How to use Kerberos keytab for LDAP bind in OpenSearch Security without enabling full Kerberos authentication?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OpenSearch v3.3.1; OpenSearch Dashboards 3.3.0; OS SLES 15; browser Google Chrome

Describe the issue:

Hello everyone,

I’m trying to configure OpenSearch Security so that the cluster can query Active Directory without using a service account (bind DN + password).
I want OpenSearch to authenticate to AD using a Kerberos keytab via SASL/GSSAPI, but I do not want to enable Kerberos/Negotiate authentication for end-users in OpenSearch Dashboards.

My environment

  • OpenSearch cluster: 3 nodes
  • OpenSearch Security plugin
  • Active Directory domain
  • A Kerberos host principal is already created in AD: HTTP/es.example.com@EXAMPLE.COM
  • A matching .keytab is installed on the nodes.
  • ldapsearch -Y GSSAPI works from the OS level (or at least I’m trying to make it work).
  • I do not want user SSO, SPNEGO, or Kerberos login in Dashboards.
  • Dashboards is behind Nginx (reverse proxy), but Nginx should not perform Kerberos authentication.

I want OpenSearch Security to:

  • continue using basic authentication for users (username/password),
  • but when it needs to contact AD (to resolve users and groups), instead of using:

bind_dn: "CN=<name>,OU=Service Accounts,…"
password: "****"

I want it to perform Kerberos/GSSAPI LDAP bind using the keytab on the host.

The main problem

I cannot find any documentation or real examples showing that OpenSearch Security LDAP backend supports:

  • Kerberos / GSSAPI bind
  • SASL bind
  • LDAP + keytab (via host principal)

All official articles only describe Kerberos for HTTP/SPNEGO — full SSO for users, which is not my goal.

Even Search Guard and Elastic forum posts describe only user authentication, not LDAP backend GSSAPI bind.

Configuration:

I already configured everything according to the official OpenSearch Kerberos documentation:

plugins.security.kerberos.krb5_filepath: 'krb5.conf'
plugins.security.kerberos.acceptor_keytab_filepath: 'krb5.keytab'
plugins.security.kerberos.acceptor_principal: 'HTTP/SAPINFTSTOSN01@<domain_name>'

config.yml (authc section)

authc:
  kerberos_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 2
    http_authenticator:
      type: kerberos
      challenge: true
      config:
        krb_debug: true
        strip_realm_from_principal: true
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: internal

@Pan-Vad Just to be clear, are you looking for basic authentication through OpenSearch Dashboards and LDAP authorization in OpenSearch with Kerberos authentication instead of LDAP bind? Is that correct?

No, I wanted the LDAP synchronization with Active Directory to happen not using credentials but using a Kerberos ticket. That is, in the config.yml file, to specify the Kerberos key instead of credentials in the fields "bind_dn:" and "password:".
Is that even possible?

@Pan-Vad Unfortunately it is not possible. Current LDAP authentication requires bind_dn as part of the configuration. The expected value is the DN of the privileged account.
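For reference, this is what the LDAP authorization backend the reply refers to looks like in config.yml when it binds with the required bind_dn over LDAPS; it is an added example, not configuration from the thread or from the OpenSearch project, and every host, DN, path and the password value are placeholders.

```yaml
authz:
  roles_from_ad:
    description: "Resolve AD group membership with a dedicated read-only bind account"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        # Bind over LDAPS (636) and validate the domain controller certificate,
        # so the bind password never travels over a plaintext 389 connection.
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        pemtrustedcas_filepath: /etc/opensearch/ad-root-ca.pem   # placeholder path
        hosts:
          - dc1.example.com:636     # placeholder domain controllers
          - dc2.example.com:636
        # bind_dn is mandatory (see the reply above); point it at an account
        # that can only read user and group objects, nothing more.
        bind_dn: "CN=svc-opensearch-ldap,OU=Service Accounts,DC=example,DC=com"
        password: "<replace-with-service-account-password>"
        userbase: "OU=Users,DC=example,DC=com"
        usersearch: "(sAMAccountName={0})"
        username_attribute: sAMAccountName
        rolebase: "OU=Groups,DC=example,DC=com"
        rolesearch: "(member={0})"
        userroleattribute: memberOf
        userrolename: memberOf
        rolename: cn
        resolve_nested_roles: true
        # Internal users that should never be looked up in AD.
        skip_users:
          - kibanaserver
```

Because the bind password sits in config.yml in clear text, keep the file readable only by the opensearch user and give the bind account no rights beyond directory reads.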