LDAP login doesn't work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch 2.18.0
opensearch-dashboards 2.18.0
Server: Debian 12 , packages installed by apt

Describe the issue:
Followed the documentation, but LDAP is not enabled as authentication source.
On page "Authentication and authorization" the "ldap" domain is disabled on http and transport as well, "http type" is "basic" and "http challenge" is "false", "backend type" is "ldap".
On authorization, both "roles_from_another_ldap" and "roles_from_myldap" are completely disabled, both backend types are "ldap".

The configuration shows no options for LDAP, the login screen shows no option for LDAP login.

There is a logstash server that collects and sends the logs to the opensearch. Nobody wants to query and add logs via curl or other CLI tools. ONLY LOGSTASH sends logs in.
The users are in AD, all member of a specific group.
The goal is that users who are members of the specified group can log in to OPENSEARCH-DASHBOARD with the AD login, NOT to Opensearch API-s or other stuff.
That is not working, no feedback on the dashboard interface.
Logging in with AD user gives standard "Invalid username or password. Please try again."

Configuration:
/etc/opensearch/opensearch-security/config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
   ...
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
    ...
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - ad1:636
            - ad2:636
            bind_dn: _opensearch_user
            password: "password_removed"
            userbase: "DC=company,DC=local"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: 'sAMAccountName'
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
            - ad1:636
            - ad2:636
            bind_dn: _opensearch_user
            password: "password_removed"
            rolebase: "CN=opensearch_loginz,OU=groups,DC=company,DC=local"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            # userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'DC=company,DC=local'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'

/etc/opensearch-dashboard/

opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
opensearch_security.auth.type: basicauth
opensearch_security.auth.multiple_auth_enabled: true

Relevant Logs or Screenshots:
[WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for aduser1 from 10.10.10.10:12345

Thank you for your help!

Same error for me and I have no idea how to resolve that.

Looking at my config which is working for auth against AD the difference I see is for authc and authz with ldap I have:

        http_enabled: true
        transport_enabled: true

Set to false for both params.
Additionally - I do have:

        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

Set under authc to enable service accounts for things like logstash, kibana etc. to not hit AD and use the internal opensearch auth instead.

Oddly for dashboards I do not have

opensearch_security.auth.type: basicauth
opensearch_security.auth.multiple_auth_enabled: true

Set in my config.

Also, there won't be an option to auth via LDAP or basic from the UI perspective. It will try the authc configs based on the order parameter and after the first fails it proceeds to the next iirc.

Hi all,

@repasp it looks like you’re trying to use SSL but have yet to list any cert in your authc or authz for use. This will be needed for company.local.

Could you confirm if company.local is local testing, or is it part of an org's internal domain?

Let's first test to see if you can get connectivity to AD, and if the AD user is working. Could you test the following two, and send back the output please:

Test if ldap user is working:

curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

Also please run ldapsearch and share the output.

Thanks.
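An added example, not from the thread or from OpenSearch: a small Python linter that checks a security config.yml for the three points raised in the two replies above (no internal-users domain for service accounts, an LDAP domain with http_enabled false, and LDAPS enabled without a trusted CA), plus an authz usersearch that does not match the authc one. SAMPLE_CONFIG is a constructed dict mirroring the structure of the poster's config.yml; the function names are my own.

```python
# Lint an OpenSearch security config.yml for the LDAP problems raised in this
# thread. Added example, not OpenSearch or the posters' code; SAMPLE_CONFIG is a
# constructed dict mirroring the structure of the poster's config.yml.

SAMPLE_CONFIG = {"config": {"dynamic": {
    "authc": {"ldap": {"http_enabled": True, "order": 5,
        "http_authenticator": {"type": "basic", "challenge": True},
        "authentication_backend": {"type": "ldap", "config": {
            "enable_ssl": True, "usersearch": "(sAMAccountName={0})"}}}},
    "authz": {"roles_from_myldap": {"http_enabled": True,
        "authorization_backend": {"type": "ldap", "config": {
            "enable_ssl": True, "usersearch": "(uid={0})"}}}}}}}

def _ldap_backends(dyn):
    # Yield (section, name, domain, backend config) for every LDAP backend.
    for section, key in (("authc", "authentication_backend"),
                         ("authz", "authorization_backend")):
        for name, dom in dyn.get(section, {}).items():
            backend = dom.get(key, {})
            if backend.get("type") == "ldap":
                yield section, name, dom, backend.get("config", {})

def lint_ldap(config):
    """Return finding strings; an empty list means nothing was flagged."""
    dyn = config["config"]["dynamic"]
    findings, backends = [], list(_ldap_backends(dyn))
    # Service accounts (kibanaserver, logstash) need an internal-users domain.
    if not any(d.get("authentication_backend", {}).get("type") in ("intern", "internal")
               for d in dyn.get("authc", {}).values()):
        findings.append("authc: no internal users domain (type intern) for service accounts")
    authc_searches = {c.get("usersearch") for s, _, _, c in backends if s == "authc"}
    for section, name, dom, cfg in backends:
        # A domain with http_enabled false is skipped for REST/Dashboards logins.
        if not dom.get("http_enabled", True):
            findings.append(f"{section}/{name}: http_enabled is false")
        # LDAPS/STARTTLS needs a trusted CA, otherwise the connection itself fails.
        if (cfg.get("enable_ssl") or cfg.get("enable_start_tls")) and not (
                cfg.get("pemtrustedcas_filepath") or cfg.get("pemtrustedcas_content")):
            findings.append(f"{section}/{name}: TLS to LDAP enabled but no "
                            "pemtrustedcas_filepath/pemtrustedcas_content")
        # AD entries carry sAMAccountName; uid is normally unset, so the searches should match.
        if section == "authz" and cfg.get("usersearch") not in authc_searches:
            findings.append(f"{section}/{name}: usersearch {cfg.get('usersearch')!r} "
                            "differs from authc usersearch")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ldap(SAMPLE_CONFIG) or ["no findings"]))
```

To lint a real file, load it with a YAML parser and pass the resulting dict to lint_ldap.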

Hey @abarocco,

I see you solved your issue with Pablo, that’s good to hear. (LDAP Not Working - #8 by abarocco)

@repasp are you still having an issue or have you managed to get your setup working?