Hello everyone,
I want to set up Opendistro or OpenSearch with Active Directory. As per the document and article, I tried to configure config.yml, but no luck, so can you help with how I can achieve this step by step?
Hi, maybe you can try to post your config files (without sensitive information).
This is my config.yml:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      internal_users_domain:
        description: "ElasticSearch Internal Users Database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      mycompany_local_ad_domain:
        description: "MyCompany Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - X.X.X.X:636
            # connect_timeout in milliseconds. How long does it take the server to respond
            connect_timeout: 3000
            # response_timeout in milliseconds. If 2FA is used, set to a value that gives users enough time to respond
            response_timeout: 30000
            bind_dn: 'CN=dharmin,OU=Service Accounts,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            userbase: 'OU=Users and Groups,DC=dharmin,DC=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: sAMAccountName
    authz:
      mycompany_local_ad:
        description: "MyCompany AD Authorization Sources"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - X.X.X.X:636
            bind_dn: 'CN=dharmin,OU=Users,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            # Disable use of custom_attribute_names
            custom_attr_maxval_len: 1
            userbase: 'OU=Users and Groups,DC=dharmin,DC=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(uid={0})'
            usersearch: '(sAMAccountName={0})'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolebase: 'OU=Users and Groups,DC=dharmin,DC=com'
            rolesearch: '(member={1})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            #rolename: name
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
Getting this error after adding the above configuration:
For me, you have a problem with:
username_attribute: sAMAccountName
It means you have to type the domain name in the login (based on my understanding).
But in the log, you only type your username:
"dhamrin@dharmin.com"
I think you should set it as:
username_attribute: "cn"
And your username to log in would then be: dharmin (if it's what you want).
I also think you can modify the authorization part.
Mine looks like that:
userbase: "dc=domain,dc=com"
usersearch: "(sAMAccountName={0})"
username_attribute: "cn"
rolesearch: "(member={0})"
rolename: "cn"
resolve_nested_roles: true
skip_users:
  - "kibanaserver"
Can you send your role and role mapping configuration files?
Can you send the OpenSearch Dashboards login screen failure? So I can see if it's related to the missing link with tenant/role mapping.
This is the final config.yml; I made the changes you suggested.

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      internal_users_domain:
        description: "ElasticSearch Internal Users Database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      mycompany_local_ad_domain:
        description: "MyCompany Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            # connect_timeout in milliseconds. How long does it take the server to respond
            connect_timeout: 3000
            # response_timeout in milliseconds. If 2FA is used, set to a value that gives users enough time to respond
            response_timeout: 30000
            bind_dn: 'CN=dharmin,OU=Service Accounts,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            userbase: "DC=dharmin,DC=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: "(sAMAccountName={0})"
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: "cn"
    authz:
      mycompany_local_ad:
        description: "MyCompany AD Authorization Sources"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            bind_dn: 'CN=dharmin,OU=Users,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            # Disable use of custom_attribute_names
            custom_attr_maxval_len: 1
            userbase: "DC=dharmin,DC=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(uid={0})'
            usersearch: "(sAMAccountName={0})"
            username_attribute: "cn"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolebase: 'OU=Users and Groups,DC=dharmin,DC=com'
            rolesearch: "(member={0})"
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: "cn"
            #rolename: name
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - "kibanaserver"
              - "cn=Michael Jackson,ou*people,o=TEST"
              - "/\S*/"   # regex that matches every username
This is roles_mapping.yml:

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:

own_index:
  reserved: false
  users:

logstash:
  reserved: false
  backend_roles:

kibana_user:
  reserved: false
  backend_roles:

readall:
  reserved: false
  backend_roles:

manage_snapshots:
  reserved: false
  backend_roles:

kibana_server:
  reserved: true
  users:

After making the changes you suggested, I am getting the same error.
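Added example, not part of the thread: a small pre-flight linter for the two security-plugin YAML files above. The posted config carries defects that none of the replies pick up, and this script flags them from the raw text before the file ever reaches securityadmin. The sample inputs are constructed here: they reproduce the anonymous_auth_enabled, verify_hostnames and placeholder-password settings from the posted config.yml, the empty backend_roles lists from the posted roles_mapping.yml, and two quoting mistakes that a copy-paste from a forum page tends to introduce. The important one is the skip_users entry "/\S*/" copied in from the commented sample: in the security plugin a /.../ entry is a regex, and \S* matches every username, so authz is skipped for everyone and no LDAP group ever becomes a backend role. The "fixed" roles_mapping uses AD group names that are assumptions, not names from the thread.

```python
import re

# Constructed sample input: the lines of the config.yml posted in this thread that
# carry defects, reduced to what the checks below look at.
BROKEN_CONFIG = """\
_meta:
  type: “config”
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: true
    authz:
      mycompany_local_ad:
        authorization_backend:
          type: ldap
          config:
            verify_hostnames: false
            password: password
            userbase: DC=dharmin,DC=com'
            skip_users:
              - kibanaserver
              - "/\\S*/"
"""

# Constructed: the posted roles_mapping.yml shape, every backend_roles list empty.
BROKEN_ROLES_MAPPING = """\
all_access:
  reserved: false
  backend_roles:
kibana_user:
  reserved: false
  backend_roles:
"""

# Constructed: a mapping that lints clean. With rolename: cn in the authz backend a
# backend role is the CN of an AD group; these two group names are assumptions.
FIXED_ROLES_MAPPING = """\
all_access:
  reserved: false
  backend_roles:
    - "opensearch-admins"
kibana_user:
  reserved: false
  backend_roles:
    - "opensearch-users"
"""

SMART_QUOTES = re.compile("[\u201c\u201d\u2018\u2019]")
# A skip_users entry written as /regex/ whose regex matches any string at all.
SKIP_ALL = re.compile(r'^-\s*["\']?/(?:\\S|\.)[*+]/["\']?$')
PLACEHOLDER_PW = re.compile(r'^password:\s*(?:["\']?password["\']?)?$')


def indent_of(line):
    return len(line) - len(line.lstrip(" "))


def lint(text):
    """Return (line_number, code, message) findings for one security-plugin YAML file."""
    findings = []
    lines = text.splitlines()
    skip_indent = None  # indentation of an open skip_users: block, if any
    for i, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        ind = indent_of(raw)
        body = re.sub(r"\s+#.*$", "", raw).strip()  # drop a trailing comment
        if skip_indent is not None and ind <= skip_indent:
            skip_indent = None
        if SMART_QUOTES.search(body):
            findings.append((i, "smart-quote", "curly quote is not a YAML string delimiter"))
        if body.count('"') % 2 or body.count("'") % 2:
            findings.append((i, "unbalanced-quote", "unterminated quoted scalar"))
        if body == "anonymous_auth_enabled: true":
            findings.append((i, "anonymous-auth", "unauthenticated requests are allowed"))
        if body == "verify_hostnames: false":
            findings.append((i, "no-hostname-verify", "LDAPS certificate name is not checked"))
        if PLACEHOLDER_PW.match(body):
            findings.append((i, "placeholder-password", "bind password is the literal word 'password' or empty"))
        if body == "skip_users:":
            skip_indent = ind
        elif skip_indent is not None and SKIP_ALL.match(body):
            findings.append((i, "skip-all-users", "regex matches every username, so no LDAP roles are resolved for anyone"))
        if body == "backend_roles:":
            nxt = next((l for l in lines[i:] if l.strip()), None)
            if nxt is None or indent_of(nxt) <= ind:
                findings.append((i, "empty-backend-roles", "role is mapped to no backend (LDAP group) role"))
    return findings


if __name__ == "__main__":
    samples = [("config.yml", BROKEN_CONFIG), ("roles_mapping.yml", BROKEN_ROLES_MAPPING),
               ("roles_mapping.yml (fixed)", FIXED_ROLES_MAPPING)]
    for name, doc in samples:
        print(name)
        for ln, code, msg in lint(doc) or [(0, "ok", "no findings")]:
            print(f"  line {ln}: {code}: {msg}")
```

Run it against the real files with `lint(open("config.yml").read())` before pushing them to the cluster; the smart-quote and unbalanced-quote findings are hard parse errors, the rest are settings to decide on deliberately (anonymous auth and skipped hostname verification are acceptable while debugging, not afterwards).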
You can't use your email to log in if your CN (Common Name) in LDAP/AD is dharmin; it should be cn=dharmin@dharmin.com then?
If you want to log in with email, you should set your username_attribute to something different, not CN.
mail, for example?
username_attribute: mail
And did you set a backend role for dharmin in your LDAP?
And set your role mapping?
Hello, I will try to set this. Please give me a brief description: do I have to install LDAP? Can I not set it up with AD directly? If not, please share the setup steps.
And did you set a backend role for dharmin in your LDAP? - NO
And set your role mapping? NO
You want to connect OpenSearch to Active Directory.
To connect you need two configuration parts.
First authentication (authc).
Secondly authorization (authz).
Here, you can see your authc is failing (invalid username or password).
So you need to fix this part first.
What are your roles related to the dharmin user? (the ones set in your AD)
Then you have to create a role or a role mapping, and there you add as backend_role the role you are going to search for (in the authz part).
For example, with this Guest user:
This usersearch parameter works if I type "Guest" or "guest":
usersearch: "(sAMAccountName={0})"
So for your configuration I guess you want something like this:
usersearch: "(mail={0})"
If you can post one of your entries in your AD, it would be easier.
Like your dharmin account, so I can help you with the settings. (Hide sensitive information of course.)
Hi, I tried to find it from PowerShell,
and the dharmin user is created as admin so there is no restriction. But if we try to set up with AD it should automatically take the password from AD; why is it not logging in with the AD user name and password?
It is.
Just use dharmin in the login form then, not dharmin@dharmin.com.
Your sAMAccountName seems to be dharmin, not the email address.
No luck.
This is config.yml:
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      internal_users_domain:
        description: "ElasticSearch Internal Users Database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      mycompany_local_ad_domain:
        description: "MyCompany Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            # connect_timeout in milliseconds. How long does it take the server to respond
            connect_timeout: 3000
            # response_timeout in milliseconds. If 2FA is used, set to a value that gives users enough time to respond
            response_timeout: 30000
            bind_dn: 'CN=users,DC=dharmin,DC=com'
            password: password
            userbase: "CN=Users,DC=dharmin,DC=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: "(sAMAccountName={0})"
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: "cn"
    authz:
      mycompany_local_ad:
        description: "MyCompany AD Authorization Sources"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            bind_dn: 'CN=users,DC=dharmin,DC=com'
            password: password
            # Disable use of custom_attribute_names
            custom_attr_maxval_len: 1
            userbase: "CN=Users,DC=dharmin,DC=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(uid={0})'
            usersearch: "(sAMAccountName={0})"
            username_attribute: "cn"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolebase: 'OU=Users and Groups,DC=dharmin,DC=com'
            rolesearch: "(member={0})"
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: "cn"
            #rolename: name
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - kibanaserver
              - "cn=Michael Jackson,ou*people,o=TEST"
              - "/\S*/"   # regex that matches every username
Do you have an account named "users"?
You set it in bind_dn.
This parameter is the DN of the account you use to connect to AD. OpenSearch has to connect to your AD, so you need bind_dn and password.
I think bind_dn should be like in your first config file:
bind_dn: 'CN=dharmin,OU=Service Accounts,OU=Users and Groups,DC=dharmin,DC=com'
password: password
userbase: "DC=dharmin,DC=com"
It means you connect as the 'dharmin' user to the AD (stated in the hosts parameter, on port 636) with the password ('password'), and you are looking into the subtree "DC=dharmin,DC=com" (userbase).
It's easier to use two different accounts if you are lost with the configuration.
So you can differentiate the parameters related to the account for connecting to AD from the parameters related to the login, the authentication system.
Same error.
Do I have to enter the real password or only the word 'password'?
You have to enter the real password of the "dharmin" user to link AD to your OpenSearch security plugin.
Have you checked your AD port?
Yes, the AD port is working, but the above error is coming after entering the real user (dharmin) and the real password of that user; the issue is still the same.
I mean, did you set the password in your config.yml file as the real password?
And not just 'password'.
Don't forget to push the modifications to your cluster with the script.
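Added example, not part of the thread: a way to settle the bind_dn/password and "is the AD port working" questions without OpenSearch in the loop. The script below performs one LDAPv3 simple bind over LDAPS (port 636) using only the Python standard library, hand-encoding just the BindRequest/BindResponse BER it needs, and then decodes the answer the way a practitioner reads it: AD reports every credential problem as resultCode 49 (invalidCredentials) and puts the real reason in the diagnostic text as a "data" code (52e wrong password, 525 user not found, 533 disabled, 775 locked out, and so on), so "same error" from the plugin can be split into distinct causes. Run it once with the service account DN from bind_dn and once with the DN (or UPN such as dharmin@dharmin.com, which AD accepts as a simple-bind name) of the user who cannot log in. The host name, DN and password are given on the command line and are not taken from the thread; the sample BindResponse in the test is constructed. The --no-verify switch is the analogue of verify_hostnames: false plus an untrusted CA and is for diagnosis only; the proper fix is to pass the AD CA file here and, in config.yml, via pemtrustedcas_filepath.

```python
import re
import socket
import ssl


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    # Non-negative values only; the extra byte keeps the sign bit clear.
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }"""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)            # messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)          # ENUMERATED resultCode
    _, _, pos = read_tlv(op, pos)        # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


# AD hides the real reason for resultCode 49 in the diagnostic text ("... data 52e, v3839").
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def explain_bind_result(code, diag):
    if code == 0:
        return "bind succeeded"
    if code == 49:
        m = re.search(r"data ([0-9a-f]+)", diag)
        detail = AD_DATA_CODES.get(m.group(1), "unknown AD data code") if m else "no AD detail"
        return f"invalidCredentials: {detail}"
    return f"LDAP resultCode {code}: {diag or 'no diagnostic message'}"


def ldaps_bind(host, port, bind_dn, password, verify=True, cafile=None, timeout=5.0):
    """Open LDAPS, send one simple bind, return (resultCode, diagnosticMessage)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the AD CA, like pemtrustedcas_filepath
    if not verify:  # diagnosis only: accepts any certificate and any host name
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, bind_dn, password))
            data = tls.recv(4096)  # a BindResponse is far smaller than this
    return parse_bind_response(data)


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python ldaps_bind_check.py <host> <port> <bind_dn_or_upn> [--ca ca.pem] [--no-verify]
    argv = sys.argv[1:]
    cafile = argv[argv.index("--ca") + 1] if "--ca" in argv else None
    args = [a for i, a in enumerate(argv) if a not in ("--no-verify", "--ca") and argv[i - 1] != "--ca"]
    host, port, dn = args[0], int(args[1]), args[2]
    result = ldaps_bind(host, port, dn, getpass.getpass("bind password: "),
                        verify="--no-verify" not in argv, cafile=cafile)
    print(explain_bind_result(*result))
```

A TLS handshake failure or a connection timeout means the port or the certificate is the problem, not the credentials; a result of 49 with data 52e means AD reached the account and rejected the password, so the value in config.yml is wrong; 525 means the DN or UPN does not exist, which is what a bind_dn of CN=users,DC=dharmin,DC=com would produce.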