Hi,
I have OD set up on Kubernetes using:
- Open Distro Security Admin v7
- opendistro-for-elasticsearch:1.12.0
- opendistro-for-elasticsearch-kibana:1.12.0
The structure is as follows:
1x opendistro-es-client pod
1x opendistro-es-kibana pod
3x opendistro-es-data pods
3x opendistro-es-master pods
OD is up and running and I can log in with admin and my mounted configmap after running securityadmin.sh. I am trying to get LDAP working using SSL to connect to my MS AD server, and I get complaints about wanting to use 'opendistro_security.ssl.transport.truststore_filepath'.
I have attempted to create a truststore, but it then breaks the local user login. My questions are as follows:
- Which service do you configure the LDAP config on (client, Kibana, data nodes or master nodes, or all)? I only want Kibana to auth against LDAP for login and not mess up the inter-node certs/PEM.
- Do you need authc and authz?
- Must you use a truststore to auth against AD?
The errors I am seeing in the logs are as follows:
Unable to connect to ldapserver ldap.example.com:636 due to ElasticsearchException[Empty file path for opendistro_security.ssl.transport.truststore_filepath]. Try next.
Authentication finally failed for user@example.com from 10.40.xx.yy:55158
Here are my config files:
config.yml: (currently on opendistro-es-client pod)
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.example.com:636
            bind_dn: "CN=s_ldap_auth_opendist,OU=Generic,OU=ServiceAccounts,OU=Users,OU=Anzo,DC=corp,DC=example,DC=com"
            password: "mypassword"
            userbase: 'OU=Anzo,DC=corp,DC=example,DC=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
elasticsearch.yml:
cluster.name: "elasticsearch"
network.host: 0.0.0.0
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
If you need any other config files, please let me know. The documentation around SSL to AD and how to create a truststore is very vague and incomplete in my opinion. Any help would be much appreciated.
Regards
Darrell
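As an added example (not from Darrell's post, and not the Open Distro project's own sample config), here is a config.yml that gives the LDAP backend its own CA bundle through the security plugin's `pemtrustedcas_filepath` setting, so it no longer falls back to `opendistro_security.ssl.transport.truststore_filepath`, and adds an optional authz domain that turns AD group membership into backend roles. The file name `ldap-ca.pem`, the group container `OU=Groups,OU=Anzo,...`, the domain name `roles_from_ldap` and the `transport_enabled: false` choice on the LDAP domains are assumptions made for this example; the bind DN, user base and search filter are carried over from the post.

```yaml
# Added example config.yml (not the original post's file, not Open Distro's sample).
# Assumes the CA chain that issued the AD server certificate is saved as
# ldap-ca.pem in the security plugin's config directory on every Elasticsearch
# node (paths here are resolved relative to that directory).
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        # Inter-node (transport) traffic is authenticated by node certificates,
        # so LDAP is only needed on the REST (http) side. Assumed choice.
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            # CA for the LDAPS connection. Without this (or pemtrustedcas_content,
            # which takes the PEM text inline) the plugin reuses the transport
            # truststore settings, which is the source of the "Empty file path for
            # opendistro_security.ssl.transport.truststore_filepath" error.
            pemtrustedcas_filepath: ldap-ca.pem
            hosts:
              - ldap.example.com:636
            bind_dn: "CN=s_ldap_auth_opendist,OU=Generic,OU=ServiceAccounts,OU=Users,OU=Anzo,DC=corp,DC=example,DC=com"
            password: "mypassword"
            userbase: "OU=Anzo,DC=corp,DC=example,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: sAMAccountName
    authz:
      # Optional: only needed if AD groups should become backend roles.
      # Without an authz domain, LDAP users authenticate but carry no roles
      # until mapped individually in roles_mapping.yml.
      roles_from_ldap:
        description: "Map AD group membership to backend roles (assumed domain name)"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: ldap-ca.pem
            hosts:
              - ldap.example.com:636
            bind_dn: "CN=s_ldap_auth_opendist,OU=Generic,OU=ServiceAccounts,OU=Users,OU=Anzo,DC=corp,DC=example,DC=com"
            password: "mypassword"
            userbase: "OU=Anzo,DC=corp,DC=example,DC=com"
            usersearch: "(sAMAccountName={0})"
            # Group container and filter are assumptions for this example.
            rolebase: "OU=Groups,OU=Anzo,DC=corp,DC=example,DC=com"
            rolesearch: "(member={0})"
            # AD stores group membership on the user object in memberOf,
            # and the group's CN becomes the backend role name.
            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: true
```

Two practical notes on where this lives. config.yml is not per-node: securityadmin.sh writes it into the security index, so the same authc/authz applies to the whole cluster, and the LDAP lookup runs on whichever Elasticsearch node receives the REST request (the client node Kibana talks to). That is why `ldap-ca.pem` must exist in the config directory of every Elasticsearch node; Kibana itself only forwards the basic-auth credentials and needs no LDAP settings. Because the internal domain stays in authc with `order: 2`, the admin user from internal_users.yml keeps working when the LDAP bind fails. The resulting backend roles (group CNs) are then mapped to Open Distro roles in roles_mapping.yml; the password in the snippet is a placeholder copied from the post, so store the real one in a Kubernetes Secret rather than in the configmap.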