Cannot configure LDAPS with JumpCloud

Hey guys,

I have been trying to set up LDAPS with JumpCloud as the provider. The LDAP with port 389 (NO SSL/TLS) seems to be working but I cannot get it to work with SSL/TLS.
Below are my configuration files:

elasticsearch.yml:

cluster.name: "td-cluster"
network.host: 0.0.0.0
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: tdes0.pem
opendistro_security.ssl.http.pemkey_filepath: tdes0.key
opendistro_security.ssl.http.pemtrustedcas_filepath: MyRootCA.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - "CN=admin,O=*removed for privacy*,L=Sydney,ST=New South Wales,C=AU"

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE
# Transport (node-to-node) trust anchors. The plugin always runs TLS on the transport
# layer, so it also needs opendistro_security.ssl.transport.pemcert_filepath and
# pemkey_filepath for this node (that is what the error quoted below asks for); the
# JumpCloud CA belongs with the LDAP backend's pemtrustedcas_filepath in securityconfig.yml.
opendistro_security.ssl.transport.pemtrustedcas_filepath: /usr/share/elasticsearch/config/jumpcloud.chain.pem

securityconfig.yml:

opendistro_security:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
      do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'

    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      ldap:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.jumpcloud.com:636
            bind_dn: "uid=*removed for privacy*,ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            password: "*removed for privacy*"
            userbase: "ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            usersearch: "(uid={0})"
            username_attribute: "cn"
            # CA chain the LDAPS server certificate is verified against (the same
            # jumpcloud.chain.pem file that elasticsearch.yml references above)
            pemtrustedcas_filepath: jumpcloud.chain.pem

    authz:
      roles_from_myldap:
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - ldap.jumpcloud.com:636
            bind_dn: "uid=*removed for privacy*,ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com"
            password: "*removed for privacy*"
            rolebase: 'ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: "cn"
            resolve_nested_roles: true
            userbase: 'ou=Users,o=*removed for privacy*,dc=jumpcloud,dc=com'
            usersearch: '(uid={0})'
            pemtrustedcas_filepath: jumpcloud.chain.pem

When I look at the logs from Elasticsearch, there is an error:
“org.elasticsearch.ElasticsearchException: opendistro_security.ssl.transport.keystore_filepath or opendistro_security.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.”
but I do not seem to have any key or certificate from JumpCloud, just their CA certificate, as mentioned at this link: “https://support.jumpcloud.com/customer/en/portal/articles/2440898-jumpcloud-ldaps-ssl-certificate”.

Please help me resolve this. Thanks in advance. And Happy Weekends.

Regards,
Ashim Mahara

@aetter I am deeply sorry for pinging you, but you helped me last time, so can you please take a look at this?

Sorry again.

Regards,
Ashim

Hi @ashim, no worries at all, but unfortunately I don’t think I can be of much help beyond the content of the error message. Every provider seems to do things a little bit differently and I don’t have any experience with JumpCloud. All I can suggest is to check the certificate format, try to track down other certificate files, update the YAML files, and keep reloading the security index as you change settings one at a time.

Hey @aetter, I understand. Can I ask you a few questions then? Can you please tell me what format the certificates should be in? Is it necessary for me to apply the settings with securityadmin.sh every time I change something? Is it absolutely necessary for me to configure the truststore and keystore?

Hey @ashim, sure, so the certificates should be X.509 PEM and the keys in PKCS #8 format. Every time you change the files, you’ll need to update their details in elasticsearch.yml and restart the cluster. If you change opendistro_security/securityconfig/config.yml for any reason, then you’ll need to run securityadmin.sh to reload those settings into the security index.

If you’re using certificates, you don’t need the keystore and truststore. They’re an alternative to certificates. If you want to use them, they need to be in JKS or PKCS #12 format.
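A small pre-flight check for the two points in this answer, added here as an example (not code from the thread or from the Open Distro project): it classifies the PEM blocks in a file so you can see whether it holds X.509 certificates or a PKCS #8 key before pointing pemtrustedcas_filepath / pemkey_filepath at it, and it performs a TLS handshake against the LDAPS endpoint trusting only the downloaded CA chain with hostname verification on, the same policy as enable_ssl: true plus verify_hostnames: true. File names in the comments and the sample PEM text are assumptions.

```python
import re
import socket
import ssl

# PEM header -> what the Open Distro security plugin expects. Certificates must be
# X.509 PEM and keys PKCS #8; a PKCS #1 ("RSA PRIVATE KEY") or SEC1 ("EC PRIVATE
# KEY") header means the key still needs converting, e.g. (file names assumed):
#   openssl pkcs8 -topk8 -nocrypt -in old.key -out tdes0.key
PEM_KINDS = {
    "CERTIFICATE": "x509-cert",
    "PRIVATE KEY": "pkcs8-key",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted-key",  # needs a pemkey_password setting
    "RSA PRIVATE KEY": "pkcs1-key-needs-conversion",
    "EC PRIVATE KEY": "sec1-key-needs-conversion",
}
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def classify_pem_blocks(pem_text: str) -> list:
    """Kind of every PEM block in the text, in file order."""
    return [PEM_KINDS.get(m.group(1), "unknown:" + m.group(1))
            for m in _BLOCK.finditer(pem_text)]


def chain_problems(pem_text: str) -> list:
    """Problems with a file destined for pemtrustedcas_filepath (CA certs only)."""
    kinds = classify_pem_blocks(pem_text)
    if not kinds:
        return ["no PEM blocks found (DER file, or base64 without BEGIN/END lines?)"]
    return [f"non-certificate block in CA file: {k}" for k in kinds if k != "x509-cert"]


def check_ldaps(host: str, port: int, cafile: str, timeout: float = 10.0) -> dict:
    """Handshake with the LDAPS endpoint trusting only `cafile`, hostname check on.
    Raises ssl.SSLError / ssl.CertificateError on a chain or hostname mismatch,
    which is exactly what the plugin's LDAP backend would reject as well."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "subject": dict(x[0] for x in cert.get("subject", ())),
                    "issuer": dict(x[0] for x in cert.get("issuer", ())),
                    "not_after": cert.get("notAfter")}


if __name__ == "__main__":  # usage: python ldaps_check.py jumpcloud.chain.pem
    import sys
    print("chain problems:", chain_problems(open(sys.argv[1]).read()) or "none")
    print(check_ldaps("ldap.jumpcloud.com", 636, sys.argv[1]))
```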

Hey @aetter, sorry to bother you again, but is it necessary for me to set up node certificates for my scenario?

If you have just one node in your cluster, then no. If you have multiple nodes, yeah, we recommend node certificates.

I started with a fresh Docker setup and it worked! Thank you so much for your help. You guys are doing wonderful work here. Cheers!

