Configuration for LDAPS

amorsa · August 23, 2019, 3:13pm

Hi,
I’m trying to enable ldaps communications but I can’t reach it.
Opendistro performs authentication and authorization by ldap, but if I look at the ldap log, i see that the request was done on port 389. In elastic logs, there are no info about the port or the protocol used. Could you please help me?

config.yml

    config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "ldaps://example.com:636"
            bind_dn: "cn=admin,dc=example,dc=com"
            password: "password"
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "ldaps://example.com:636"
        bind_dn: "cn=admin,dc=example,dc=com"
        password: "admin"

elasticsearch.yml

cluster.name: "docker-cluster"
network.host: 0.0.0.0

opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: MyRootCA.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
node.name: nodo1
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: MyRootCA.pem
#opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - "CN=maintenance,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx"
opendistro_security.nodes_dn:
  - "CN=nodo1,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx"

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false

kiowajoe · August 24, 2019, 12:49pm

@amorsa there are two things I know are needed.

In elasticsearch.yml, you will need opendistro_security.ssl.transport.truststore_filepath. Although this is listed as an alternate method, it appears that ldap authz requires it. - https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/tls/#keystore-and-truststore-files
In your config.yml just use the hostname:port and not the protocol (ldaps://). The enable_ssl config item should be telling it to use ldaps.

      hosts:
        - ldap.example.com:636

https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/#complete-authentication-example

amorsa · August 26, 2019, 8:55am

@kiowajoe I can’t communicate with ldaps protocol also when creating new truststore:

I change my hosts in config.yml

 hosts:
        - ldap.example.com:636

I create a trustore with my CAcert pem file:

keytool -import -alias *mykey* -keystore truststore.jks -file MyRootCA.pem -trustcacerts

Then I change file permission:

chmod 0600 truststore.jks

Then I add to my elasticsearch.yml:

opendistro_security.ssl.transport.truststore_filepath: truststore.jks
opendistro_security.ssl.transport.truststore_password: xxx
opendistro_security.ssl.transport.truststore_alias: mykey
opendistro_security.ssl.http.truststore_filepath: truststore.jks
opendistro_security.ssl.http.truststore_password: xxx
opendistro_security.ssl.http.truststore_alias: mykey

When I launch my elasticsearch instance I can authenticate, but I can see in my openldap log , that I don’t use ldaps protocol, it communicate over 389 port:

example.com          | 5d6399df conn=1000 fd=12 ACCEPT from IP=172.20.0.4:50212 (IP=0.0.0.0:389)
example.com          | 5d6399df conn=1001 fd=13 ACCEPT from IP=172.20.0.4:50214 (IP=0.0.0.0:389)
example.com          | 5d6399df conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128

What am I do wrong?

kiowajoe · August 27, 2019, 4:17pm

Is the hosts correct in both the authc and authz ldap backends? I’ll have to validate that it is actually reaching ldaps in my environment. Is there any indicators in the elasticsearch logs about what it is doing on the authc/authz events?

pablo · May 21, 2021, 12:10pm

Hello @amorsa

Have you solved this issue?

Topic		Replies	Views
Initial configuration LDAP without certificates opendistro-security-1.12.0.0 Security	4	447	May 20, 2021
Cant manage to setup ldap Open Source Elasticsearch and Kibana	3	385	March 13, 2021
Need some configuration for the LDAP with the ODFE 7.10.2 version Security	7	652	August 25, 2021
Ldap & AD SSL config and truststore Security	2	1179	January 20, 2021
LDAP Connection Not Working Security	12	1748	April 8, 2021

Configuration for LDAPS

Related Topics