LDAP Authentication: Not able to login; no Permissions for User

Good evening,

I have read a lot of posts here with very similar problems but unfortunately none of them could help me. I am trying to login to OpenSearch with my LDAP credentials. My config.yml looks like this:

  ldap:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: true
        pemtrustedcas_filepath: '/path/to/opensearch/config/my-ca.pem'
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
                - my-ldap-host.de:636
        bind_dn: "cn=xxx,ou=xxx,ou=xxx,ou=Groups,ou=group,ou=xxx,dc=xxx,dc=de"
        password: xxxx
        userbase: "ou=xxx,dc=xxx,dc=de"
        usersearch: '(sAMAccountName={0})'
        username_attribute: cn
authz:
  ldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        pemtrustedcas_filepath: '/path/to/opensearch/config/my-ca.pem'
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
                - my-ldap-host:636
        bind_dn: "cn=xxx,ou=xxx,ou=xxx,ou=Groups,ou=group,ou=xxx,dc=xxx,dc=de"
        password: xxxx
        userbase: "ou=xxx,dc=xxx,dc=de"
        usersearch: '(sAMAccountName={0})'
        username_attribute: cn
        rolebase: 'OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: none
        rolename: "name"
        resolve_nested_roles: true
        #rolesearch_enabled: false
        skip_users:
                - kibanaserver
                - admin

In roles_mapping.yml I added the following to the all_access role:

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "CN=xxx,OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de"
  description: "Maps admin to all_access"

OpenSearch Dashboards accepted the role map:

But nevertheless I get an Invalid username or password error when I try to login with my LDAP credentials. Also when I try to get cluster health I get

"error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/health] and User [name=my-resolved-ldap-name, backend_roles=[xxx, xxx], requestedTenant=null]"
      }

This error suggests that somehow my credentials are read by Opensearch because my login name is resolved as my name saved in LDAP although I did not use it anywhere in Opensearch.

Does anyone have an idea what is wrong with my configuration?

I would be very thankful for a response!

P.S.: The user exists in LDAP. I already tested login with the credentials in an Elasticsearch Cluster and this works.

@user2111 Could you try the following command?

curl --insecure -u <LDAP_USER> -XGET https://localhost:9200/_plugins/_security/authinfo?pretty

In response, you should get backend roles taken from AD. Since you’re using name as an attribute for the rolename

rolename: "name"

you’ll get only short names of the groups.

i.e.

That will fail to match your role binding where you’ve configured dn as a backend role.
If you’d like to use dn instead, then you need to configure the below in your authz section.

rolename: "dn"

Then you’ll see the below output.

i.e.

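A check I would add here (my own example, not code from the thread or from OpenSearch) that compares the backend_roles returned by /_plugins/_security/authinfo with the backend_roles of roles_mapping.yml and flags the short-name-versus-DN mismatch this reply describes; the roles_mapping dict and the two authinfo samples are constructed.

```python
import json
import re

# Matches values that start with an RDN such as CN=, OU= or DC= (an LDAP DN).
DN_RE = re.compile(r"^\s*(CN|OU|DC)=", re.IGNORECASE)


def is_dn(value: str) -> bool:
    """True if the backend role looks like a DN rather than a short group name."""
    return bool(DN_RE.match(value))


def short_name(dn: str) -> str:
    """Leading RDN value of a DN: 'CN=ops,OU=Groups,DC=x' -> 'ops'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def diagnose(authinfo_json: str, roles_mapping: dict) -> dict:
    """Compare authinfo backend_roles with roles_mapping.yml backend_roles.

    roles_mapping maps a security role name to its backend_roles list.
    Returns roles that match exactly and, for those that do not, a hint
    when the only difference is DN versus short name (rolename: "dn"/"name").
    """
    have = set(json.loads(authinfo_json).get("backend_roles", []))
    have_short = {short_name(h) for h in have if is_dn(h)}
    report = {"matched": [], "unmatched": {}}
    for role, wanted_list in roles_mapping.items():
        if have & set(wanted_list):
            report["matched"].append(role)
            continue
        hints = []
        for wanted in wanted_list:
            if is_dn(wanted) and short_name(wanted) in have:
                hints.append(f'{wanted}: user carries short name {short_name(wanted)!r}; set rolename: "dn" in authz')
            elif not is_dn(wanted) and wanted in have_short:
                hints.append(f'{wanted}: user carries a DN; set rolename: "name" or map the full DN')
        report["unmatched"][role] = hints
    return report


# Constructed sample data, not from the thread: a user whose groups come back as
# short names (rolename: "name") while roles_mapping.yml lists the group DN.
ROLES_MAPPING = {"all_access": ["admin", "CN=os-admins,OU=Groups,DC=example,DC=de"]}
AUTHINFO_SHORT = json.dumps({"user_name": "jdoe", "backend_roles": ["os-admins", "log-readers"]})
AUTHINFO_DN = json.dumps({"user_name": "jdoe",
                          "backend_roles": ["CN=os-admins,OU=Groups,DC=example,DC=de"]})

if __name__ == "__main__":
    print(diagnose(AUTHINFO_SHORT, ROLES_MAPPING))  # unmatched all_access, hint: rolename "dn"
    print(diagnose(AUTHINFO_DN, ROLES_MAPPING))     # matched: ['all_access']
```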

Good afternoon @pablo ,
I changed the rolename to “dn” and got the same as you with that command:

{
  "user" : "User [name=my-name, backend_roles=[CN=xxx,OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de, CN=xxx,OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de], requestedTenant=null]",
  "user_name" : "my-name",
  "user_requested_tenant" : null,
  "remote_address" : "host:port",
  "backend_roles" : [
    "CN=xxx,OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de",
    "CN=xxx,OU=xxx,OU=xxx,OU=Groups,OU=group,OU=xxx,DC=xxx,DC=de"
  ],
  "custom_attribute_names" : [
...
]
  "roles" : [
    "own_index",
    "all_access"
  ],
  "tenants" : {
    "admin_tenant" : true,
    "global_tenant" : true,
    "my-name" : true
  },

Now I can see the cluster health with my ldap user, so this is an improvement, thank you for that!
But still I cannot log in. Do I have to change also something else in my config?

To sum this up:
The connection to the LDAP server works, which was proved by the commands

curl --insecure -u my-ldap-user -XGET https://myhost:9200/_plugins/_security/authinfo?pretty

because I get an expected response, i.e. given as above, and

curl -XGET "https://myhost:9200/_cluster/health?wait_for_status=yellow&timeout=50s&pretty" --insecure -u my-ldap-user

where I also get the cluster health information.
So my-ldap-user has the all_access role but still cannot log in to OpenSearch Dashboards. I get the error message "Invalid username or password, please try again" on Dashboards.

I really have no idea where the problem could be. Do I have to set something in OpenSearch Dashboards such that LDAP authentication is accepted?

I think I can add one more thing:

My OpenSearch Dashboards logs look like this:


The following is happening here: I log in with the fantasy name “test” and click the login button many times; nothing happens except "Invalid username or password, please try again", and "message":"Failed authentication: Error: Authentication Exception" appears in the logs.
The red line is where I logged in with my real username. The first two times I click the login button, there is the error message "Invalid username or password, please try again" in Dashboards, and this is logged as "message":"Failed authentication: Error: Authentication Exception". The third time I click the button, the Dashboards page reloads with a blank input field and the logs show "message":"Failed to resolve user tenant: Error: Failed authentication: Authentication Exception".
So something is happening but not correctly and for this reason I thought that maybe this is a problem with the OpenSearch Dashboards configuration.

@user2111 I have a question about this line below.

pemtrustedcas_filepath: '/path/to/opensearch/config/my-ca.pem'

Is this OpenSearch root CA or AD?

@user2111 Could you share your opensearch.yml and opensearch_dashboards.yml files?

Thank you very much for your response @pablo .
The certificate my-ca.pem is for LDAP, the nodes and Dashboards are using root-ca.pem.
The relevant part of my OpenSearch yml for node1 looks like this:


cluster.initial_cluster_manager_nodes: ["node1", "node2", "node3"]
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN'
plugins.security.nodes_dn:
  - 'CN=node1'
  - 'CN=node2'
  - 'CN=node3'
plugins.security.system_indices.enabled: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

and the relevant part of my OpenSearch Dashboards yml looks like this:

opensearch.hosts: xxx
opensearch.ssl.verificationMode: certificate
opensearch.username: kibanaserver
opensearch.password: xxx
opensearch.requestHeadersAllowlist: [authorization, securitytenant]
server.ssl.enabled: true
server.ssl.certificate: /path/to/cert/client.pem
server.ssl.key: /path/to/cert/client-key.pem
opensearch.ssl.certificateAuthorities: /path/to/cert/root-ca.pem

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: true

To be more precise: I am using a three-node OpenSearch cluster on three different hosts, OpenSearch Dashboards is on a fourth host and LDAP is also on a different host. The three nodes and the Dashboards host are using root-ca.pem, node certificates and a client certificate. The LDAP server is using my-ca.pem as CA.
Maybe I have to somehow configure my-ca.pem also in Dashboards?

@user2111 You don’t need to provide an AD certificate in the opensearch_dashboards.yml config file.

I’ve got confused a little bit. In the following thread, you stated that LDAP authentication is working and now you need to assign the roles.

Could you confirm that?
Is it the same environment?

@pablo Good evening,
yes that is the same environment. I am sorry for the confusion with the vocabulary. The authentication is not working yet, what I meant to say is that the connection to the LDAP server is working.
I still cannot login, my current situation is as described in this thread.

So I have a very strange error.
The connection to the LDAP server is working. I know this because when I change some settings as the bind_dn or the password there is a connection error and now with this settings there is no connection error.
The role mapping is working since curl --insecure -u <LDAP_USER> -XGET https://localhost:9200/_plugins/_security/authinfo?pretty gives me the correct roles. And I also have access to the cluster since cluster health with the <LDAP_USER> shows me the correct output.
But still the login with <LDAP_USER> in Dashboards is not working.

Hello,
just to have all the info.
Are the config.yml and roles_mapping.yml the only configs you pushed?

Were you able to log in to OpenSearch Dashboards with the internal admin user?

I would imagine that the cause of this issue is a problem with the internal kibanaserver user, since OpenSearch Dashboards connects to OpenSearch with that user.

My second thought is that you need to restart the OpenSearch Dashboards service. I know this is very unlikely, but could you please try this?

Hello @vi4life,
thank you very much for your response.

I am able to log in to Dashboards with my admin user and with my kibanaserver user.

I restarted Dashboards but it did not change the issue.

I load all config files that are in the config directory with securityadmin.sh but config.yml and roles_mapping.yml are the only two where I made changes, the others are in default configuration.

What do you think could the problem with the kibanaserver user be and how could I solve this?

Then maybe the kibanaserver user is not the problem.
I had a similar problem. I changed the default password of the Kibanaserver user, edited the password in the dashboards configuration, but did not restart the dashboards so I could not log in.

Could you please provide the log from the OpenSearch server that the OpenSearch dashboards is trying to connect to?
Maybe a simple reinstallation will help. Or maybe the version of the Dashboard and OpenSearch do not match. Recently version 2.2.1 was released, maybe the dashboard is newer or older than the other components.

@user2111 Based on your previous responses, OpenSearch Dashboards is not an issue as you can log in with a local user.
OpenSearch’s security plugin handles LDAP authentication and there is no need for extra configuration in OpenSearch Dashboards.

You’ve mentioned that you have a 3-node cluster. Maybe the issue is in one of your nodes.
Please try to log in from OpenSearch Dashboards with LDAP user and collect logs from all three OpenSearch nodes.
Also check /etc/hosts on all three nodes against the DC.

Alternatively, try to replace the FQDN of your AD with an IP address in config.yml and see if that resolves the issue.

Hello @pablo ,

I am sorry for the late response. This comment of yours seems very interesting. I tried

curl --insecure -u <LDAP_USER> -XGET https://localhost:9200/_plugins/_security/authinfo?pretty

with the IP of the other nodes and I get the response Unauthorized. So as you suspected this could be a sign that I have to configure something on the other nodes.

Do you have an idea what exactly I would have to do?

I thought the config files only have to be changed on one node and then initialized with securityadmin.sh only on one node.

@user2111 You’re correct. The config has to be applied once with one of the nodes and it will apply to all nodes in the cluster.
The reason why I was asking you to check each node was to test connectivity to the LDAP server - name resolution.

Could you confirm that you can resolve my-ldap-host.de on each node?

Also, try to execute the below command from each node.

env LDAPTLS_REQCERT=never ldapsearch -b "dc=xxx,dc=de" -H ldaps://my-ldap-host.de:636 -D "<bind_dn>" -w "<password>"

@pablo Thank you very much. After trying

env LDAPTLS_REQCERT=never ldapsearch -b "dc=xxx,dc=de" -H ldaps://my-ldap-host.de:636 -D "<bind_dn>" -w "<password>"

I discovered that ldap-utils was not installed on the other two nodes. After installing it I ran the command again and I can confirm that I can reach the ldap server from every node.
Also I restarted Opensearch on every node and ran securityadmin.sh again on one node.
Still I get an Unauthorized when I run
curl --insecure -u <LDAP_USER> -XGET https://localhost:9200/_plugins/_security/authinfo?pretty
on the two nodes where I did not run securityadmin.sh, and still the same response on the one node.

What exactly do you mean by this?