Hi experts,
This is the first time I try to configure Open Distro with LDAP. I have done it before with XPath.
I did all the configuration in config.yml as follows, and in LDAP as well, but I'm getting this error:
[2020-12-07T17:36:53,577][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [ubuntu-VirtualBox] Unable to connect to ldapserver openldap:389 due to [org.ldaptive.provider.ConnectionException@787625818::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]. Try next.
[2020-12-07T17:36:53,577][WARN ][c.a.o.s.a.BackendRegistry] [ubuntu-VirtualBox] Authentication finally failed for linus from 127.0.0.1:35654
I think the password encrypted by Open Distro doesn’t match the way it is encrypted in OpenLDAP. It is my guess.
I encrypted the password in OpenLDAP with the command:
slappasswd -h {SHA} -s my_secret_password
The OpenLDAP LDIF:
dn: dc=portoseguro,dc=BR
objectClass: dcObject
objectClass: organization
objectClass: top
dc: portoseguro
o: portoseguro.BR

dn: cn=admin,dc=portoseguro,dc=BR
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9MWNZNFB0a01uT015dTllNnZFQUJPQnZyeW4vTzk3cWg=

dn: ou=people,dc=portoseguro,dc=BR
objectClass: organizationalUnit
objectClass: top
ou: People

dn: uid=john,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: John Dee
gidNumber: 10001
givenName: John
homeDirectory: /home/john
loginShell: /bin/bash
mail:
sn: Dee
uid: john
uidNumber: 10001
userPassword:: e1NIQX1wUjNhZkgvMUMySHE2Z1JFTng5S2FwTUI1UUU9

dn: uid=janet,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: Janet Jackson
gidNumber: 10000
givenName: janet
homeDirectory: /home/janet
loginShell: /bin/bash
mail:
sn: Jackson
uid: janet
uidNumber: 10000
userPassword:: e1NIQX0yU3dubDc4QXhwZGdjbXRGbmpiUmxCd3Ric2M9

dn: uid=linus,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: Linus Torvald
gidNumber: 10002
givenName: Linus
homeDirectory: /home/linus
loginShell: /bin/bash
mail:
sn: Torvald
uid: linus
uidNumber: 10002
userPassword:: bGludXM=

dn: uid=kibanaserver,ou=people,dc=portoseguro,dc=BR
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
cn: kibanaserver
gidNumber: 10003
givenName: kibanaserver
homeDirectory: /home/kibanaserver
loginShell: /bin/bash
sn: kibanaserver
uid: kibanaserver
uidNumber: 10003
userPassword:: e1NTSEF9SWRzS1NlUnJTK0xJREx3ckFkUnJQei91M0phVGNwbmI=

dn: ou=grouprole,dc=portoseguro,dc=BR
objectClass: organizationalUnit
objectClass: top
ou: Groups
ou: grouprole

dn: cn=elastic.user,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: elastic.user
description: "Grupo dos Usuarios do Elasticsearch"
member: uid=john,ou=people,dc=portoseguro,dc=BR
member: uid=janet,ou=people,dc=portoseguro,dc=BR

dn: cn=elastic.admin,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: elastic.admin
description: "Grupo dos Administradores do Elasticsearch"
member: uid=linus,ou=people,dc=portoseguro,dc=BR

dn: cn=kibana_read_only,ou=grouprole,dc=portoseguro,dc=BR
objectClass: groupOfNames
objectClass: top
cn: kibana_read_only
description: "Grupo dos Usuarios Kibana"
member: uid=kibanaserver,ou=people,dc=portoseguro,dc=BR
The Open Distro config.yml:
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - openldap:389
            bind_dn: cn=readonly,dc=example,dc=org
            password: changethistoo
            userbase: ou=People,dc=example,dc=org
            usersearch: (cn={0})
            username_attribute: cn
    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - openldap:389
            bind_dn: cn=admin,dc=portoseguro,dc=BR
            password: admin
            userbase: ou=people,dc=portoseguro,dc=BR
            usersearch: (uid={0})
            username_attribute: cn
            skip_users:
              - admin
              - kibanaserver
            rolebase: ou=grouprole,dc=portoseguro,dc=BR
            rolesearch: (member={0})
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: false
Thank you,
Samuel Lima
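The suspicion in the post, that the stored hash format and the submitted password do not line up, can be checked offline against the LDIF before touching the server. The following is an added example, not code from the original post or from Open Distro or OpenLDAP: it reproduces the {SHA}/{SSHA} value layout that slappasswd -h writes, verifies a candidate password against a stored userPassword value, and scans an LDIF for entries whose userPassword is cleartext rather than hashed. The two-entry LDIF it scans is constructed for the example (the names and passwords in it are assumptions).

```python
import base64
import hashlib
import hmac
import os

def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, payload bytes); cleartext gives (None, bytes)."""
    if value.startswith("{") and "}" in value:
        scheme, _, payload = value[1:].partition("}")
        return scheme.upper(), base64.b64decode(payload)
    return None, value.encode("utf-8")

def make_userpassword(password, scheme="SSHA", salt=None):
    """Build a userPassword value in the {SHA}/{SSHA} layout that slappasswd -h writes."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    salt = os.urandom(4) if salt is None else salt  # SSHA: SHA-1(pw + salt), salt appended
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()

def verify_userpassword(password, stored):
    """True if password matches a stored {SHA}, {SSHA} or cleartext userPassword value."""
    scheme, payload = parse_userpassword(stored)
    pw = password.encode("utf-8")
    if scheme == "SSHA":  # first 20 bytes are the digest, the rest is the salt
        payload, pw = payload[:20], hashlib.sha1(pw + payload[20:]).digest()
    elif scheme == "SHA":
        pw = hashlib.sha1(pw).digest()
    elif scheme is not None:
        raise ValueError("unsupported scheme " + scheme)
    return hmac.compare_digest(payload, pw)

def audit_ldif_passwords(ldif):
    """Map each dn to its userPassword scheme ('::' marks a base64 LDIF value); None means cleartext."""
    schemes, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
            schemes[dn] = parse_userpassword(value)[0]
    return schemes

def sample_ldif():
    """Constructed two-entry LDIF: a {SHA} hash of 'secret' and the cleartext 'linus'."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return ("dn: uid=john,ou=people,dc=example,dc=org\n"
            "userPassword:: " + b64(make_userpassword("secret", "SHA")) + "\n\n"
            "dn: uid=linus,ou=people,dc=example,dc=org\n"
            "userPassword:: " + b64("linus") + "\n")
```

Run audit_ldif_passwords over the real LDIF to see which entries are hashed and which are stored cleartext, then verify_userpassword against the password each user submits. If every stored value verifies, the INVALID_CREDENTIALS in the log concerns the connection bind itself rather than the hash scheme, and the bind_dn and password pair of the authentication backend is the next thing to compare with the LDIF.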