Opensearch-security config.yml config ignored

Hello,

I’ve just read a lot of topics with almost the same problem as mine but can’t fix it…

I’m using OpenSearch and OpenSearch Dashboards, both v2.11.1.

I think I put the correct config, but LDAP is still not working when I try to log into OpenSearch Dashboards or with a curl command. I also noticed that in OpenSearch Dashboards, under Security > Authentication, the authentication type list isn’t the same as in my file. Even the HTTP and Transport settings are different. Also, if I rename my config.yml to config.old nothing happens, as if the file is completely ignored.

Here is my config file:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap_auth:
        order: 1
        description: "Authenticate using LDAP"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - myldapserver.local:389
            bind_dn: cn=user1,ou=users,dc=myldapserver,dc=local
            password: xxxx (password of the user user1)
            userbase: ou=users,dc=myldapserver,dc=local
            usersearch: (cn={0})
            username_attribute: cn

    authz:
      ldap_roles:
        description: "Authorize using LDAP"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - myldapserver.local:389
            bind_dn: cn=user1,ou=users,dc=myldapserver,dc=local
            password: xxxx (password of the user user1)
            userbase: ou=users,dc=myldapserver,dc=local
            usersearch: (cn={0})
            username_attribute: cn
            skip_users:
              - admin
              - kibanaserver
            rolebase: ou=roles,dc=myldapserver,dc=local
            rolesearch: (uniqueMember={0})
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: false

Can anyone help, please?

Thank you !!!

Hi @Mercurochrome7,

Could you please run the below command and share the output:
(note: blank all sensitive information)

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty

Thanks,
mj

Hi @Mantas, and thank you for your reply!!

I tried this command and it sends me the default config (not the one I configured in /etc/opensearch/opensearch-security/config.yml):

{
  "config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "private_tenant_enabled" : true,
        "default_tenant" : "",
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },
      "http" : {
        "anonymous_auth_enabled" : false,
        "xff" : {
          "enabled" : false,
          "internalProxies" : "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader" : "X-Forwarded-For"
        }
      },
      "authc" : {
        "jwt_auth_domain" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "order" : 0,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "jwt",
            "config" : {
              "signing_key" : "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header" : "Authorization",
              "jwt_clock_skew_tolerance_seconds" : 30
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via Json Web Token"
        },
        "ldap" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "order" : 5,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(sAMAccountName={0})"
            }
          },
          "description" : "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain" : {
          "http_enabled" : true,
          "transport_enabled" : true,
          "order" : 4,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "basic",
            "config" : { }
          },
          "authentication_backend" : {
            "type" : "intern",
            "config" : { }
          },
          "description" : "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "order" : 3,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "proxy",
            "config" : {
              "user_header" : "x-proxy-user",
              "roles_header" : "x-proxy-roles"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via proxy"
        },
        "clientcert_auth_domain" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "order" : 2,
          "http_authenticator" : {
            "challenge" : false,
            "type" : "clientcert",
            "config" : {
              "username_attribute" : "cn"
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          },
          "description" : "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "order" : 6,
          "http_authenticator" : {
            "challenge" : true,
            "type" : "kerberos",
            "config" : {
              "krb_debug" : false,
              "strip_realm_from_principal" : true
            }
          },
          "authentication_backend" : {
            "type" : "noop",
            "config" : { }
          }
        }
      },
      "authz" : {
        "roles_from_another_ldap" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : { }
          },
          "description" : "Authorize via another Active Directory"
        },
        "roles_from_myldap" : {
          "http_enabled" : false,
          "transport_enabled" : false,
          "authorization_backend" : {
            "type" : "ldap",
            "config" : {
              "enable_ssl" : false,
              "enable_start_tls" : false,
              "enable_ssl_client_auth" : false,
              "verify_hostnames" : true,
              "hosts" : [
                "localhost:8389"
              ],
              "rolebase" : "ou=groups,dc=example,dc=com",
              "rolesearch" : "(member={0})",
              "userrolename" : "disabled",
              "rolename" : "cn",
              "resolve_nested_roles" : true,
              "userbase" : "ou=people,dc=example,dc=com",
              "usersearch" : "(uid={0})"
            }
          },
          "description" : "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners" : { },
      "do_not_fail_on_forbidden" : false,
      "multi_rolespan_enabled" : true,
      "hosts_resolver_mode" : "ip-only",
      "do_not_fail_on_forbidden_empty" : false
    }
  }
}
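The mismatch above (the API returning the shipped defaults while config.yml defines other domains) can be checked mechanically. The following is an added example, not code from the thread or from the OpenSearch project: it compares the domains in a local config (embedded here as a constructed dict) with the body returned by the securityconfig API (a constructed excerpt of the response quoted above) and reports what the cluster is not actually serving.

```python
"""Detect drift between the security config.yml on disk and the configuration
the cluster actually serves (GET /_plugins/_security/api/securityconfig)."""
import json

# Constructed sample: the domains from the poster's config.yml, already parsed
# into Python so that PyYAML is not required.
LOCAL_CONFIG = {"config": {"dynamic": {
    "authc": {
        "internal_auth": {"order": 0, "http_enabled": True,
                          "authentication_backend": {"type": "internal"}},
        "ldap_auth": {"order": 1, "http_enabled": True,
                      "authentication_backend": {"type": "ldap"}}},
    "authz": {
        "ldap_roles": {"http_enabled": True,
                       "authorization_backend": {"type": "ldap"}}}}}}

# Constructed sample: a trimmed excerpt of the API response quoted in the
# thread (the shipped default config, not the file above).
LIVE_RESPONSE = '''{"config": {"dynamic": {
  "authc": {
    "ldap": {"http_enabled": false, "order": 5,
             "authentication_backend": {"type": "ldap", "config": {}}},
    "basic_internal_auth_domain": {"http_enabled": true, "order": 4,
             "authentication_backend": {"type": "intern", "config": {}}}},
  "authz": {
    "roles_from_myldap": {"http_enabled": false,
             "authorization_backend": {"type": "ldap", "config": {}}}}}}}'''

def domain_summary(cfg, section):
    """Map domain -> (backend type, http_enabled); "intern" is the default file's spelling of "internal"."""
    key = "authentication_backend" if section == "authc" else "authorization_backend"
    return {name: ({"intern": "internal"}.get(d[key]["type"], d[key]["type"]),
                   bool(d.get("http_enabled")))
            for name, d in cfg["config"]["dynamic"].get(section, {}).items()}

def config_drift(local, live_body):
    """Compare the local dict with the raw API body: domains the file defines that
    the cluster lacks, domains served that the file never defined, and backends
    the file enables for HTTP that no served domain enables (those logins fail)."""
    live = json.loads(live_body)
    report = {"missing_on_cluster": [], "unexpected_on_cluster": [], "backend_not_served": []}
    for section in ("authc", "authz"):
        want, have = domain_summary(local, section), domain_summary(live, section)
        report["missing_on_cluster"] += [f"{section}/{n}" for n in want if n not in have]
        report["unexpected_on_cluster"] += [f"{section}/{n}" for n in have if n not in want]
        for btype in sorted({t for t, on in want.values() if on}):
            if not any(t == btype and on for t, on in have.values()):
                report["backend_not_served"].append(f"{section}/{btype}")
    return report
```

An empty report means the cluster serves exactly what the file defines; anything under `backend_not_served` explains why an LDAP login fails even though the file looks correct.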

@Mercurochrome7 you are welcome!

To apply changes you will need to follow the instructions here:

Applying changes to configuration files - OpenSearch Documentation

The sample command:

./securityadmin.sh -f /usr/share/opensearch/config/opensearch-security/config.yml -icl -nhnv -cert ../../../config/kirk.pem -cacert ../../../config/root-ca.pem -key ../../../config/kirk.key -t config

Let me know if you have any questions or if something is unclear.

Best,
mj

Yes, I tried that too, but I’m not sure I understand this step well. Do I have to use those files anyway, or do I need to use a different cert if I want to use the certificate from my LDAP server?

I get this message:

**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to xxxxxx:9200 ... done
Connected as "CN=kirk,OU=client,O=client,L=test,C=de"
ERR: "CN=kirk,OU=client,O=client,L=test,C=de" is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
  - ""CN=kirk,OU=client,O=client,L=test,C=de""

And in my opensearch.yml I have the default security config, but I just changed “plugins.security.authcz.admin_dn” with my information and it doesn’t seem to be applied.

Can you share your opensearch.yml file?

Have you rebooted your nodes after updating your nodes’ config files?

Best,
mj

Here it is:

node.name: mynode
path.data: /share/data
path.repo: ["/share/repo"]
network.host: x.x.x.x
http.port: 9200
cluster.initial_cluster_manager_nodes: ["mycluster"]

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: 
  - "CN=admin,DC=mydomain,DC=com"

plugins.security.audit.type: debug
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3

I just tried to reboot but it’s still the same.

You will need to add - ""CN=kirk,OU=client,O=client,L=test,C=de"" to plugins.security.authcz.admin_dn: or use a cert with "CN=admin,DC=mydomain,DC=com" as its DN.

Best,
mj
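The root cause in this exchange is that the DN securityadmin presents (from kirk.pem) is not the DN listed under plugins.security.authcz.admin_dn. As an added example, not part of the thread and not an OpenSearch tool, the following pre-flight check pulls the admin_dn entries out of a constructed opensearch.yml excerpt and compares them with the certificate subject DN after RFC 2253 style normalization; the assumption that this normalization mirrors the cluster's own DN comparison is stated in the code.

```python
"""Pre-flight check for securityadmin.sh: is the DN of the client certificate
listed under plugins.security.authcz.admin_dn in opensearch.yml?"""
import re

# Constructed sample: the admin_dn block from the poster's opensearch.yml and
# the subject DN securityadmin reported for the demo kirk.pem certificate.
OPENSEARCH_YML = """plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - "CN=admin,DC=mydomain,DC=com"

plugins.security.audit.type: debug
"""
CERT_SUBJECT = "CN=kirk,OU=client,O=client,L=test,C=de"

def admin_dns_from_yaml(text):
    """Collect the block-list items directly under admin_dn. Deliberately
    minimal (no PyYAML dependency): quoted or bare items, one per line."""
    dns, in_block = [], False
    for line in text.splitlines():
        if line.startswith("plugins.security.authcz.admin_dn:"):
            in_block = True
            continue
        item = re.match(r'''\s+-\s*["']?([^"']*)["']?\s*$''', line)
        if in_block and item:
            dns.append(item.group(1).strip())
        elif in_block and line.strip():
            in_block = False  # the next top-level key ends the list
    return dns

def normalize_dn(dn):
    """RFC 2253 style canonical form: attribute types are case-insensitive and
    whitespace around '=' and ',' is insignificant; values keep their case."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        typ, _, val = rdn.partition("=")
        rdns.append(f"{typ.strip().upper()}={val.strip()}")
    return ",".join(rdns)

def is_registered_admin(cert_subject, admin_dns):
    """True when the certificate DN matches one admin_dn entry after normalization.
    Assumption: this mirrors the cluster's own DN comparison closely enough for a
    pre-flight check; the cluster's verdict remains authoritative."""
    want = normalize_dn(cert_subject)
    return any(normalize_dn(d) == want for d in admin_dns)
```

Run against the sample it returns False for kirk's DN, which is exactly the "is not an admin user" situation in the error output above; after adding kirk's DN to the list (or switching to a certificate whose subject is the listed DN) it returns True.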

Ooooh okay, it’s as simple as that… I think I was confused between the LDAP certificates and the default OpenSearch certificate, so I put my domain information instead of the kirk information.

Now I can see in the logs that my LDAP request is received. I still have an error, but it looks fine: Empty file path for plugins.security.ssl.transport.truststore_filepath. I will give it a try and come back if I still need help or if it’s fine.

Thanks a lot!!!


It’s not a problem at all, glad to help and good luck with further set-up. If you get stuck, just share your config files, “the expected behaviour” and “the actual behaviour”.

best,
mj

Hello again!

I tried a few configurations with certificates.

First I got the “Empty file path for plugins.security.ssl.transport.truststore_filepath” error. It went away when I put this in the config file:

plugins.security.ssl.transport.truststore_filepath: mycert.jks
plugins.security.ssl.transport.truststore_password: mypassword

The error isn’t there anymore, even if I’m not sure of the truststore password… I will need to check this point.

Now I have this error: "Cannot authenticate rest user xxx (or add roles) with authdomain internal/0 of [AuthDomain........., try next"
[...]
Check authdomain for rest ldap/1 or 2 in total
Unable to connect to ldapserver xxxx due to java.io.EOFException. Try next.
Unable to connect to any of those ldap servers [xxxx] due to java.io.EOFException

I have to go but will try again tomorrow.

Hello,

It’s working!

My problem was that I had put my LDAP certificate into the /etc/opensearch/opensearch.yml config file instead of opensearch-security/config.yml, with:

...
authentication_backend:
  type: ldap
  config:
    pemtrustedcas_filepath: <location_of_my_ldap_certificate>
...

Thanks for helping me!!!

Have a nice day!


I am glad to hear that. Thanks for sharing your solution!

Best,
mj