    ldap:
      http_enabled: true
      transport_enabled: true
      authorization_backend:
        type: ldap
        config:
          enable_ssl: true
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: true
          hosts:
            - ldap.ajif.com:636
          bind_dn: uid=ajif,ou=Special Accounts,dc=ajif,dc=com
          password: passwordx
          truststore_path: "/usr/share/opensearch/config/ldap.crt"
          users:
            primary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
            secondary-userbase:
               base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
               search: '(uid={0})'
          username_attribute: uid
          roles:
            primary-rolebase:
              base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
              search: '(uid={0})'
            secondary-rolebase:
              base: 'ou=ajitest,ou=Accounts,dc=ajitest,dc=com'
              search: '(uid={0})'
            userrolename: none
            rolename: cn
            resolve_nested_roles: true

Can you post your values.yaml after having removed the confs that should have been inside your config.yml pls? Also how are you sending your certificates to the master nodes (secretMount or extraVolume/extraVolumeMount, …)?

This is is what I did:

created a secret “truststore” containing my truststore.jks

then I created a secretMount for my truststore:

secretMounts:

  • name: truststore
    secretName: truststore
    path: /usr/share/opensearch/config/truststore

Edited my values.yml

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
        truststore_filepath: truststore/truststore.jks
        truststore_password: <password>
        truststore_alias: <alias>
        enforce_hostname_verification: false

also had to change my config.yml and specify the right configurations for it to work

@ajif If you take a look at the section I pointed out in my last update, you’ll see two options.
First is to use securityConfig.securityConfigSecret: option where need to provide the name of the secret with the security config.

  # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it.

The second is pasting the config under the securityConfig.data

    data: {}
      # config.yml: |-