Opensearch LDAPs certificate

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

Hello community, I am trying to configure OpenSearch with LDAPS. I have exported the certificate from the Active Directory and then converted it to PEM using the command openssl x509 -inform DER -in ldaps_cert.cer -out ldaps_cert.pem . Afterwards, I added it to the opensearch.yml file as shown in the configuration below:

Configuration:

ash-4.2# cat opensearch.yml
cluster.name: docker-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
discovery.type: single-node

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: ldap_cert.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath:esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
  - CN=dc_name-WIN-DC-CA,DC=dc_name,DC=lab
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
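
A pre-flight check for the steps described in the post above, as an added example that is not part of the original thread: for each `*_filepath` setting in opensearch.yml it reports a missing space after the colon, a file that is absent from the config directory, or a file that is not PEM-encoded. The function names, the temporary directory and the placeholder file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# "plugins.security...._filepath:" followed by optional whitespace and a value.
SETTING = re.compile(r"^\s*(plugins\.security\.\S*?_filepath):(\s*)(\S+)\s*$")

def check_pem_paths(config_text, config_dir):
    """Return (key, value, problem) for every *_filepath setting that looks wrong."""
    findings = []
    for line in config_text.splitlines():
        m = SETTING.match(line)
        if not m:
            continue  # comments and unrelated settings are skipped
        key, gap, value = m.groups()
        if gap == "":
            findings.append((key, value, "no space after ':' (not a YAML key/value pair)"))
        path = Path(config_dir) / value  # relative paths resolve against the config dir
        if not path.is_file():
            findings.append((key, value, "file not found"))
        elif not path.read_bytes().lstrip().startswith(b"-----BEGIN "):
            findings.append((key, value, "not PEM (DER or other encoding)"))
    return findings

# Constructed sample: the *_filepath lines as they appear in the posted opensearch.yml.
SAMPLE = """\
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: ldap_cert.pem
plugins.security.ssl.http.pemcert_filepath:esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
"""

def demo():
    """Lint SAMPLE against a constructed config directory."""
    with tempfile.TemporaryDirectory() as d:
        # ldaps_cert.pem is the output name used by the openssl command in the post.
        for name in ("esnode.pem", "esnode-key.pem", "root-ca.pem", "ldaps_cert.pem"):
            (Path(d) / name).write_text("-----BEGIN CERTIFICATE-----\n(placeholder)\n")
        return check_pem_paths(SAMPLE, d)

if __name__ == "__main__":
    for key, value, problem in demo():
        print(f"{key} = {value}: {problem}")
```
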

@Keo Could you confirm that this case is a duplicate of Opensearch certificate?