The password is set in config.yml on both sides, authc and authz, but it is the same issue, and I am not getting your point about pushing the modifications to your cluster with the script.
You have to push the changes to the config.yml file into the .opensearch security index.
Here you can find some explanations: https://opensearch.org/docs/latest/security-plugin/configuration/security-admin/
What bind_dn did you set?
Can you post your config.yml file again, without the password, or with it hidden?
Configuration pushed using the following command:
./securityadmin.sh \
  -f …/securityconfig/config.yml \
  -icl -nhnv -cert /etc/elasticsearch/kirk.pem \
  -cacert /etc/elasticsearch/root-ca.pem \
  -key /etc/elasticsearch/kirk-key.pem \
  -t config
but it is still not working.
This is my current config:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      internal_users_domain:
        description: "ElasticSearch Internal Users Database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      mycompany_local_ad_domain:
        description: "MyCompany Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            # connect_timeout in milliseconds. How long does it take the server to respond
            connect_timeout: 3000
            # response_timeout in milliseconds. If 2FA is used, set to a value that gives users enough time to respond
            response_timeout: 30000
            bind_dn: 'CN=dharmin,OU=Service Accounts,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            userbase: "DC=dharmin,DC=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: "(sAMAccountName={0})"
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: "cn"
    authz:
      mycompany_local_ad:
        description: "MyCompany AD Authorization Sources"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            bind_dn: 'CN=dharmin,OU=Service Accounts,OU=Users and Groups,DC=dharmin,DC=com'
            password: password
            # Disable use of custom_attribute_names
            custom_attr_maxval_len: 1
            userbase: DC=dharmin,DC=com
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(uid={0})'
            usersearch: "(sAMAccountName={0})"
            username_attribute: "cn"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolebase: 'OU=Users and Groups,DC=dharmin,DC=com'
            rolesearch: "(member={0})"
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: "cn"
            #rolename: name
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - kibanaserver
              - 'cn=Michael Jackson,ou*people,o=TEST'
              - '/\S*/' # single quotes: \S is not a valid escape in a double-quoted YAML scalar
Do you still have the incorrect username or password error?
Maybe try to switch the order of AD and internal_users_domain.
Put quotes around strings (type: "basic", type: "ldap").
Maybe remove the connect_timeout setting for now, or increase it.
Try to put the whole bind_dn in lower case?
bind_dn: 'cn=dharmin,ou=Service Accounts,ou=Users and Groups,dc=dharmin,dc=com'
And maybe your bind_dn is not correct. If you check your PowerShell output, your bind_dn should be:
bind_dn: 'cn=dharmin,cn=Users,dc=dharmin,dc=com'
No luck, still the same error.
This is my current config; I changed the execution order in config.yml as shown in Kibana.
config.yml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      internal_users_domain:
        description: "ElasticSearch Internal Users Database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: intern
      mycompany_local_ad_domain:
        description: "MyCompany Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            # connect_timeout in milliseconds. How long does it take the server to respond
            connect_timeout: 3000
            # response_timeout in milliseconds. If 2FA is used, set to a value that gives users enough time to respond
            response_timeout: 30000
            bind_dn: 'cn=dharmin,cn=Users,dc=dharmin,dc=com'
            password: password
            userbase: "dc=dharmin,dc=com"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: "(sAMAccountName={0})"
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: "cn"
    authz:
      mycompany_local_ad:
        description: "MyCompany AD Authorization Sources"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: "ldap"
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - x.x.x.x:636
            bind_dn: 'cn=dharmin,cn=Users,dc=dharmin,dc=com'
            password: password
            # Disable use of custom_attribute_names
            custom_attr_maxval_len: 1
            userbase: dc=dharmin,dc=com
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(uid={0})'
            usersearch: "(sAMAccountName={0})"
            username_attribute: "cn"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolebase: 'OU=Users and Groups,DC=dharmin,DC=com'
            rolesearch: "(member={0})"
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: "cn"
            #rolename: name
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - kibanaserver
              - 'cn=Michael Jackson,ou*people,o=TEST'
              - '/\S*/' # single quotes: \S is not a valid escape in a double-quoted YAML scalar
Your LDAP line is disabled so of course it doesn’t work.
What is the output of the security admin script when you push the changes?
Are you sure you can reach your Active Directory?
Are you forced to use SSL?
Try port 389 and disable SSL.
You can check the settings by using the Linux utility ldapwhoami.
If you can make it work, then you will be able to extrapolate the settings into the OpenSearch security config file.
You can also give ldapsearch a try:
ldapsearch -x -H "ldaps://x.x.x.x:636" -D "cn=dharmin,cn=Users,dc=dharmin,dc=com" -W -b "dc=dharmin,dc=com"
or without SSL:
ldapsearch -x -H "ldap://x.x.x.x:389" -D "cn=dharmin,cn=Users,dc=dharmin,dc=com" -W -b "dc=dharmin,dc=com"
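An added example (my own, not code from the thread or from the OpenSearch security plugin) that turns the LDAP keys of the posted authc block into the ldapwhoami and ldapsearch commands to run from the node, so that the CLI test and config.yml cannot drift apart. Two details matter when copying settings by hand: port 636 needs the ldaps:// scheme (a plain ldap:// URL on 636 never negotiates TLS), and -x is needed for a simple bind with -D/-W, otherwise the OpenLDAP tools attempt SASL. The -W prompt asks for the bind_dn's own password, the same value as the password key under bind_dn. The LDAPTLS_REQCERT=never prefix is my assumption for the closest CLI analogue of verify_hostnames: false and is for diagnosis only; the {0} substitution escapes the login name per RFC 4515 so a crafted name cannot rewrite the filter.

```python
import shlex

# LDAP settings lifted from the authc block of the config.yml posted in this thread
# (x.x.x.x is the thread's placeholder; the bind password never goes on a command line).
AUTHC_LDAP = {
    "enable_ssl": True,
    "enable_start_tls": False,
    "verify_hostnames": False,
    "hosts": ["x.x.x.x:636"],
    "bind_dn": "cn=dharmin,cn=Users,dc=dharmin,dc=com",
    "userbase": "dc=dharmin,dc=com",
    "usersearch": "(sAMAccountName={0})",
}


def ldap_url(cfg, host=None):
    """enable_ssl -> ldaps://; otherwise ldap:// (StartTLS upgrades a plain ldap:// session)."""
    if cfg.get("enable_ssl") and cfg.get("enable_start_tls"):
        raise ValueError("enable_ssl and enable_start_tls are mutually exclusive")
    return ("ldaps://" if cfg.get("enable_ssl") else "ldap://") + (host or cfg["hosts"][0])


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def render_filter(template, username):
    """The plugin's {0} placeholder, filled with the (escaped) login name."""
    return template.replace("{0}", escape_filter_value(username))


def tls_env(cfg):
    # Diagnosis only (assumption: closest OpenLDAP-client analogue of verify_hostnames: false).
    # It disables server certificate checks; drop it as soon as the bind itself works.
    tls = cfg.get("enable_ssl") or cfg.get("enable_start_tls")
    return "LDAPTLS_REQCERT=never " if tls and not cfg.get("verify_hostnames") else ""


def ldapwhoami_command(cfg):
    """Step 1: does the bind_dn / password pair bind at all?  -x = simple bind, -W prompts."""
    argv = ["ldapwhoami", "-x", "-H", ldap_url(cfg), "-D", cfg["bind_dn"], "-W"]
    if cfg.get("enable_start_tls"):
        argv.insert(1, "-ZZ")          # require StartTLS to succeed
    return tls_env(cfg) + shlex.join(argv)


def ldapsearch_command(cfg, username, attrs=("cn", "sAMAccountName", "mail", "memberOf")):
    """Step 2: does usersearch, with {0} = the login name, find exactly one entry under userbase?"""
    argv = ["ldapsearch", "-x", "-H", ldap_url(cfg), "-D", cfg["bind_dn"], "-W",
            "-b", cfg["userbase"], render_filter(cfg["usersearch"], username), *attrs]
    if cfg.get("enable_start_tls"):
        argv.insert(1, "-ZZ")
    return tls_env(cfg) + shlex.join(argv)


if __name__ == "__main__":
    print(ldapwhoami_command(AUTHC_LDAP))
    print(ldapsearch_command(AUTHC_LDAP, "dharmin"))
```

The ldapsearch output always starts with the entry's dn; that DN is what rolesearch receives as {0} in the authz block, and the cn, sAMAccountName and mail values are the candidates for username_attribute.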
You mean to say I have to install LDAP on the Elasticsearch machine?
Yes, you can install the tools and then delete them.
Seems like the password is wrong, or the whole credentials are wrong.
I can’t fix this for you without visibility of your AD…
Then your bind_dn should be "cn=dharmin fadia,cn=Users,dc=dharmin,dc=com"
You have to make this command work before you can move on to the OpenSearch configuration.
This is asking for an LDAP password. Is it the one I configured, my AD password, or my user password? What password is it asking for? Maybe this is the LDAP password.
There is no LDAP password.
It’s the password of the user you use to query the LDAP.
This is why I told you it’s better to differentiate the account used to bind to LDAP from the parameters for the logged-in user.
This command is working.
Then change your config.yml with the right bind_dn.
Yes, but it is still not working.
It’s normal.
If your CN is "dharmin fadia" you have to log in as "dharmin fadia".
You can try to look for another attribute in the AD, and use it instead of CN.
Maybe like mail.
Fix this part :
usersearch: "(sAMAccountName={0})"
username_attribute: "cn"
Adapt to your needs…
With these settings
usersearch: "(sAMAccountName={0})"
username_attribute: "mail"
usersearch should be "(mail={0})"
Not sure it works.
Because right now, it still waits for "dharmin fadia".
username_attribute is the attribute you will pass to the authorization part, authz.
Here you are stating you will use the mail value of the user object.
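An added example, written by me for this page and not code from the thread or from the plugin, that models the two-stage flow the last few posts are describing: authc finds the entry with usersearch, checks the password, and carries forward the value of username_attribute; authz then looks that value up again with its own usersearch before it collects roles via userrolename and rolesearch (with {0} = the user's DN, repeated for nested groups), after first consulting skip_users. The directory, passwords and group names are constructed for the simulation; filters are limited to the (attr={0}) shape used in the thread; and I assume a /.../ skip_users entry is a full-match regex and * a wildcard, which is how the plugin's docs describe those entries.

```python
import re

# Constructed toy directory standing in for the AD in this thread (invented entries,
# not real data); DN keys are lowercase because AD compares DNs case-insensitively.
DIRECTORY = {
    "cn=dharmin fadia,cn=users,dc=dharmin,dc=com": {
        "cn": "dharmin fadia",
        "sAMAccountName": "dharmin",
        "mail": "dharmin@dharmin.com",
        "userPassword": "hunter2",   # toy secret, checked by plain comparison here
        "memberOf": ["cn=opensearch-admins,ou=users and groups,dc=dharmin,dc=com"],
    },
    "cn=opensearch-admins,ou=users and groups,dc=dharmin,dc=com": {
        "cn": "opensearch-admins",
        "member": ["cn=dharmin fadia,cn=users,dc=dharmin,dc=com"],
    },
    "cn=all-staff,ou=users and groups,dc=dharmin,dc=com": {
        "cn": "all-staff",
        "member": ["cn=opensearch-admins,ou=users and groups,dc=dharmin,dc=com"],  # nested group
    },
}

# The relevant keys of the posted authc / authz LDAP blocks.
AUTHC = {"userbase": "dc=dharmin,dc=com", "usersearch": "(sAMAccountName={0})",
         "username_attribute": "cn"}
AUTHZ = {"userbase": "dc=dharmin,dc=com", "usersearch": "(sAMAccountName={0})",
         "rolebase": "ou=users and groups,dc=dharmin,dc=com", "rolesearch": "(member={0})",
         "userrolename": "memberOf", "rolename": "cn", "resolve_nested_roles": True,
         "skip_users": ["kibanaserver", "cn=Michael Jackson,ou*people,o=TEST", "/\\S*/"]}


def filter_attr(template):
    """Only the (attr={0}) filter shape from the thread is modelled."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", template)
    if not m:
        raise ValueError("unsupported filter: " + template)
    return m.group(1)


def in_subtree(dn, base):
    return dn.lower().endswith(base.lower())


def find_user(cfg, value):
    """usersearch with {0} replaced by value, limited to the userbase subtree."""
    attr = filter_attr(cfg["usersearch"])
    for dn, entry in DIRECTORY.items():
        if in_subtree(dn, cfg["userbase"]) and str(entry.get(attr, "")).lower() == value.lower():
            return dn, entry
    return None


def authenticate(cfg, login, password):
    """authc: returns the name carried forward to authz, or None (bad credentials)."""
    hit = find_user(cfg, login)
    if hit is None or hit[1].get("userPassword") != password:
        return None
    dn, entry = hit
    return entry.get(cfg["username_attribute"], dn)   # falls back to the DN


def skipped(cfg, username):
    """skip_users: exact name, * wildcard, or /regex/ (assumed to be a full match)."""
    for pat in cfg["skip_users"]:
        if pat.startswith("/") and pat.endswith("/"):
            regex = pat[1:-1]
        else:
            regex = re.escape(pat).replace(r"\*", ".*")
        if re.fullmatch(regex, username):
            return True
    return False


def authorize(cfg, username):
    """authz: look the user up again with the authz usersearch, then collect role names."""
    if skipped(cfg, username):
        return set()
    hit = find_user(cfg, username)
    if hit is None:
        return set()          # user not found under the authz filter: no backend roles
    dn, entry = hit
    role_dns = {r.lower() for r in entry.get(cfg["userrolename"], [])}
    member_attr = filter_attr(cfg["rolesearch"])
    pending, seen = [dn], set()
    while pending:            # rolesearch with {0} = DN, repeated for nested roles
        cur = pending.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for gdn, group in DIRECTORY.items():
            if in_subtree(gdn, cfg["rolebase"]) and cur in [m.lower() for m in group.get(member_attr, [])]:
                role_dns.add(gdn)
                if cfg["resolve_nested_roles"]:
                    pending.append(gdn)
    return {DIRECTORY[r][cfg["rolename"]] for r in role_dns if r in DIRECTORY}


if __name__ == "__main__":
    name = authenticate(AUTHC, "dharmin", "hunter2")          # login by sAMAccountName
    print(name, authorize(AUTHZ, name))                        # cn is handed to authz ...
    print(authorize(dict(AUTHZ, usersearch="(cn={0})"), name))  # ... so authz must search by cn
```

With the posted configuration the login "dharmin" authenticates, but the name handed to authz is the cn "dharmin fadia", which the authz filter (sAMAccountName={0}) cannot find, so the user ends up with no backend roles; changing the authz usersearch to match the attribute named in username_attribute fixes that. Switching both to mail has a second catch in this config: the sample skip_users entry /\S*/ full-matches any username without whitespace, so an e-mail address is skipped before roles are even looked up, while "dharmin fadia" is not.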
Still the same issue.
What is your config file?
The authz part.
You need to modify this part too.