Configuration for LDAPS

Hi,
I’m trying to enable ldaps communication but I can’t reach it.
Opendistro performs authentication and authorization by LDAP, but if I look at the LDAP log, I see that the request was done on port 389. In the Elastic logs, there is no info about the port or the protocol used. Could you please help me?

config.yml

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "ldaps://example.com:636"
            bind_dn: "cn=admin,dc=example,dc=com"
            password: "password"
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "ldaps://example.com:636"
            bind_dn: "cn=admin,dc=example,dc=com"
            password: "admin"

elasticsearch.yml

cluster.name: "docker-cluster"
network.host: 0.0.0.0

opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: MyRootCA.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
node.name: nodo1
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: MyRootCA.pem
#opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - "CN=maintenance,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx"
opendistro_security.nodes_dn:
  - "CN=nodo1,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx"

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false

@amorsa there are two things I know are needed.

  1. In elasticsearch.yml, you will need opendistro_security.ssl.transport.truststore_filepath. Although this is listed as an alternate method, it appears that ldap authz requires it. - https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/tls/#keystore-and-truststore-files

  2. In your config.yml just use the hostname:port and not the protocol (ldaps://). The enable_ssl config item should be telling it to use ldaps.

      hosts:
        - ldap.example.com:636

@kiowajoe I can’t communicate with the ldaps protocol even after creating a new truststore:

I change my hosts in config.yml

hosts:
  - ldap.example.com:636

I create a truststore with my CA cert pem file:

keytool -import -alias mykey -keystore truststore.jks -file MyRootCA.pem -trustcacerts

Then I change file permission:

chmod 0600 truststore.jks

Then I add to my elasticsearch.yml:

opendistro_security.ssl.transport.truststore_filepath: truststore.jks
opendistro_security.ssl.transport.truststore_password: xxx
opendistro_security.ssl.transport.truststore_alias: mykey
opendistro_security.ssl.http.truststore_filepath: truststore.jks
opendistro_security.ssl.http.truststore_password: xxx
opendistro_security.ssl.http.truststore_alias: mykey

When I launch my Elasticsearch instance I can authenticate, but I can see in my OpenLDAP log that I don’t use the ldaps protocol; it communicates over port 389:

example.com          | 5d6399df conn=1000 fd=12 ACCEPT from IP=172.20.0.4:50212 (IP=0.0.0.0:389)
example.com          | 5d6399df conn=1001 fd=13 ACCEPT from IP=172.20.0.4:50214 (IP=0.0.0.0:389)
example.com          | 5d6399df conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128

What am I doing wrong?
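Added example, not part of this thread or of the Open Distro project: a small Python check that reads slapd stats-log lines in the format quoted above and reports which BIND operations ran without TLS, so the 389-versus-636 question can be answered from the LDAP log rather than guessed. The sample lines are constructed (the port-636 connection shows what a working ldaps setup would log), and the `TLS established` line format is assumed from OpenLDAP's default logging.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the slapd lines quoted in the thread.
# conn=1001 binds in cleartext on the 389 listener; conn=1002 is the
# assumed shape of a correct ldaps connection (TLS up before the BIND).
SAMPLE_LOG = """\
example.com | 5d6399df conn=1000 fd=12 ACCEPT from IP=172.20.0.4:50212 (IP=0.0.0.0:389)
example.com | 5d6399df conn=1001 fd=13 ACCEPT from IP=172.20.0.4:50214 (IP=0.0.0.0:389)
example.com | 5d6399df conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
example.com | 5d6399e0 conn=1002 fd=14 ACCEPT from IP=172.20.0.4:50220 (IP=0.0.0.0:636)
example.com | 5d6399e0 conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
example.com | 5d6399e0 conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')


def audit_binds(log_text: str) -> List[Dict[str, object]]:
    """One record per BIND: listener port, client, DN and whether TLS was
    already established on that connection (covers ldaps and STARTTLS)."""
    listener_port: Dict[str, int] = {}
    client: Dict[str, str] = {}
    tls_up: Set[str] = set()
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            listener_port[m.group(1)] = int(m.group(3))
            client[m.group(1)] = m.group(2)
        elif m := TLS_RE.search(line):
            tls_up.add(m.group(1))
        elif m := BIND_RE.search(line):
            conn = m.group(1)
            findings.append({
                "conn": conn,
                "client": client.get(conn, "?"),
                "port": listener_port.get(conn),
                "dn": m.group(2),
                "encrypted": conn in tls_up,   # order matters: TLS before BIND
            })
    return findings


def cleartext_binds(log_text: str) -> List[str]:
    """DNs that authenticated on a connection with no TLS session."""
    return [str(f["dn"]) for f in audit_binds(log_text) if not f["encrypted"]]
```

Run it over the real slapd log: any DN reported by cleartext_binds means the bind password crossed the wire unprotected, whatever config.yml claims.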

Is the hosts setting correct in both the authc and authz ldap backends? I’ll have to validate that it is actually reaching ldaps in my environment. Are there any indicators in the elasticsearch logs about what it is doing on the authc/authz events?