How to set up LDAP authentication when deploying with helm charts

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch-dashboards 2.11.0
helm charts 2.14.0

Describe the issue:
We’re deploying Opensearch-dashboards with Helm charts, and I want to add configuration for LDAP authentication.

I found instructions for setting up LDAP authentication, where it says to update the file config/opensearch-security/config.yml

And in this other thread I found how to specify/modify yaml files within the helm values.yaml

However, the config.yaml I manage to generate is in the wrong(?) directory
config/config.yml

Is there a way via Helm to create the opensearch-security folder and put the config.yaml there?

An extra question: the config.yaml includes the LDAP bind_dn and the password. I'd rather not put the clear text password in the file. What would be a way to refer to an ENV var that is loaded from a K8s secret?

Configuration:

Helm values.yaml, including

config: 
  config.yaml: |-
    ---
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 4
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          ldap:
            description: "Authenticate via LDAP or Active Directory"
            http_enabled: false
            ....
            hosts:
              - ldaps://ad.example.com
            bind_dn: 'CN=service-account,,OU=Users,DC=example,DC=com'
            password: 'doNotPutClearTextPasswordHere'

Relevant Logs or Screenshots:

I tried to access the AD LDAP logs, but I could not find them. It seems to be a separate question how to activate these logs for opensearch-dashboard.

Hi @Julio,

Your config seems to be placed in the right place (I mean in the Helm values.yaml), you could run the below and check if it has been applied as expected:

curl --insecure -u admin:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/securityconfig?pretty

Have you tried using ENV variables? You can see a similar case here.

best,
mj

Thanks for the advice. I could not try the curl command because the ingress and service are not set up for the API endpoint. I get a Bad Gateway, I’ll try if I can make it work.

About the ENV var, I tried as you suggested. I had ${AUTH_LDAP_PASSWORD} before, I did not know the right syntax.

Anyway, all I can see now in the logs is just

{"type":"log","@timestamp":"2024-10-03T16:42:20Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed authentication: Error: Authentication Exception"}

and a 401 response.

Regards, Julio

Hi,

I think I got it wrong, I’m trying to provide the LDAP authentication setup (config.yaml) on the opensearch-dashboards deployment, but I think that shall be provided for the opensearch deployment, or?

That is correct, setup for OpenSearch.
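
An added example, not taken from the thread or from the chart's own documentation, of where the thread ends up: the security config.yml supplied through the values of the OpenSearch chart, with the bind password read from a Kubernetes Secret instead of written in the file. Assumptions: the chart keys `extraEnvs` and `securityConfig.config.data` / `dataComplete`, the security plugin's `${env.NAME}` substitution, the hypothetical Secret name `ldap-bind`, and the constructed DN and search values.

```yaml
# values.yaml for the OpenSearch chart (not the Dashboards chart).
# Assumed to exist already (hypothetical name): Secret "ldap-bind" with key "password".
extraEnvs:
  - name: AUTH_LDAP_PASSWORD
    valueFrom:
      secretKeyRef:
        name: ldap-bind
        key: password
securityConfig:
  enabled: true
  config:
    dataComplete: false   # assumption: supply only config.yml, keep the other default files
    data:
      config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: false
            authc:
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: true
                transport_enabled: true
                order: 4
                http_authenticator:
                  type: basic
                  challenge: true
                authentication_backend:
                  type: intern
              ldap:
                description: "Authenticate via LDAP or Active Directory"
                http_enabled: true          # a domain with http_enabled: false is never consulted
                transport_enabled: true
                order: 5
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: ldap
                  config:
                    hosts:
                      - ldaps://ad.example.com
                    bind_dn: 'CN=service-account,OU=Users,DC=example,DC=com'  # constructed
                    password: '${env.AUTH_LDAP_PASSWORD}'  # resolved from the pod environment
                    userbase: 'OU=Users,DC=example,DC=com'  # constructed
                    usersearch: '(sAMAccountName={0})'      # constructed
```

The files under opensearch-security are only loaded into the security index when it is first initialized. On an existing cluster the change has to be pushed with securityadmin.sh, and the securityconfig API call shown earlier in the thread confirms what is active.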