OpenSearch LDAPS

@Scarecrow What roles do you get when you run the below command?

curl --insecure -u <ldap_user> -XGET https://<OpenSearch_node>:9200/_plugins/_security/authinfo?pretty

I get this as a result:
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

Which is strange, since I can log in via my LDAP credentials and I'm using the same cert.pem twice, for both authc and authz, in my config.yml.

If I log in via my LDAP credentials and look at my roles (top right corner), I just have access to my "own_index" and have zero backend roles. So it seems my role mapping is not correct (which is contradicted by the AD group that is in the all_access role next to the admin user).

@Scarecrow

Try changing:

rolesearch: memberOf

to:

rolesearch: "(member={0})"

@Scarecrow

You can also comment out or remove the below section from authz only.

  userbase: 'cn=xx,dc=xxx,dc=xxxl'
  usersearch: '(mail={0})'
  username_attribute: cn

@pablo I can confirm that did the trick!

For future reference, the LDAP authentication config (config.yml):

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            # CA used to verify the LDAP server certificate (same file as in authz below)
            pemtrustedcas_filepath: "cert.pem"
            enable_start_tls: false
            enable_ssl_client_auth: false
            # false here but true in authz: the authc bind does not check that the
            # certificate name matches the host listed in `hosts`
            verify_hostnames: false
            hosts:
            - xxxxxx:636
            bind_dn: 'CN=x,OU=x,OU=x,DC=x,DC=x'
            password: 'xxxxx'
            userbase: 'OU=x,OU=x,OU=x,OU=x,DC=xx,DC=x'
            # {0} is the name typed at login, so users sign in with their mail address
            usersearch: '(mail={0})'
            # null: the typed name is kept as the user name, not replaced by an attribute
            username_attribute: null
    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            pemtrustedcas_filepath: "cert.pem"
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - xxxxx:636
            bind_dn: 'CN=x,OU=x,OU=x,DC=x,DC=x'
            password: 'xxxxx'
            # internal users that must not be looked up in LDAP
            skip_users:
              - "admin"
              - "kibanaserver"
            rolebase: 'OU=x,OU=x,OU=x,OU=x,DC=x,DC=x'
            # {0} is the authenticated user's DN: find the groups listing it as a member
            rolesearch: "(member={0})"
            userroleattribute: null
            # disabled: roles come only from the group search above, not from a
            # user attribute such as memberOf
            userrolename: disabled
            # group attribute used as the backend role name
            rolename: cn
            # also return groups that contain a matched group
            resolve_nested_roles: true

On to actually starting to use/abuse the system now :slight_smile:
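As an added illustration of why pablo's fix works and of what the final config above actually computes, the following Python model runs the authc and authz chain against a small constructed directory. It is not the OpenSearch security plugin's code and not part of this thread; the base DNs, the entries, the mail addresses and the group names are assumptions. It only implements the single equality filter with `{0}`/`{1}` placeholders that the page's config uses, and shows that a bare `memberOf` is an attribute name rather than a filter and can never match, while `(member={0})` with the user DN substituted does, with `resolve_nested_roles` and `skip_users` behaving as configured.

```python
"""Model of the LDAP authc -> authz chain configured in this thread.

Added example; this is not the OpenSearch security plugin's code. The
directory is constructed, and the search supports only the single
equality filter with {0}/{1} placeholders that the page's config uses.
"""
import re

# Constructed directory: DN -> attributes. `all-staff` contains the
# `opensearch-admins` group, so alice's membership there is nested.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "cn": ["alice"],
        "mail": ["alice@example.com"],
        "memberof": ["cn=opensearch-admins,ou=groups,dc=example,dc=com"],
    },
    "cn=opensearch-admins,ou=groups,dc=example,dc=com": {
        "cn": ["opensearch-admins"],
        "member": ["cn=alice,ou=users,dc=example,dc=com"],
    },
    "cn=all-staff,ou=groups,dc=example,dc=com": {
        "cn": ["all-staff"],
        "member": ["cn=opensearch-admins,ou=groups,dc=example,dc=com"],
    },
}

# The values from the page's authz section, with assumed base DNs.
CONFIG = {
    "userbase": "ou=users,dc=example,dc=com",
    "usersearch": "(mail={0})",
    "skip_users": ["admin", "kibanaserver"],
    "rolebase": "ou=groups,dc=example,dc=com",
    "rolesearch": "(member={0})",
    "userrolename": "disabled",
    "rolename": "cn",
    "resolve_nested_roles": True,
}

EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def ldap_search(base, filter_template, *subs):
    """DNs under `base` matching the filter after {i} -> subs[i] substitution.

    The plugin fills {0} with the user name in usersearch and with the
    user DN in rolesearch ({1} is the user name there).
    """
    flt = filter_template
    for i, value in enumerate(subs):
        flt = flt.replace("{%d}" % i, value)
    match = EQUALITY_FILTER.match(flt)
    if match is None:
        # A bare `memberOf` ends up here: it is an attribute name, not a
        # filter, so no group can ever be found with it.
        raise ValueError("not an LDAP equality filter: %r" % filter_template)
    attr, wanted = match.group(1).lower(), match.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and wanted in [v.lower() for v in attrs.get(attr, [])]]


def resolve_roles(username, cfg=CONFIG):
    """Backend roles for `username`, as the authz section would compute them."""
    if username in cfg["skip_users"]:
        return set()                       # internal users are never looked up
    hits = ldap_search(cfg["userbase"], cfg["usersearch"], username)
    if len(hits) != 1:
        return set()                       # unknown or ambiguous user
    user_dn = hits[0]
    roles, pending, seen = set(), [user_dn], set()
    while pending:                         # group search, optionally nested
        dn = pending.pop()
        if dn in seen:
            continue                       # guards against membership cycles
        seen.add(dn)
        for group_dn in ldap_search(cfg["rolebase"], cfg["rolesearch"], dn, username):
            roles.add(DIRECTORY[group_dn][cfg["rolename"]][0])
            if cfg["resolve_nested_roles"]:
                pending.append(group_dn)   # groups containing this group
    if cfg["userrolename"] != "disabled":  # the memberOf-on-the-user alternative
        for group_dn in DIRECTORY[user_dn].get(cfg["userrolename"].lower(), []):
            roles.add(DIRECTORY[group_dn][cfg["rolename"]][0])
    return roles


if __name__ == "__main__":
    print(resolve_roles("alice@example.com"))   # {'opensearch-admins', 'all-staff'}
    print(resolve_roles("admin"))               # set()
```

Running it with `rolesearch` set to the original `memberOf` raises immediately instead of silently returning no roles, which is the practical difference between this model and a live server: the plugin simply found nothing, which is why the UI showed zero backend roles while the AD group was correctly mapped to all_access.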