Opensearch not picking up LDAP configuration (although displaying it in Dashboards)

Hiho,

I’m trying to get LDAP authc running in k8s (App Version 1.3.1, Chart 1.10.0) but end up with a 401/unauthorized and no useful error/info in the logs even with debug enabled (basic auth with internal user database is working).
I’ve read a lot of ldap topics here and tried several modifications but nothing seems to work.
Even if I set wrong values and only enable ldap authc I can’t squeeze a single error line out of opensearch; it looks to me as if it is just ignoring the settings although they are visible in Dashboards (which sends back the 401 status code and {"type":"log","@timestamp":"2022-04-22T17:54:03Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed authentication: Error: Authentication Exception"}).

My current setup is:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - my-ldap-ad:636
            bind_dn: cn=opensearch,ou=appuser,dc=mydc,dc=mydc2,dc=mydc3
            password: mypasswd
            userbase: ou=user,dc=mydc,dc=mydc2,dc=mydc3
            usersearch: '(sAMAccountName={0})'
            username_attribute: "sAMAccountName"

The bind_dn and PW are tested and OK → ldapsearch login successful, curl can connect to the ldap server in the opensearch container and also on the host machine, and the credentials are working in another SW using the same ldap config.

curl --insecure -u admin -XGET https://localhost:9200/_opendistro/_security/authinfo?pretty is giving me correct values; with an ldap user I just receive 401 and I can only see the handshake in the opensearch log.
With docker-compose setup I’m facing the same issues (gave it a shot with simple settings but same ldap conf).

Well, is there any setting for Dashboards to get more logs (I’m already using logging.verbose: true) or does anyone have a suggestion for what I can look for?
Atm I’m pretty clueless :confused:

regards


@chrismanynames Could you share the authz config?

I’m using the same credentials to connect. I’ve tried to limit the group search to one possible match (which works with ldapsearch), but unfortunately no luck.

    authz:
      ldap_roles:
        description: Authorize via LDAP or Active Directory
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - my-ldap-ad:636
            bind_dn: cn=opensearch,ou=appuser,dc=mydc,dc=mydc2,dc=mydc3
            password: mypasswd
            userbase: ou=user,dc=mydc,dc=mydc2,dc=mydc3
            usersearch: '(sAMAccountName={0})'
            username_attribute: "sAMAccountName"
            rolebase: 'ou=usergroups,ou=user,dc=mydc,dc=mydc2,dc=mydc3'
            rolesearch: '(member={0})'
            userrolename: none
            rolename: cn
            resolve_nested_roles: false

I was able to get it running. After some tracing I figured out that my ldap server cert was not trusted (its certificate was issued by the same CA as opensearch itself, which is trusted).
However, I put the root CA path inside the config file and wow, it’s working :wink:

          type: ldap
          config:
            pemtrustedcas_filepath: /usr/share/opensearch/config/ldaprootca.pem
            # enable ldaps
            enable_ssl: true
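
As an added example (not code from the thread or from the OpenSearch project), a small Python linter that catches the trust gap found above: it walks the parsed config.yml (as a dict, the way yaml.safe_load returns it) and flags LDAP backends that enable TLS without a pemtrustedcas_filepath or pemtrustedcas_content. The sample configs are constructed to mirror the posted authc/authz domains; hosts and DNs are placeholders.

```python
# Added example, not from the thread or the OpenSearch project: lint the LDAP
# TLS trust settings of a parsed security config.yml (a dict as yaml.safe_load
# returns). Sample configs below are constructed to mirror the thread's domains.

def ldap_backends(security_config):
    """Yield (domain path, backend config) for every LDAP authc/authz backend."""
    dynamic = security_config.get("config", {}).get("dynamic", {})
    for section, key in (("authc", "authentication_backend"),
                         ("authz", "authorization_backend")):
        for name, domain in dynamic.get(section, {}).items():
            backend = domain.get(key, {})
            if backend.get("type") == "ldap":
                yield f"{section}.{name}", backend.get("config", {})

def lint_ldap_trust(security_config):
    """Return findings for LDAP backends whose TLS setup fails without a log line."""
    findings = []
    for path, cfg in ldap_backends(security_config):
        uses_tls = bool(cfg.get("enable_ssl") or cfg.get("enable_start_tls"))
        has_ca = bool(cfg.get("pemtrustedcas_filepath") or cfg.get("pemtrustedcas_content"))
        if uses_tls and not has_ca:
            # The LDAP client has its own trust store setting; the CA under
            # plugins.security.ssl.transport did not cover it in the thread.
            findings.append(f"{path}: TLS enabled but no pemtrustedcas_filepath or "
                            "pemtrustedcas_content; a private-CA server cert is "
                            "rejected and every LDAP login ends in 401")
        elif uses_tls and cfg.get("verify_hostnames") is False:
            findings.append(f"{path}: verify_hostnames is false; fix trust with the "
                            "CA file instead of disabling hostname checks")
        elif not uses_tls:
            findings.append(f"{path}: plaintext LDAP; bind and user passwords "
                            "cross the network unencrypted")
    return findings

def _domain(key, extra=None):
    cfg = {"enable_ssl": True, "enable_start_tls": False, "verify_hostnames": True,
           "hosts": ["my-ldap-ad:636"],
           "bind_dn": "cn=opensearch,ou=appuser,dc=mydc,dc=mydc2,dc=mydc3",
           "userbase": "ou=user,dc=mydc,dc=mydc2,dc=mydc3",
           "usersearch": "(sAMAccountName={0})", **(extra or {})}
    return {"http_enabled": True, "transport_enabled": True,
            key: {"type": "ldap", "config": cfg}}

CA = {"pemtrustedcas_filepath": "/usr/share/opensearch/config/ldaprootca.pem"}
THREAD_CONFIG = {"config": {"dynamic": {           # as posted: no LDAP CA path
    "authc": {"ldap": _domain("authentication_backend")},
    "authz": {"ldap_roles": _domain("authorization_backend")}}}}
FIXED_CONFIG = {"config": {"dynamic": {            # with the CA path that fixed it
    "authc": {"ldap": _domain("authentication_backend", CA)},
    "authz": {"ldap_roles": _domain("authorization_backend", CA)}}}}
```

Running lint_ldap_trust(THREAD_CONFIG) reports both the authc and authz backend; the same call on FIXED_CONFIG returns no findings.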

@chrismanynames If you use self-signed certificates you need to point them in the security plugin configuration.

My certs are all from the same custom CA (not self signed), according to the documentation I thought I only have to define my root certificate in the opensearch.yml but maybe I got something wrong.

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: /usr/share/opensearch/config/node.pem
        pemkey_filepath: /usr/share/opensearch/config/node-key.pem
        pemtrustedcas_filepath: /usr/share/opensearch/config/ldaprootca.pem

@chrismanynames Is your custom CA signed by the commercial CA?

I’m facing the same issue, but adding pemtrustedcas_filepath does not appear to help. Why on earth is nothing being logged?

See also: LDAP issue for AD integration, opensearch-project/security issue #777 on GitHub.

@opoplawski Could you open a new thread and share your config.yml file there?