Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch cluster aws - 2.3
OpenSearch Dashboard - 2.3.0-1
Describe the issue:
Installed the opensearch-dashboards 2.3.0-1 RPM package on RHEL 8.
Connected to the cluster endpoint with an internal user.
I put the LDAP configuration in several places, for example
- /usr/share/opensearch-dashboards/plugins/securityDashboards/config/config.yml
- /etc/opensearch-dashboards/config/config.yml
but after restarting and testing the connection I get this message in syslog:
{"type":"log","@timestamp":"2023-02-06T14:04:10Z","tags":["error","plugins","securityDashboards"],"pid":250579,"message":"Failed authentication: Error: Authentication Exception"}
Not a single line in the logs indicates that the domain was ever accessed.
Domain: Microsoft AD 2019.
The folder /var/log/opensearch-dashboards/ is empty.
Configuration:
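# OpenSearch Security backend configuration (config.yml) as pasted in the
# report. The paste had lost all indentation, so every key appeared at the
# top level (and keys such as `type`/`config` repeated as duplicates); the
# nesting below is restored from the security plugin's config.yml layout.
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn  # optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          # Unlike basic_internal_auth_domain above, this authenticator does
          # not challenge; the internal domain (order 4) is consulted first.
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # NOTE(review): SSL and StartTLS are both off and the hosts use
            # port 389, so the bind password and every user's credentials
            # cross the network in cleartext; verify_hostnames presumably has
            # no effect while TLS is disabled — confirm before production use.
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - 'dc01.rk.com:389'
              - 'dc02.rk.com:389'
            bind_dn: 'CN=srv_123,OU=Service Accounts,OU=it,DC=rk,DC=com'
            # Bind password is stored in the config file itself; the value
            # here is presumably a placeholder from the report.
            password: 'pass'
            users:
              1-userbase:
                # NOTE(review): this base looks like a single user's DN rather
                # than an OU/container, so the search can only ever match that
                # one entry — verify this is the intended user search base.
                base: 'CN=administrator 123,OU=Users,OU=It,DC=rk,DC=com'
                search: '(sAMAccountName={0})'
                username_attribute: 'cn'
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            # Same cleartext-LDAP and single-user-base caveats as the authc
            # `ldap` domain above; the two blocks are otherwise duplicated.
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - 'dc01.rk.com:389'
              - 'dc02.rk.com:389'
            bind_dn: 'CN=srv_123,OU=Service Accounts,OU=it,DC=rk,DC=com'
            password: 'pass'
            users:
              1-userbase:
                base: 'CN=administrator 123,OU=Users,OU=It,DC=rk,DC=com'
                search: '(sAMAccountName={0})'
                username_attribute: 'cn'
            roles:
              all_access:
                base: 'CN=es_users,OU=it,DC=rk,DC=com'
                search: '(member={0})'
            userroleattribute: null
            # Quoted so the comma-separated value stays a single string; it is
            # unclear from the report whether two attribute names are accepted
            # here — TODO confirm against the plugin documentation.
            userrolename: 'memberOf, SamAccountName'
            rolename: "cn"
            resolve_nested_roles: false
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          # (the report's paste ends here; the rest of this domain's config is not shown)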
Relevant Logs or Screenshots:
user-input[250581]: [root; 250436:/home/adm; 0:" 2184 2023-02-06T17:03:47: systemctl restart opensearch-dashboards.service; "]
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:56Z","tags":["info","plugins-service"],"pid":250579,"message":"Plugin "wizard" is disabled."}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:56Z","tags":["info","plugins-service"],"pid":250579,"message":"Plugin "visTypeXy" is disabled."}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:56Z","tags":["warning","config","deprecation"],"pid":250579,"message":""opensearch.requestHeadersWhitelist" is deprecated and has been replaced by "opensearch.requestHeadersAllowlist""}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:56Z","tags":["warning","config","deprecation"],"pid":250579,"message":""opensearch_security.basicauth.login.title" is deprecated and has been replaced by "opensearch_security.ui.basicauth.login.title""}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:57Z","tags":["info","plugins-system"],"pid":250579,"message":"Setting up [46] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,anomalyDetectionDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,notificationsDashboards,bfetch,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,observabilityDashboards,discover,savedObjectsManagement]"}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:57Z","tags":["info","savedobjects-service"],"pid":250579,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:57Z","tags":["info","savedobjects-service"],"pid":250579,"message":"Starting saved objects migrations"}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:57Z","tags":["info","plugins-system"],"pid":250579,"message":"Starting [46] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,anomalyDetectionDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,notificationsDashboards,bfetch,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,observabilityDashboards,discover,savedObjectsManagement]"}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:58Z","tags":["listening","info"],"pid":250579,"message":"Server running at http://0.0.0.0:5601"}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:03:58Z","tags":["info","http","server","OpenSearchDashboards"],"pid":250579,"message":"http server running at http://0.0.0.0:5601"}
opensearch-dashboards[250579]: {"type":"log","@timestamp":"2023-02-06T14:04:10Z","tags":["error","plugins","securityDashboards"],"pid":250579,"message":"Failed authentication: Error: Authentication Exception"}
opensearch-dashboards[250579]: {"type":"response","@timestamp":"2023-02-06T14:04:10Z","tags":[],"pid":250579,"method":"post","statusCode":401,"req":{"url":"/auth/login","method":"post","headers":{"host":"log-collector:5601","connection":"keep-alive","content-length":"71","user-agent":"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36","osd-version":"2.3.0","content-type":"application/json","accept":"/","origin":"http://log-collector:5601","referer":"http://log-collector:5601/app/login?","accept-encoding":"gzip, deflate","accept-language":"ru-RU,ru;q=0.9"},"remoteAddress":"10.100.1.75","userAgent":"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36","referer":"http://log-collector:5601/app/login?"},"res":{"statusCode":401,"responseTime":168,"contentLength":9},"message":"POST /auth/login 401 168ms - 9.0B"}