Need Urgent Help On LDAP Authentication

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch-2.12.0
Dashboard-2.12.0
RHEL-8.8
Microsoft Edge-128.0.2739.67

Describe the issue:
My cluster's LDAP Authentication is not working; is there anything that can be done? Any idea is appreciated, thanks. (I want to only implement LDAP Authentication, not the Authorization.) I apply the changes by running securityadmin.sh, and the change in configs can be seen in the Security section of my dashboard. I can also ldapsearch via the command line:

ldapsearch -H ldaps://myldapserver.mycompany.sth.st:1636 -D "uid=MYUID,ou=SomeUsers,dc=asd,dc=qwe" -w "*******" -b "dc=asd,dc=qwe" "(uid=MYUSERID)"

The ldapsearch returns successfully.

Configuration:

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - ldaps://myldapserver.mycompany.sth.st:1636
            bind_dn: uid=MYUID,ou=SomeUsers,dc=asd,dc=qwe
            password: *******
            userbase: 'dc=asd,dc=qwe'
            usersearch: '(&(uid={0})(status=1)(objectClass=person))'
            username_attribute: uid

Relevant Logs or Screenshots:

I also applied this change in "config.yml" to all the nodes in the cluster and restarted all of them.

Hi @bugravibes,

It seems to be disabled at the moment.

Could you share the output of the following:

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty

Best,
mj

Hi, should I make them true?

This is the output of

curl --insecure -u adminuser:adminpassword -XGET https://COORDINATINGNODEIP:9200/_plugins/_security/api/securityconfig?pretty

{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "jwt_auth_domain" : {
          "http_enabled" : false,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "jwt",
            "config" : {
              "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header" : "Authorization",
              "jwt_clock_skew_tolerance_seconds" : 30
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via Json Web Token"
        },
        "ldap" : {
          "http_enabled" : true,
          "order" : 5,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : true,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "ldaps://myldapserver.mycompany.sth.st:1636"
              ],
              "bind_dn" : "uid=MYUID,ou=SomeUsers,dc=asd,dc=qwe",
              "password" : "*******",
              "userbase" : "dc=asd,dc=qwe",
              "usersearch" : "(&(uid={0})(status=1)(objectClass=person))",
              "username_attribute" : "uid"
            }
          },
          "description" : "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "order" : 4,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "intern",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain" : {
          "http_enabled" : false,
          "order" : 3,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "proxy",
            "config" : {
              "user_header" : "x-proxy-user",
              "roles_header" : "x-proxy-roles"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via proxy"
        },
        "clientcert_auth_domain" : {
          "http_enabled" : false,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "clientcert",
            "config" : {
              "username_attribute" : "cn"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain" : {
          "http_enabled" : false,
          "order" : 6,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "kerberos",
            "config" : {
              "krb_debug" : false,
              "strip_realm_from_principal" : true
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        }
      },
      "authz" : {
        "roles_from_another_ldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : { }
          },
          "description" : "Authorize via another Active Directory"
        },
        "roles_from_myldap" : {
          "http_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "rolebase" : "ou=groups,dc=example,dc=com",
              "rolesearch" : "(member={0})",
              "userrolename" : "disabled",
              "rolename" : "cn",
              "resolve_nested_roles" : true,
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(uid={0})"
            }
          },
          "description" : "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false,
      "on_behalf_of" : {
        "enabled" : false
      }
    }
  }
}

@bugravibes, yes that is correct.

One more thing: according to the docs, the hosts list does not contain a protocol; it is rather defined by authentication_backend.config.enable_ssl: true, i.e.:

        hosts:
          - ldap.example.com:636

Best,
mj

I did the changes you offered and changed my config as:

 authc:
      ...
      ...
      ...
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - ldaps://myldapserver.mycompany.sth.st:1636
            - ldap://myldapserver.mycompany.sth.st:1636
            - myldapserver.mycompany.sth.st:1636
            bind_dn: uid=MYUID,ou=SomeUsers,dc=asd,dc=qwe
            password: *******
            userbase: 'dc=asd,dc=qwe'
            usersearch: '(&(uid={0})(status=1)(objectClass=person))'
            username_attribute: uid

I did not clearly understand the part about hosts, but changed it to

hosts:
            - ldaps://myldapserver.mycompany.sth.st:1636
            - ldap://myldapserver.mycompany.sth.st:1636
            - myldapserver.mycompany.sth.st:1636

to try all the possibilities, but it is not working :frowning: (I updated all the config files in the cluster and applied securityadmin.sh)

I just want to remind you that I only get a response from ldapsearch with "ldaps://myldapserver.mycompany.sth.st:1636" and "ldap://myldapserver.mycompany.sth.st:1636"; "myldapserver.mycompany.sth.st:1636" does not get an LDAP response.


Thanks,
Best,
bgr

I resolved the issue. The problem was that my LDAP server requires certificates for access, so I provided

pemtrustedcas_filepath: "/path/to/certificates"

in my config.yml and the problem was solved.

Thanks!

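The three things this thread converged on (the domain being disabled, scheme prefixes in `hosts`, and a missing trusted CA for the LDAPS connection) can be checked mechanically against the `securityconfig` JSON that mj asked for. The following linter is an added example, not code from the thread or from the OpenSearch project; it runs over a constructed, trimmed copy of the poster's config and a corrected copy, and the CA path in the corrected copy is a placeholder.

```python
import json
import copy

# Constructed sample: a trimmed copy of the securityconfig JSON shown in the thread,
# keeping only the ldap authc domain with the settings the original poster had.
SAMPLE_CONFIG = json.loads("""
{"config": {"dynamic": {"authc": {"ldap": {
  "http_enabled": false, "order": 5,
  "http_authenticator": {"challenge": false, "type": "basic", "config": {}},
  "authentication_backend": {"type": "ldap", "config": {
    "enable_ssl": true, "enable_start_tls": false, "verify_hostnames": true,
    "hosts": ["ldaps://myldapserver.mycompany.sth.st:1636"],
    "bind_dn": "uid=MYUID,ou=SomeUsers,dc=asd,dc=qwe", "userbase": "dc=asd,dc=qwe",
    "usersearch": "(&(uid={0})(status=1)(objectClass=person))"}}}}}}}
""")

# Constructed: the same domain after the three fixes discussed in the thread.
FIXED_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
_dom = FIXED_CONFIG["config"]["dynamic"]["authc"]["ldap"]
_dom["http_enabled"] = True
_dom["authentication_backend"]["config"]["hosts"] = ["myldapserver.mycompany.sth.st:1636"]
_dom["authentication_backend"]["config"]["pemtrustedcas_filepath"] = "/path/to/ca.pem"  # placeholder

def lint_ldap_authc(config):
    """Return one finding per problem in every authc domain whose backend is ldap."""
    findings = []
    for name, domain in config["config"]["dynamic"]["authc"].items():
        backend = domain.get("authentication_backend", {})
        if backend.get("type") != "ldap":
            continue
        cfg = backend.get("config", {})
        if not domain.get("http_enabled", False):
            findings.append(f"{name}: http_enabled is false, so REST logins never reach this domain")
        for host in cfg.get("hosts", []):
            if "://" in host:
                findings.append(f"{name}: host '{host}' carries a scheme; use host:port and enable_ssl")
        tls = cfg.get("enable_ssl") or cfg.get("enable_start_tls")
        if tls and not (cfg.get("pemtrustedcas_filepath") or cfg.get("pemtrustedcas_content")):
            findings.append(f"{name}: TLS enabled but no trusted CA given; the server cert cannot be verified")
        if cfg.get("enable_ssl") and cfg.get("enable_start_tls"):
            findings.append(f"{name}: enable_ssl and enable_start_tls are both true; pick one")
        if tls and not cfg.get("verify_hostnames", True):
            findings.append(f"{name}: verify_hostnames is false, which weakens the TLS check")
    return findings

if __name__ == "__main__":
    for line in lint_ldap_authc(SAMPLE_CONFIG):
        print(line)
```

Feed it the real output of the `securityconfig` call (after stripping `?pretty` noise it is plain JSON) to get the same findings for a live cluster.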