Security with RPM?

Hi,

Is it possible to activate the advanced security in the RPM version of the distro? For example, the Active Directory and LDAP authentication and authorization is only explained for the Docker version.

https://opendistro.github.io/for-elasticsearch-docs/docs/security/ldap/

Thanks a lot.

Hello Orion !
I think your question is the same as sirfraz's.
You should read the documentation. It describes how to configure config.yml to enable LDAP authentication (authc) and authorization (authz). It works for RPM installation !

Hope I helped
Thi

Hi @ThibaudF, thanks for the response.

But where is the documentation to configure it on the RPM distribution of the distro? I haven't found it.

Thanks a lot.

Hello !
For the RPM distribution, I did it this way, not sure it's the best way :sweat_smile: :

Just install ODfE RPMs.
You can find the security plugin configuration files here :
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig

The one for you is config.yml.
In the authc part, you have the LDAP configuration for authentication (being able to authenticate to elasticsearch/kibana).
In the authz part, you have the LDAP configuration for authorization (permissions for users).

      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null

Change each parameter to your LDAP configuration.
An example:

      ldap:
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            verify_hostnames: true
            # Here you can use 389 or 3268 (Better 3268 or you will have some errors)
            hosts:
              - LDAPSERVER.com:3268
            bind_dn: "cn=admin,ou=Users,dc=example,dc=org"
            password: "LDAPpassword"
            # Here is where to find your users accounts, you can just put the general base
            userbase: "dc=example,dc=org"
            usersearch: '(sAMAccountName={0})'
            # Put cn if you want to log in with the username, null if you want the full Distinguished Name, e.g. "cn=user1,dc=example,dc=org"
            username_attribute: "cn"

Don’t forget to change the authz part too, but I can’t help with this, I never tried.
Then run the securityadmin.sh script.

chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh

/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem -icl -nhnv -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig

Your security plugin is then updated and you can log in with LDAP.
And the documentation can help you.

Hope I was clear enough !
Thi
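
An added example, not part of the original post or of the Open Distro project's code: a small dependency-free check of the ldap authc block shown in the post above, run before the configuration is uploaded, that flags settings under which credentials reach the LDAP server unencrypted. The finding codes and the treatment of absent keys (enable_ssl and enable_start_tls read as false, verify_hostnames as true) are assumptions of this example.

```python
import re

# Constructed sample: the filled-in authc example above, password replaced by a placeholder.
SAMPLE = """\
      ldap:
        http_enabled: true
        transport_enabled: false
        authentication_backend:
          type: ldap
          config:
            verify_hostnames: true
            hosts:
              - LDAPSERVER.com:3268
            bind_dn: "cn=admin,ou=Users,dc=example,dc=org"
            password: "PLACEHOLDER"
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+):\s*(\S.*?)\s*$")

def parse_flat(text):
    """Collect scalar 'key: value' pairs from one ldap block.
    Line-based and dependency-free; not a general YAML parser."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = KEY_VALUE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("'\"")
    return settings

def audit_ldap(text):
    """Return finding codes (hypothetical names) for one ldap authc block."""
    s = parse_flat(text)
    def on(key, default="false"):  # assumption: absent key takes this default
        return s.get(key, default).lower() == "true"
    if not (on("http_enabled") or on("transport_enabled")):
        return []  # domain disabled, nothing is sent to the LDAP server
    findings = []
    ssl, starttls = on("enable_ssl"), on("enable_start_tls")
    if ssl and starttls:
        findings.append("ssl-and-starttls-both-set")  # template: enable_ssl should be false with StartTLS
    elif not (ssl or starttls):
        findings.append("cleartext-ldap")  # user and bind passwords cross the network unencrypted
    elif not on("verify_hostnames", "true"):
        findings.append("hostname-not-verified")  # TLS on, but server identity unchecked
    if s.get("password", "null") != "null":
        findings.append("bind-password-in-file")  # keep config.yml readable by the service user only
    return findings
```

Calling `audit_ldap(SAMPLE)` reports the cleartext bind; adding `enable_ssl: true` to the block clears that finding.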