Hello,
I am using the opendistro-security-1.12.0.0 plugin for the first time. I just want to use it to connect to my LDAP server, but I don't know what minimum configuration I need to make it work without SSL connections. Could someone tell me the steps to configure the plugin for Kibana and Elasticsearch without having to use certificates on the TLS layer?
Thanks
I recall the documentation being pretty good (and it has improved since I did my LDAP configuration): Active Directory and LDAP - Open Distro Documentation. Configuring Open Distro to work with LDAP is 90% about understanding how LDAP works. Also, Kibana does not care that you are using LDAP; only Elasticsearch cares.
Some other things that are good to understand (keep in mind) are the difference between "backend roles" and "roles", and the difference between authz and authc.
1 Like
@jessualuq See the example below with a basic configuration for LDAP (in this case I have my users in the branch "Users" and roles in the branch "GroupsNew"; it extracts the relevant backend roles, which are then mapped to the correct security roles in the security index):
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:   # authc/authz domains live under config.dynamic in config.yml
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - <ldap_ip/host>
            bind_dn: <bind_dn>
            password: <password>
            userbase: 'cn=Users,dc=local,dc=local'
            username_attribute: "sAMAccountName"
            usersearch: '(sAMAccountName={0})'
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - <ldap_ip/host>
            bind_dn: <bind_dn>
            password: <password>
            rolebase: 'ou=GroupsNew,dc=local,dc=local'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            resolve_nested_roles: false
            userbase: 'cn=Users,dc=local,dc=local'
            usersearch: '(sAMAccountName={0})'
You can run the ldapsearch tool against the LDAP server from one of the nodes to ensure it works as expected; the command below might be a good starting point:
ldapsearch -H ldap://<ldap_ip> -D <bind_dn> -W -b "cn=Users,dc=local,dc=local" "(sAMAccountName=<user_in_question>)"
1 Like
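As an added illustration for this thread (not code from the post above or from the plugin): the script below simulates what the authc and authz domains in that config do with a login, against a small in-memory directory constructed here (the users alice and bob, the groups under ou=GroupsNew and the stray group under ou=Other are all invented). It substitutes {0} in usersearch with the login name and {0} in rolesearch with the user's DN, escapes the substituted value as RFC 4515 requires so a login name like "*" cannot rewrite the filter, and shows the effect of resolve_nested_roles. Using the group's cn as the backend role name is an assumption (the plugin's rolename setting controls that); the filter evaluator only understands simple (attr=value) filters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample directory for this illustration: DN -> attributes.
# Attribute names are lowercase because LDAP attribute names are case-insensitive.
# Plaintext passwords are only acceptable because this is a toy.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,cn=Users,dc=local,dc=local": {
        "samaccountname": ["alice"], "userpassword": ["s3cret"]},
    "cn=bob,cn=Users,dc=local,dc=local": {
        "samaccountname": ["bob"], "userpassword": ["hunter2"]},
    "cn=es-readers,ou=GroupsNew,dc=local,dc=local": {
        "cn": ["es-readers"],
        "member": ["cn=alice,cn=Users,dc=local,dc=local",
                   "cn=bob,cn=Users,dc=local,dc=local"]},
    "cn=es-admins,ou=GroupsNew,dc=local,dc=local": {
        "cn": ["es-admins"], "member": ["cn=alice,cn=Users,dc=local,dc=local"]},
    # Nested group: es-admins is itself a member of es-superusers.
    "cn=es-superusers,ou=GroupsNew,dc=local,dc=local": {
        "cn": ["es-superusers"],
        "member": ["cn=es-admins,ou=GroupsNew,dc=local,dc=local"]},
    # Group outside rolebase: the rolesearch must never pick it up.
    "cn=vpn-users,ou=Other,dc=local,dc=local": {
        "cn": ["vpn-users"], "member": ["cn=alice,cn=Users,dc=local,dc=local"]},
}


@dataclass(frozen=True)
class LdapDomain:
    """Mirrors the keys used in the posted config; defaults are that config's values."""
    userbase: str = "cn=Users,dc=local,dc=local"
    usersearch: str = "(sAMAccountName={0})"
    rolebase: str = "ou=GroupsNew,dc=local,dc=local"
    rolesearch: str = "(member={0})"
    rolename: str = "cn"  # assumption: group attribute used as the backend role name
    resolve_nested_roles: bool = False


CFG = LdapDomain()
CFG_NESTED = LdapDomain(resolve_nested_roles=True)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter ({0} above)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search(base: str, flt: str) -> List[str]:
    """Toy subtree search: '(attr=value)' equality only, case-insensitive match,
    entries strictly below `base`. Returns matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter in this toy: {flt}")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower())
            and wanted in (v.lower() for v in attrs.get(attr, []))]


def authenticate(cfg: LdapDomain, username: str, password: str) -> Optional[str]:
    """authc: usersearch with {0} = login name must yield exactly one entry,
    then 'bind' as that entry. Returns the user DN, or None on failure."""
    hits = search(cfg.userbase, cfg.usersearch.replace("{0}", escape_filter_value(username)))
    if len(hits) != 1:
        return None
    dn = hits[0]
    return dn if password in DIRECTORY[dn].get("userpassword", []) else None


def backend_roles(cfg: LdapDomain, user_dn: str) -> Set[str]:
    """authz: rolesearch with {0} = user DN (the real plugin also offers {1} for the
    login name and {2} for userroleattribute). With resolve_nested_roles the groups
    found are themselves looked up as members of other groups."""
    roles: Set[str] = set()
    queue, seen = [user_dn], set()
    while queue:
        member_dn = queue.pop()
        if member_dn.lower() in seen:
            continue
        seen.add(member_dn.lower())
        flt = cfg.rolesearch.replace("{0}", escape_filter_value(member_dn))
        for group_dn in search(cfg.rolebase, flt):
            roles.update(DIRECTORY[group_dn].get(cfg.rolename, []))
            if cfg.resolve_nested_roles:
                queue.append(group_dn)
    return roles


def login(cfg: LdapDomain, username: str, password: str) -> Optional[Set[str]]:
    """Full flow: authc then authz; None means the login was rejected."""
    dn = authenticate(cfg, username, password)
    return None if dn is None else backend_roles(cfg, dn)


if __name__ == "__main__":
    for name, pw in [("alice", "s3cret"), ("bob", "hunter2"), ("alice", "wrong"), ("*", "s3cret")]:
        print(f"{name!r} -> {login(CFG_NESTED, name, pw)}")
```

The backend roles returned here are what the security index's role mapping then turns into security roles; the vpn-users group never appears because rolebase limits the search, and "*" is rejected because the escaped value matches no sAMAccountName.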
Thank you very much for your answers; they have been very useful, but they do not solve the question completely.
My question is whether I can just use the security plugin to connect to my LDAP server. I only need it for this, but starting the container gives me this:
"org.elasticsearch.ElasticsearchException: opendistro_security.ssl.transport.keystore_filepath or opendistro_security.ssl.transport.server.pemcert_filepath and opendistro_security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested."
I have added the option
"opendistro_security.ssl.http.enabled: false"
to elasticsearch.yml, but it doesn't seem to work. Is there any way to disable transport layer and REST layer security?
@jessualuq
TLS on the transport layer is a must; the REST layer is optional. See the minimum config for elasticsearch.yml below:
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: false
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=node,O=node,L=test,DC=de
opendistro_security.nodes_dn:
  - "CN=node*.example.com,OU=node,O=node,L=test,DC=de"
opendistro_security.restapi.roles_enabled: ["all_access"]
In the above case, the kibana.yml file should be updated not to use https to communicate with Elasticsearch.
Hope this helps
1 Like
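As an added check for this thread (written for this page; not the plugin's code and not from the reply above): the script below parses the flat elasticsearch.yml fragment shown in that reply and tests it against the rule behind the startup error quoted earlier in the thread, namely that transport TLS cannot be turned off (a transport keystore, or the PEM cert, key and trusted-CA trio, must be present) while REST TLS is optional. It also reports which URL scheme kibana.yml must use and flags the weakened settings. Both sample configs are constructed here; the parser only handles the "dotted.key: value", "key: [a, b]" and "- item" lines used in such fragments, and treating a missing opendistro_security.ssl.http.enabled as "off" is an assumption.

```python
from typing import Dict, List, Union

TRANSPORT_KEYSTORE = "opendistro_security.ssl.transport.keystore_filepath"
REQUIRED_TRANSPORT_PEM = (
    "opendistro_security.ssl.transport.pemcert_filepath",
    "opendistro_security.ssl.transport.pemkey_filepath",
    "opendistro_security.ssl.transport.pemtrustedcas_filepath",
)
HTTP_TLS = "opendistro_security.ssl.http.enabled"
HOSTNAME_VERIFY = "opendistro_security.ssl.transport.enforce_hostname_verification"

# Constructed sample 1: the minimum config from the reply above.
MINIMAL_OK = """\
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: false
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=node,O=node,L=test,DC=de
opendistro_security.nodes_dn:
  - "CN=node*.example.com,OU=node,O=node,L=test,DC=de"
opendistro_security.restapi.roles_enabled: ["all_access"]
"""

# Constructed sample 2: what the question tried, REST TLS off and nothing for transport.
BROKEN = """\
# only the REST layer is touched here
opendistro_security.ssl.http.enabled: false
"""

Settings = Dict[str, Union[str, List[str]]]


def parse_flat_yaml(text: str) -> Settings:
    """Parse the flat YAML subset used in elasticsearch.yml. Not a general YAML parser."""
    settings: Settings = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("- ") and current_list is not None:
            settings[current_list].append(line[2:].strip().strip('"'))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":                       # block list follows on the next lines
            settings[key] = []
            current_list = key
        elif value.startswith("[") and value.endswith("]"):  # inline list
            settings[key] = [v.strip().strip('"') for v in value[1:-1].split(",") if v.strip()]
            current_list = None
        else:
            settings[key] = value.strip('"')
            current_list = None
    return settings


def check_security_settings(settings: Settings) -> dict:
    """Return {'ok', 'kibana_scheme', 'findings'}; ok is False only for settings
    the plugin refuses to start with (the transport TLS rule from the error above)."""
    findings = []
    missing = [k for k in REQUIRED_TRANSPORT_PEM if k not in settings]
    if TRANSPORT_KEYSTORE not in settings and missing:
        findings.append("FAIL: transport TLS cannot be disabled; set " + TRANSPORT_KEYSTORE
                        + " or all of: " + ", ".join(missing))
    # Assumption: REST TLS is off unless the key says true (set it explicitly).
    http_tls = str(settings.get(HTTP_TLS, "false")).lower() == "true"
    scheme = "https" if http_tls else "http"
    findings.append(f"INFO: REST TLS {'on' if http_tls else 'off'}; kibana.yml "
                    f"elasticsearch.hosts must use {scheme}://")
    if str(settings.get(HOSTNAME_VERIFY, "true")).lower() == "false":
        findings.append("WARN: transport hostname verification is off; node identity "
                        "rests on the trusted CA and nodes_dn only")
    if not settings.get("opendistro_security.authcz.admin_dn"):
        findings.append("WARN: authcz.admin_dn not set; securityadmin.sh needs an admin cert DN")
    if not settings.get("opendistro_security.nodes_dn"):
        findings.append("WARN: nodes_dn not set; it lists the subject DNs accepted as cluster nodes")
    return {"ok": not any(f.startswith("FAIL") for f in findings),
            "kibana_scheme": scheme, "findings": findings}


if __name__ == "__main__":
    for label, text in (("minimal", MINIMAL_OK), ("broken", BROKEN)):
        result = check_security_settings(parse_flat_yaml(text))
        print(label, "ok" if result["ok"] else "REJECTED")
        for f in result["findings"]:
            print("  ", f)
```

Run against the two samples it accepts the minimum config (with warnings about hostname verification) and rejects the http-only attempt with the same missing-transport-certificate complaint the plugin raised.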