Opensearch connection error with LDAP server

Good evening,

I would like to enable authentication and authorization with LDAP and for this purpose I am following

I edited the config.yml file similarly to what is described there, with my own credentials and with the path to a different CA file than the one used in the nodes. Then I updated OpenSearch by running securityadmin.sh. My hostname at config: hosts: has the form

config:
  hosts:
    - ldaps://example.de:636

I get a java.lang.NumberFormatException with this host. I also tried some variations, and other variations give other errors; for example

config:
  hosts:
    - ldaps.example.de:636

throws an UnknownHostException and

config:
  hosts:
    - test.de:636

does not throw any error at all.
So my question would be what is wrong with the string as written in that format?

I would be very thankful for a response!

Are you intending to use LDAPS - i.e. secure connection between the OpenSearch nodes and the AD server ? If so, please make sure you’re configuring the proper values for TLS.

Enabling TLS:

Using the proper CA cert (this would be the certificate of the CA that signed your AD server’s cert)

Hello,

Yes, I am using SSL. I think I solved the problem by using

        hosts:
          - my-ldap-host.de:636

without ldaps:// and just did not notice that the error is this time a different one.

My config looks like this:

authc:
  ldap:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: ldap
      config:
        enable_ssl: true
        pemtrustedcas_filepath: '/home/myhostname/opensearch-2.0.0/config/my-ca.pem'
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - my-ldap-host:636
        bind_dn: "xxxxx"
        password: xxxxx
        userbase: "xxxxx"
        usersearch: '(sAMAccountName={0})'
        username_attribute: null
authz:
  ldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        pemtrustedcas_filepath: '/home/myhostname/opensearch-2.0.0/config/my-ca.pem'
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - my-ldap-host.de:636
        bind_dn: "xxxxx"
        password: xxxxxxx
        userbase: "xxxx"   # key is 'userbase', not 'usersbase'
        usersearch: '(sAMAccountName={0})'
        username_attribute: null
        rolesearch_enabled: false
        skip_users:
          - kibanaserver
          - admin

Now I have the following problem when I am trying to log in with my ldap credentials

[WARN ][o.o.s.a.BackendRegistry  ] [node1] Authentication finally failed for Test from myhost:myport
[INFO ][o.o.a.t.RCFResultTransportAction] [node1] Serve rcf request for xxxx-someID-xxxx

The WARN comes when I try to log in with a non-existing user named “Test”, and the INFO with [o.o.a.t.RCFResultTransportAction] comes when I try to log in with my real credentials. From this I conclude that this is somehow working, but not quite.
Does anyone know what this message means?
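A small pre-flight checker for the `config:` block of an LDAP backend, added here as an example (not OpenSearch's own code, and not from the original posts). It reproduces the thread's finding that a `hosts:` entry must be plain `host:port` without an `ldaps://` scheme, and flags the weak `verify_hostnames: false` setting that the posted config carries. The config dict mirrors the posted authc block with constructed placeholder values.

```python
"""Pre-flight checks for an OpenSearch security LDAP 'config:' block.
Added example; key names follow those used in the posted config.yml."""
from typing import Dict, List, Tuple


def parse_host(entry: str) -> Tuple[str, int]:
    """Split a hosts: entry into (host, port). A scheme prefix such as
    ldaps:// is rejected: the plugin expects host:port, and a scheme makes
    the port field unparsable (the NumberFormatException in the thread).
    IPv6 literals are not handled here (assumption: hostnames only)."""
    if "://" in entry:
        raise ValueError(f"scheme prefix not allowed in hosts entry: {entry!r}")
    host, sep, port = entry.rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected host:port, got {entry!r}")
    if not port.isdigit():
        raise ValueError(f"port is not numeric in {entry!r}")
    return host, int(port)


def lint_ldap_config(cfg: Dict) -> List[str]:
    """Return findings for one backend 'config:' block; empty means clean."""
    findings: List[str] = []
    for entry in cfg.get("hosts", []):
        try:
            host, port = parse_host(entry)
        except ValueError as exc:
            findings.append(f"hosts: {exc}")
            continue
        if port == 636 and not cfg.get("enable_ssl"):
            findings.append(f"hosts: {entry} uses the LDAPS port but enable_ssl is false")
        if "." not in host:  # e.g. 'my-ldap-host' without a domain suffix
            findings.append(f"hosts: {host!r} is a short name; it may not resolve from every node")
    if cfg.get("enable_ssl"):
        if not cfg.get("verify_hostnames", True):
            findings.append("verify_hostnames: false skips the hostname check on the server cert "
                            "(an attacker with any cert from the trusted CA could impersonate the server)")
        if not cfg.get("pemtrustedcas_filepath"):
            findings.append("enable_ssl is true but pemtrustedcas_filepath is not set")
    if "usersbase" in cfg:
        findings.append("'usersbase' looks like a typo of 'userbase'")
    return findings


# Constructed sample mirroring the posted authc block (placeholder secrets).
POSTED_AUTHC = {
    "enable_ssl": True,
    "pemtrustedcas_filepath": "/home/myhostname/opensearch-2.0.0/config/my-ca.pem",
    "enable_start_tls": False, "enable_ssl_client_auth": False,
    "verify_hostnames": False, "hosts": ["my-ldap-host:636"],
    "bind_dn": "xxxxx", "password": "xxxxx", "userbase": "xxxxx",
    "usersearch": "(sAMAccountName={0})", "username_attribute": None,
}
```

Running `lint_ldap_config(POSTED_AUTHC)` returns two findings (short hostname, verify_hostnames disabled); swapping the host for `ldaps://example.de:636` returns the scheme-prefix finding instead.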

@user2111 Are you getting authenticated with the LDAP user?

If the user doesn’t exist in the AD domain it will be challenged anyway.

If you’d like to remove the WARN message you should try to add this user to skip_users in the authc section of config.yml.

@Mussorgsky and @pablo Thank you very much for your response.
I think the authentication works. I think the problem is that I don’t have permissions for the LDAP users. For this I have to do a role mapping. I created a read-only role in Dashboards and an ldap-read-only user. When I go to the read-only role I have the column “Mapped user” where I have mapped my ldap-read-only user.
Now, how exactly does the mapping to the LDAP server work? Do I have to write the bind_dn of the LDAP server into the backend role section? Is this enough?

Since I have not solved the problem yet but the title is not suitable any more I will start a new topic.