I am using the opendistro-security-22.214.171.124 plugin for the first time. I just want to use it to connect to my ldap server, but I don’t know what minimum configurations I need to make it work without SSL connections, could someone tell me the steps to configure the plugin for kibana and elasticsearch and not have to use certificates through TLS layer?
I recall the documentation being pretty good (and it have improved since I did my ldap configuration) Active Directory and LDAP - Open Distro Documentation . Configuring Open Distro to work with LDAP is 90% about understanding how LDAP works. Also Kibana does not care that you are using LDAP only Elasticsearch care.
Some other things that is good to understand (keep in mind) is the difference between “backend-roles” and “roles” and also the difference between authz and authc
@jessualuq See example below with basic configuration for ldap (in this case I have my users in branch “Users” and roles is branch “GroupsNew” it extracts the relevant backend roles, which are then mapped to correct security roles in security index)
description: "Authenticate via HTTP Basic against internal users database"
description: "Authenticate via LDAP or Active Directory"
description: "Authorize via LDAP or Active Directory"
You can run ldapsearch tool against ldap server from one of the nodes to ensure it works as expected, command below might be a good starting point:
ldapsearch -H ldap://<ldap_ip> -D <bind_dn> -W -b "cn=Users,dc=local,dc=local" "(sAMAccountName=<user_in_question>)"
Thank you very much for your answers, they have been very useful, but it does not solve the question completely.
My question is if I can just use the security plugin to connect to my ldap server, I only need it for this but lifting the container returns this to me:
"org.elasticsearch.ElasticsearchException: opendistro_security.ssl.transport.keystore_filepath or opendistro_security.ssl.transport.server.pemcert_filepath and opendistro_security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.
I have added in elasticsearch.yml the option:
“open distro security.ssl.http.enabled: false”
but it doesn’t seem to work, is there any way to disable transport layer and REST layer security?
The TLS on transport layer is a must, the rest is optional, see minimum config for elasticsearch.yml below:
In the above case kibana.yml file should be updated not to use https to communicate with elasticsearch.
Hope this helps