Error: Empty file path for opendistro_security.ssl.transport.truststore_filepath

Hello,

I cannot get the LDAP connection to work. When I start the Elasticsearch service, the following entry is in the log:
[2019-05-22T10:15:09,703][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [QOMiEqc] Unable to connect to ldapserver gtm-pureldap.mydomain.info:636 due to ElasticsearchException[Empty file path for opendistro_security.ssl.transport.truststore_filepath]. Try next.

I did the following configuration in the

  • elasticsearch.yml:

# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/opendistro-test-all-fra11-1.crt
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/opendistro-test-all-fra11-1-pkcs8.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/ca_chain.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/opendistro-test-all-fra11-1.crt
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/opendistro-test-all-fra11-1-pkcs8.key
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/ca_chain.pem
#opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
opendistro_security.nodes_dn:
  - "CN=opendistro-test-
opendistro_security.authcz.admin_dn:
  - "CN=admin,OU=MYUNIT,O=MYORG,L=DUS,ST=NRW,C=DE"
  • config.yml:

    my_ldap:
      enabled: true
      order: 1
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        type: ldap
        config:
          enable_ssl: true
          enable_start_tls: false
          enable_ssl_client_auth: false
          verify_hostnames: false
          pemtrustedcas_filepath: /etc/elasticsearch/ca_chain.pem
          hosts:
            - gtm-pureldap.mydomain.info:636
          bind_dn: cn=elastic,OU=serviceAccounts,OU=Elastic,OU=applicationManagement,DC=metrogroup,DC=net
          password: ********
          userbase: 'DC=metrogroup,DC=net'
          usersearch: 'cn={0}'
          username_attribute: uid

I also added the line:
pemtrustedcas_filepath: /etc/elasticsearch/ca_chain.pem
But without success.

The cluster works with all nodes! Elasticsearch REST API works with internal user/pw admin/admin.

We have other clusters with X-Pack running where we use an LDAP connection. Our X-Pack configuration is:

xpack:
  security:
    authc:
      realms:
        native1:
          type: native
          order: 0
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://gtm-pureldap.mydomain.info:636"
          ssl:
            certificate_authorities: [ "/etc/elasticsearch/x-pack/ca_chain.pem" ]
          bind_dn: "cn=elastic,OU=serviceAccounts,OU=Elastic,OU=applicationManagement,DC=metrogroup,DC=net"
          bind_password: **************
          user_search:
            base_dn: "DC=metrogroup,DC=net"
            filter: cn={0}
          group_search:
            base_dn: "DC=metrogroup,DC=net"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false

Can somebody help?

Many thanks in advance!

Martin

Any news? Did somebody get the LDAP connection to work?

I was able to get the authentication part to work, but I haven't gotten authorization using roles to work correctly. I also need to submit a bug report for the authc/authz, since when an LDAP user logs out and a local user logs in, the authorization is still using the LDAP user credentials.

Although the documentation indicates that either a cert/key/trusted CA can be used, I'm not sure that's the case. I added an explicit truststore and the authz started working immediately. It would be nice if someone from the Open Distro team would have weighed in on this issue. I will try to find the time to file a bug on this part of the documentation.

How exactly did you add an explicit truststore? Thanks.

In the elasticsearch.yml, I added:
opendistro_security.ssl.transport.truststore_filepath. This was listed as optional, but for authorization it seems it is required.
https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/tls/#keystore-and-truststore-files


Can someone from the Open Distro team comment on this?
I am also struggling with this... I am using a PEM certificate, but it still looks like LDAP is looking for a truststore:

opendistro_security.ssl.transport.pemtrustedcas_filepath: ...

Can it not work with .PEM?


In most cases, you can just point this at the default Java truststore, usually at /etc/ssl/certs/java/cacerts.
The only way I was able to make that work was to create a softlink to it, so it was available as a relative path under /etc/elasticsearch...

ln -s /etc/ssl/certs/java/cacerts /etc/elasticsearch/cacerts

opendistro_security.ssl.transport.truststore_filepath: cacerts
opendistro_security.ssl.transport.truststore_password: changeit

(changeit is usually the default password for the default truststore)
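As an added example (not code from the thread or from the Open Distro project), the following Python preflight reproduces the check behind the log line quoted at the top of the thread and the truststore workaround from the two posts above: it parses the flat top-level key: value lines of an elasticsearch.yml, reports an empty opendistro_security.ssl.transport.truststore_filepath even when a PEM CA is configured, resolves a relative truststore path under the Elasticsearch config directory (an assumption consistent with the symlink workaround, not something the plugin documents on this page), and confirms the file behind the symlink exists and is readable. The elasticsearch.yml contents, the config directory and the "cacerts" file it links to are all constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Real Open Distro setting names the thread revolves around.
TRUSTSTORE_KEY = "opendistro_security.ssl.transport.truststore_filepath"
TRUSTSTORE_PW_KEY = "opendistro_security.ssl.transport.truststore_password"
PEM_CA_KEY = "opendistro_security.ssl.transport.pemtrustedcas_filepath"


def parse_flat_yaml(text):
    """Parse the flat top-level `key: value` lines of an elasticsearch.yml.

    Scalars and inline lists such as ["a", "b"] are handled. Comment lines,
    blank lines and indented block-list items (e.g. nodes_dn entries) are
    skipped because the checks below only need top-level scalar keys.
    """
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or raw[:1].isspace():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("\"'")
        settings[key.strip()] = value
    return settings


def check_transport_trust(settings, config_dir):
    """Return findings about the transport truststore the LDAP backend wants.

    Assumption (consistent with the symlink workaround in the thread, not a
    documented fact from this page): a relative truststore_filepath is
    resolved under the Elasticsearch config directory.
    """
    findings = []
    truststore = settings.get(TRUSTSTORE_KEY, "")
    if not truststore:
        # This is the condition behind the ElasticsearchException in the thread.
        findings.append(f"Empty file path for {TRUSTSTORE_KEY}")
        if settings.get(PEM_CA_KEY):
            findings.append(f"{PEM_CA_KEY} is set, but the LDAP backend still requires a truststore")
        return findings
    path = Path(truststore)
    if not path.is_absolute():
        path = Path(config_dir) / path
    if not path.is_file():  # follows symlinks, so a dangling link is caught here
        findings.append(f"{TRUSTSTORE_KEY} points at {path}, which does not exist")
    elif not os.access(path, os.R_OK):
        findings.append(f"{path} is not readable by this user")
    if not settings.get(TRUSTSTORE_PW_KEY):
        findings.append(f"{TRUSTSTORE_PW_KEY} is not set (the JDK default truststore usually uses 'changeit')")
    return findings


# Constructed elasticsearch.yml fragments modelled on the thread; not real files.
BEFORE_YML = """\
opendistro_security.ssl.transport.pemcert_filepath: node.crt
opendistro_security.ssl.transport.pemkey_filepath: node-pkcs8.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: ca_chain.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
#opendistro_security.allow_unsafe_democertificates: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.nodes_dn:
  - "CN=node,OU=MYUNIT,O=MYORG,L=DUS,ST=NRW,C=DE"
"""
# The two lines the later posts add to make LDAP authorization work.
AFTER_YML = BEFORE_YML + """\
opendistro_security.ssl.transport.truststore_filepath: cacerts
opendistro_security.ssl.transport.truststore_password: changeit
"""


def demo():
    """Run both constructed configs against a temporary config directory."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir = Path(tmp)
        (config_dir / "ca_chain.pem").write_text("constructed placeholder, not a real CA chain\n")
        # Stand-in for the JDK truststore and for the thread's
        # `ln -s /etc/ssl/certs/java/cacerts /etc/elasticsearch/cacerts`.
        java_dir = config_dir / "java"
        java_dir.mkdir()
        real_cacerts = java_dir / "cacerts"
        real_cacerts.write_bytes(b"constructed placeholder, not a real JKS")
        os.symlink(real_cacerts, config_dir / "cacerts")
        before = check_transport_trust(parse_flat_yaml(BEFORE_YML), config_dir)
        after = check_transport_trust(parse_flat_yaml(AFTER_YML), config_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Running it prints the "Empty file path" finding (plus a note that the PEM CA alone does not satisfy the backend) for the first config and no findings for the second; pointing the script at a real /etc/elasticsearch by replacing the constructed strings with file reads gives the same checks before a restart rather than after.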

What ODFE version are you on?

@Martin

Did you find a solution to your problem? What is your LDAP provider?