I can connect from the server, like so:
$ ldapwhoami -vvv -D <admin_dn> -x -W
ldap_initialize( )
Enter LDAP Password:
u:<admin_dn>
Result: Success (0)
Here’s my security config.yml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "intern"
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "CN"
          challenge: false
        authentication_backend:
          type: "noop"
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 3
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            pemtrustedcas_filepath: "/etc/opensearch/certs/ca.pem"
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "REDACTED:636"
            bind_dn: "CN=REDACTED"
            password: "REDACTED"
            userbase: "OU=Users,DC=int,DC=REDACTED"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
    authz:
      roles_from_my_ldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            pemtrustedcas_filepath: "/etc/opensearch/certs/ca.pem"
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "REDACTED:636"
            bind_dn: "CN=REDACTED,CN=Users,DC=int,DC=REDACTED"
            password: "REDACTED"
            userrolename: "memberOf"
            rolename: "cn"
            resolve_nested_roles: false
            rolesearch_enabled: false
            userbase: "OU=Users,DC=int,DC=REDACTED"
            usersearch: "(sAMAccountName={0})"
            skip_users:
              - "rpa"
              - "testuser"
              - "monitor"
              - "kibanaserver"
I have used this config all the way from Elasticsearch OSS, to ODFE, then OpenSearch, with minor changes. And again, it worked fine until the final server (and Dashboards) was updated.
Any help is greatly appreciated!
EDIT: I should mention that authentication itself seems to work fine, as it reports a wrong password when I mistype it. I only reach the Missing Role page after logging in correctly.
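The Dashboards "Missing Role" page is shown when login succeeds but the user ends up with no security role at all, so with an LDAP authorization backend the first thing to check is whether the backend roles the plugin derives from memberOf (with rolename: cn, the cn of each group DN the user is a member of) actually match the backend_roles entries in roles_mapping.yml. The script below is an added example, not the poster's code and not the OpenSearch Security plugin's own implementation: it reproduces that derivation and the roles_mapping lookup offline on constructed sample data (the group DNs, user names and roles_mapping entries are made up), so a mismatch can be spotted without touching the live directory. The treatment of rolename: dn and the exact, case-sensitive string comparison are simplifying assumptions of this example.

```python
"""Offline check of LDAP authz -> roles_mapping resolution.

Added example, not the OpenSearch Security plugin's code. It mimics
what `userrolename: memberOf` + `rolename: cn` produce from a user's
group DNs and which roles_mapping.yml entries those values would hit.
"""
import re


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs.

    Only the escaped-comma case of RFC 4514 (`\\,`) is handled; that is
    the one that usually bites with AD group names containing commas.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def backend_roles_from_member_of(member_of: list[str], rolename: str = "cn") -> list[str]:
    """Derive backend role names from memberOf group DNs.

    rolename: "cn" -> the cn RDN value of each group DN (as in the post).
    rolename: "dn" -> the whole group DN (assumption of this example).
    """
    roles = []
    for group_dn in member_of:
        if rolename.lower() == "dn":
            roles.append(group_dn)
            continue
        for attr, value in split_dn(group_dn):
            if attr == rolename.lower():
                roles.append(value)
                break
    return roles


def mapped_roles(backend_roles: list[str], username: str, roles_mapping: dict) -> list[str]:
    """roles_mapping.yml lookup: a security role is granted when the user
    name is listed under `users` or any backend role is listed under
    `backend_roles`. Exact string match, no case folding (assumption)."""
    granted = []
    for role, spec in roles_mapping.items():
        if username in spec.get("users", []):
            granted.append(role)
        elif set(spec.get("backend_roles", [])) & set(backend_roles):
            granted.append(role)
    return granted


def diagnose(username: str, member_of: list[str], roles_mapping: dict, rolename: str = "cn") -> dict:
    """Return what the plugin would see for this user; `missing_role` is
    True exactly when Dashboards would show the Missing Role page."""
    backend = backend_roles_from_member_of(member_of, rolename)
    roles = mapped_roles(backend, username, roles_mapping)
    return {"backend_roles": backend, "roles": roles, "missing_role": not roles}


# Constructed sample data, not taken from the poster's directory.
SAMPLE_MEMBER_OF = [
    "CN=opensearch-admins,OU=Groups,DC=int,DC=example",
    "CN=Staff\\, All,OU=Groups,DC=int,DC=example",
]
SAMPLE_ROLES_MAPPING = {
    # matches the cn value produced by rolename: cn
    "all_access": {"backend_roles": ["opensearch-admins"]},
    # a full DN here never matches when rolename is cn: a typical mismatch
    "readall": {"backend_roles": ["CN=readers,OU=Groups,DC=int,DC=example"]},
    # mapped by user name, independent of LDAP groups
    "kibana_server": {"users": ["kibanaserver"]},
}

if __name__ == "__main__":
    for user, groups in [("alice", SAMPLE_MEMBER_OF),
                         ("bob", ["CN=readers,OU=Groups,DC=int,DC=example"])]:
        print(user, diagnose(user, groups, SAMPLE_ROLES_MAPPING))
```

Run it with the real memberOf values from an `ldapsearch` of the affected user (for example `ldapsearch -x -W -D <bind_dn> -b "OU=Users,DC=int,DC=..." "(sAMAccountName=<user>)" memberOf`) and the backend_roles from your roles_mapping.yml; if `missing_role` comes out True for a user who logs in fine, the mismatch is in the mapping (cn vs. full DN, spelling, or case), not in authentication.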