Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.6
Describe the issue:
I would like to know if I could use the opensearch keystore to store the bind password for a domain user instead of using environment variables.
I tried these commands using the opensearch-keystore command, but it does not translate the variables to the actual values stored in the keystore.

```bash
export OPENSEARCH_JAVA_OPTS="--enable-native-access=ALL-UNNAMED"
/usr/share/opensearch/bin/opensearch-keystore add LDAP_USWIN_BIND_PASSWORD
```

config.yml:

```yaml
password: "${keystore.LDAP_USWIN_BIND_PASSWORD}"
```

With environment variables, the variable gets translated to values. That’s not the case with keystore; it remains the same.
Thanks
Murali
pablo
May 13, 2026, 5:56pm
2
@muraliv Currently, the OpenSearch security plugin supports environmental variables as an alternative to clear-text passwords in the config.yml. The security plugin can’t read opensearch.keystore.
There is a feature request in the OpenSearch GitHub that already covers this scenario.
opened 05:33PM - 26 Jan 24 UTC
enhancement
Security
triaged
### Is your feature request related to a problem? Please describe
When integrating LDAP with OpenSearch for authentication, the password to authenticate to your LDAP server is set in cleartext in */etc/opensearch/opensearch-security/config.yml* file. It is possible to protect the file in the system to prevent unauthorized access but the information can be viewed in opensearch-dashboard.
### Describe the solution you'd like
A solution to this issue would be to use *opensearch-keystore* to hide the credentials.
The following options need to be secured: **bind_dn** and **password**.
### Related component
Other
### Describe alternatives you've considered
We tried using environment variables to hide the password but it did not work.
### Additional context
Steps to reproduce:
From the opensearch-dashboard, go to security tab then Authentication, and click on view expression, it shows the service account password that was used in clear text.
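
An added example (not from the thread or the OpenSearch project): a small Python check that flags `password` and `bind_dn` entries in a security `config.yml` that are literal values or use a placeholder the security plugin will not resolve, such as the `${keystore.LDAP_USWIN_BIND_PASSWORD}` form tried above. The `${env.X}`, `${envbc.X}` and `${envbase64.X}` placeholder forms, the host name and the second LDAP domain are assumptions; the sample config is constructed.

```python
import re

# Placeholder forms resolved from environment variables (assumption:
# ${env.X}, ${envbc.X}, ${envbase64.X}, optionally with a :-default).
ENV_REF = re.compile(r"^\$\{(env|envbc|envbase64)\.\w+(:-[^}]*)?\}$")
ANY_REF = re.compile(r"^\$\{[^}]+\}$")
# The two options the feature request names as needing protection.
SECRET_KEY = re.compile(r"^\s*(password|bind_dn)\s*:\s*(.*?)\s*$")

# Constructed sample fragment of a security config.yml (not a real deployment).
SAMPLE = '''\
authc:
  ldap_uswin:
    authentication_backend:
      type: ldap
      config:
        hosts: ["ldap.example.test:636"]
        bind_dn: "cn=svc-opensearch,dc=example,dc=test"
        password: "${keystore.LDAP_USWIN_BIND_PASSWORD}"
  ldap_other:
    authentication_backend:
      type: ldap
      config:
        bind_dn: "${env.LDAP_OTHER_BIND_DN}"
        password: "${env.LDAP_OTHER_BIND_PASSWORD}"
'''


def classify(value):
    """Return 'env', 'unresolved' or 'cleartext' for one config value."""
    value = value.strip().strip("\"'")
    if ENV_REF.match(value):
        return "env"
    if ANY_REF.match(value):
        return "unresolved"  # e.g. ${keystore.X}: stays a literal string
    return "cleartext"


def audit(config_text):
    """Return (line_no, key, verdict) for each password/bind_dn entry."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split(" #", 1)[0]  # drop trailing comments
        m = SECRET_KEY.match(line)
        if m and m.group(2):
            findings.append((no, m.group(1), classify(m.group(2))))
    return findings


if __name__ == "__main__":
    for no, key, verdict in audit(SAMPLE):
        print(f"line {no}: {key} -> {verdict}")
```

Entries reported as `unresolved` or `cleartext` are the ones to move to environment variables before the configuration is loaded.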
