LDAPS + tcpdump not showing traffic to AD Server

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.1.14

Describe the issue:
Having enabled LDAPS to an Active Directory LDAP server via port 636, it is working nicely. BUT: when I was checking network traffic to double-check that OpenSearch is really connecting to the server, I could not see any traffic so far. Only if I enter bad credentials is something transmitted.

My question here is: how is this working? Is there caching of usernames and passwords? Because I can log on without any communication to the LDAP server. This is a security issue, because if the password gets changed, it is still possible to log on with the wrong password…?

Configuration:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "intern"
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            connect_timeout: 5000
            response_timeout: 5000
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            pemtrustedcas_filepath: /etc/opensearch/lms-ca.pem
            hosts:
              - remote-server:636
            bind_dn: …
            password: anypass
            userbase: …
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: name
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            connect_timeout: 5000
            response_timeout: 5000
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            pemtrustedcas_filepath: /etc/opensearch/lms-ca.pem
            hosts:
              - remote-server:636
            bind_dn: …
            password: anypass
            rolebase: …
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: none
            username_attribute: name
            rolename: CN
            resolve_nested_roles: true
            userbase: …
            usersearch: '(sAMAccountName={0})'
            skip_users:
              - kibanaserver

Kind regards
Chris.

Hi @cchristfrq,

You can control the caching:
“To determine how long it takes for caching to time out, you can use the plugins.security.cache.ttl_minutes property to set a value in minutes. The default is 60.”

Please see more here: Modifying the YAML files - OpenSearch Documentation

Best,
mj

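The behaviour Chris observed, as an added example that is not OpenSearch code and not from either poster: a toy model of a credential cache sitting in front of an LDAP bind. It assumes the cache is keyed on username plus a hash of the presented password, so a correct, previously seen password is served from the cache with no bind (no traffic on port 636), a wrong password is always a miss (the only time traffic appears), and a password changed in AD keeps working with the old value until the cached entry expires. `ttl_minutes = 0` is modelled as "never cache", matching the documented meaning of `plugins.security.cache.ttl_minutes: 0`. The account, passwords and timings are constructed sample data.

```python
"""Toy model of the credential cache in front of an LDAP/AD bind (added example).

Reproduces the observations from the thread: no port-636 traffic on repeat
logins, traffic only for bad credentials, and a window after a password change
in which the old password is still accepted. Not OpenSearch code; the keying on
(username, password hash) and the meaning of ttl_minutes=0 are assumptions
stated in the lead-in. All names and passwords are constructed sample data.
"""
import hashlib
import time
from typing import Callable, Dict, Tuple


class FakeLdapServer:
    """Stand-in for the AD domain controller. Every bind() is one round trip
    that would be visible in tcpdump on port 636."""

    def __init__(self, passwords: Dict[str, str]) -> None:
        self.passwords = dict(passwords)
        self.binds = 0

    def bind(self, username: str, password: str) -> bool:
        self.binds += 1
        return self.passwords.get(username) == password


class CachingAuthenticator:
    """Consults the cache first; only a miss (unseen user/password pair, or an
    expired entry) reaches the backend."""

    def __init__(self, backend: FakeLdapServer, ttl_minutes: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.backend = backend
        self.ttl_seconds = ttl_minutes * 60
        self.clock = clock
        self._cache: Dict[Tuple[str, str], float] = {}  # (user, pw hash) -> expiry

    @staticmethod
    def _key(username: str, password: str) -> Tuple[str, str]:
        # The password hash is part of the key: a wrong password can never hit,
        # which is why only failed logins generate network traffic.
        return username, hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, username: str, password: str) -> bool:
        now = self.clock()
        key = self._key(username, password)
        expiry = self._cache.get(key)
        if expiry is not None and expiry > now:
            return True  # served from cache: no bind, no traffic
        if expiry is not None:
            del self._cache[key]  # stale entry, fall through to the backend
        ok = self.backend.bind(username, password)
        if ok and self.ttl_seconds > 0:
            self._cache[key] = now + self.ttl_seconds
        return ok


def scenario(ttl_minutes: int) -> Dict[str, Tuple[bool, int]]:
    """Replays the thread's observations. Each value is
    (login accepted, total binds the LDAP server has seen so far)."""
    now = [0.0]  # fake clock so the test can jump past the TTL
    ldap = FakeLdapServer({"chris": "Winter2024!"})  # constructed sample account
    auth = CachingAuthenticator(ldap, ttl_minutes, clock=lambda: now[0])
    out: Dict[str, Tuple[bool, int]] = {}

    out["first_login"] = (auth.authenticate("chris", "Winter2024!"), ldap.binds)
    out["repeat_login"] = (auth.authenticate("chris", "Winter2024!"), ldap.binds)
    out["wrong_password"] = (auth.authenticate("chris", "nope"), ldap.binds)

    ldap.passwords["chris"] = "Spring2025!"  # password changed in AD
    out["old_password_after_change"] = (auth.authenticate("chris", "Winter2024!"), ldap.binds)

    now[0] += ttl_minutes * 60 + 1  # wait out the cache
    out["old_password_after_ttl"] = (auth.authenticate("chris", "Winter2024!"), ldap.binds)
    return out


if __name__ == "__main__":
    for ttl in (60, 0):
        print(f"ttl_minutes={ttl}")
        for step, (ok, binds) in scenario(ttl).items():
            print(f"  {step:28s} accepted={ok!s:5s} ldap_binds={binds}")
```

With the default-like TTL of 60 the bind counter stays at 1 across the repeat login and at 2 after the password change, while the old password is still accepted; with TTL 0 every login is a bind and the old password is rejected immediately. The same pattern can be checked on a real node by watching `tcpdump -ni any port 636` while logging in twice with the same credentials and once with a bad password. Note that the cache holds the resolved user, so a disabled or locked AD account keeps working for the same window; the TTL you pick is the maximum time a revoked credential stays usable, traded against extra load on the domain controllers.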