Integration with Elastic + LDAP

Hi everyone,

I’m having some issues integrating the Security plugin with Elasticsearch (non-OSS version), and wonder if anyone has some ideas.

I’m using the latest version available for the plugins and Elastic 7.10.2.

xpack.security.enabled: false
opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/tlstool/tools/out/node1.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/tlstool/tools/out/node1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/tlstool/tools/out/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/tlstool/tools/out/node1.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/tlstool/tools/out/node1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/tlstool/tools/out/root-ca.pem
opendistro_security.ssl.transport.truststore_filepath: cacerts
opendistro_security.ssl.transport.truststore_password: changeit
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- CN=admin,OU=Ops,O=OP,DC=mydomain,DC=com
opendistro_security.nodes_dn:
- CN=hz-acc-elk02.mydomain.com,OU=Ops,O=OP,DC=mydomain,DC=com
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "kibanaserver", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
cluster.routing.allocation.disk.threshold_enabled: false

Added options in kibana.yml:

elasticsearch.hosts: ["https://hz-acc-elk02.mydomain.com:9200"]
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
elasticsearch.ssl.certificate: /etc/kibana/node1.pem
elasticsearch.ssl.key: /etc/kibana/node1.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/root-ca.pem" ]
xpack.security.enabled: false

When I try to access Kibana in the browser, it returns the error:

{"statusCode":401,"error":"Unauthorized","message":"Response Error"}

# curl -XGET https://hz-acc-elk02.mydomain.com:9200/ --cacert /etc/elasticsearch/tlstool/tools/out/root-ca.pem -u admin:admin
{
  "name" : "hz-acc-elk02.mydomain.com",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "3XI885ALRhWWmloews-_qg",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

In the Kibana logs, I see the following:

May 10 11:02:15 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"log","@timestamp":"2021-05-10T09:02:15Z","tags":["error","elasticsearch","data"],"pid":197789,"message":"[ResponseError]: Response Error"}
May 10 11:02:15 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"log","@timestamp":"2021-05-10T09:02:15Z","tags":["error","plugins","spaces"],"pid":197789,"message":"Unable to navigate to space \"default\". ResponseError: Response Error"}
May 10 11:02:15 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"response","@timestamp":"2021-05-10T09:02:15Z","tags":[],"pid":197789,"method":"get","statusCode":401,"req":{"url":"/app/login?nextUrl=%2F","method":"get","headers":{"connection":"upgrade","host":"hz-acc-elk02.mydomain.com","cache-control":"max-age=0","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\"","sec-ch-ua-mobile":"?0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en;q=0.9"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"},"res":{"statusCode":401,"responseTime":50,"contentLength":9},"message":"GET /app/login?nextUrl=%2F 401 50ms - 9.0B"}
May 10 11:06:01 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"log","@timestamp":"2021-05-10T09:06:01Z","tags":["error","elasticsearch","data"],"pid":197789,"message":"[ResponseError]: Response Error"}
May 10 11:06:01 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"log","@timestamp":"2021-05-10T09:06:01Z","tags":["error","plugins","spaces"],"pid":197789,"message":"Unable to navigate to space \"default\". ResponseError: Response Error"}
May 10 11:06:01 hz-acc-elk02.mydomain.com kibana[197789]: {"type":"response","@timestamp":"2021-05-10T09:06:01Z","tags":[],"pid":197789,"method":"get","statusCode":401,"req":{"url":"/app/login?nextUrl=%2F","method":"get","headers":{"connection":"upgrade","host":"hz-acc-elk02.mydomain.com","cache-control":"max-age=0","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\"","sec-ch-ua-mobile":"?0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"},"res":{"statusCode":401,"responseTime":56,"contentLength":9},"message":"GET /app/login?nextUrl=%2F 401 56ms - 9.0B"

I tried to double-check the documentation steps and search for other people with the same error, but unfortunately haven’t found much that helped.

I have also adjusted the config.yml to match my LDAP setup, but for now I’m not even able to log in to Kibana with admin, so that’s why I’m using admin credentials on Kibana for testing purposes…

Can anyone advise on what I’m missing here? Unfortunately I cannot use Open Distro for Elasticsearch, because we rely on Heartbeat, and from what I tested it won’t work due to the different licenses.

Thanks in advance.

@sidineycrescencio
I would recommend removing the LDAP config while testing this, until you get a working instance of Kibana.

A couple of questions:
Did you install the plugin for Kibana (as well as Elasticsearch)?
Did you disable spaces in the kibana.yml file (xpack.spaces.enabled: false)?
(Make sure to restart Kibana after any changes to the yml file.)

If yes to the above, can you share your config.yml file? Please redact any sensitive details.
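
An added example, not code from either poster or from the plugin project: a small triage script for the situation in this thread. It groups Kibana journal entries by error tags and 401 URLs, tolerates truncated entries, and reports whether the flat `xpack.spaces.enabled` key asked about in the reply is set in kibana.yml. The function names, the shortened log lines and the YAML excerpt are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample lines, shortened from the journal output in the post.
SAMPLE_LOG = [
    'May 10 11:02:15 host kibana[197789]: {"type":"log","tags":["error","elasticsearch","data"],"message":"[ResponseError]: Response Error"}',
    'May 10 11:02:15 host kibana[197789]: {"type":"log","tags":["error","plugins","spaces"],"message":"Unable to navigate to space \\"default\\". ResponseError: Response Error"}',
    'May 10 11:02:15 host kibana[197789]: {"type":"response","tags":[],"req":{"url":"/app/login?nextUrl=%2F"},"res":{"statusCode":401}}',
    # Truncated entry (closing brace lost), as can happen when logs are pasted.
    'May 10 11:06:01 host kibana[197789]: {"type":"response","res":{"statusCode":401},"message":"GET /app/login 401"',
]

# Constructed kibana.yml excerpt using flat dotted keys, as in the post.
SAMPLE_YML = """\
elasticsearch.username: "admin"
xpack.security.enabled: false
"""

def parse_line(line):
    """Return the JSON payload after the syslog prefix, or None if unparsable."""
    try:
        return json.loads(line[line.index("{"):])
    except ValueError:  # no "{" found, or truncated/invalid JSON
        return None

def triage(lines):
    """Count error tags and 401 responses per URL; track skipped lines."""
    errors, unauthorized, skipped = Counter(), Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        elif entry.get("type") == "log" and "error" in entry.get("tags", []):
            errors["/".join(t for t in entry["tags"] if t != "error")] += 1
        elif entry.get("type") == "response" and entry.get("res", {}).get("statusCode") == 401:
            unauthorized[entry.get("req", {}).get("url", "?")] += 1
    return errors, unauthorized, skipped

def flat_setting(yml_text, key):
    """Look up a flat 'a.b.c: value' key; None if absent or commented out."""
    for raw in yml_text.splitlines():
        name, sep, value = raw.partition(":")
        if sep and name.strip() == key:
            return value.strip().strip('"')
    return None

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("xpack.spaces.enabled =", flat_setting(SAMPLE_YML, "xpack.spaces.enabled"))
```

A `None` result from `flat_setting` means the key is not set explicitly, so Kibana falls back to its default for that setting.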