Unreliable enable_start_tls option for ldap authc module

Eugenie · June 14, 2022, 8:22am

Hello,

I’m trying to configure ldap authc module. If the ldap module is configured with enable_start_tls=true, authentication succed. But with tcpdump we can see that user names and passwords are transmitted over unencrypted connections.

With enable_ssl=true, connections are encrypted. But ldaps is deprecated in favor of startTLS.

I am running Open Distro Security Plugin v.1.12.0.0.

Do you have similar behavior? Any hints where to look?

Thanks in advance!

pablo · June 14, 2022, 10:13am

@Eugenie I’ve just tested startTLS in ODFE 1.13.2 and I could see my password. This looks like a bug in ODFE.

I’ve also checked OpenSearch 1.3.2 and 2.0.0 and my login and password were encrypted.

I suggest upgrading your ODFE cluster to OpenSearch.

Eugenie · June 16, 2022, 1:38pm

@pablo Thank you for the information !

Topic		Replies	Views
LDAP auth with STARTTLS not working Security	14	1636	September 27, 2021
LDAPS + tcpdump not showing traffic to AD Server Security configure	1	229	February 23, 2024
Initial configuration LDAP without certificates opendistro-security-1.12.0.0 Security	4	639	May 20, 2021
LDAP dont work over SSL Open Source Elasticsearch and Kibana	2	657	July 27, 2021
LDAP Authentication: Not able to login; no Permissions for User Security	21	2528	October 5, 2022

Unreliable enable_start_tls option for ldap authc module

Related topics