I have created a client TLS certificate and enabled clientcert authentication.
How is the authentication_backend configured to map the CN in the certificate to a user?
I have created new certificates, configured them in elasticsearch.yml, added the new Root CA to /etc/ssl/certs/ca-certificates.crt using update-ca-certificates, and tested that the client certificate is valid.
I am attempting to connect to Elasticsearch from Python using the Elasticsearch module but get:
elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, 'Unauthorized')
when attempting to connect with:
from elasticsearch import Elasticsearch

es = Elasticsearch([{'host': '192.168.0.10', 'port': '9200'}],
                   scheme="https",
                   use_ssl=True,
                   ssl_assert_hostname=False,
                   client_cert='client.cert',
                   client_key='client.key',
                   ca_certs='/etc/ssl/certs/ca-certificates.crt'
                   )
es.info()
I am assuming this is because the TLS CN name is not mapped to a user/role.
My config is:
clientcert_auth_domain:
  description: "Authenticate via SSL client certificates"
  http_enabled: true
  transport_enabled: false
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn #optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: internal
Regards,
Ben