Initial configuration LDAP without certificates opendistro-security-1.12.0.0

Hello,
I am using the opendistro-security-1.12.0.0 plugin for the first time. I just want to use it to connect to my LDAP server, but I don't know what minimum configuration I need to make it work without SSL connections. Could someone tell me the steps to configure the plugin for Kibana and Elasticsearch without having to use certificates through the TLS layer?

Thanks

I recall the documentation being pretty good (and it has improved since I did my LDAP configuration): Active Directory and LDAP - Open Distro Documentation. Configuring Open Distro to work with LDAP is 90% about understanding how LDAP works. Also, Kibana does not care that you are using LDAP; only Elasticsearch cares.

Some other things that are good to understand (keep in mind) are the difference between "backend-roles" and "roles" and also the difference between authz and authc.


@jessualuq See the example below with a basic configuration for LDAP (in this case I have my users in the branch "Users" and roles in the branch "GroupsNew"; it extracts the relevant backend roles, which are then mapped to the correct security roles in the security index).

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false      # the LDAP domain below sends the 401 challenge instead
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false              # plain LDAP: bind credentials cross the wire unencrypted
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - <ldap_ip/host>
            bind_dn: <bind_dn>
            password: <password>
            userbase: 'cn=Users,dc=local,dc=local'
            username_attribute: "sAMAccountName"
            usersearch: '(sAMAccountName={0})'   # {0} is replaced with the login name

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - <ldap_ip/host>
            bind_dn: <bind_dn>
            password: <password>
            rolebase: 'ou=GroupsNew,dc=local,dc=local'
            rolesearch: '(member={0})'           # {0} is replaced with the user's DN
            userroleattribute: null
            userrolename: disabled
            resolve_nested_roles: false
            userbase: 'cn=Users,dc=local,dc=local'
            usersearch: '(sAMAccountName={0})'

You can run the ldapsearch tool against the LDAP server from one of the nodes to ensure it works as expected; the command below might be a good starting point (the -x selects a simple bind, which is what the plugin does with bind_dn/password):

ldapsearch -x -H ldap://<ldap_ip> -D <bind_dn> -W -b "cn=Users,dc=local,dc=local" "(sAMAccountName=<user_in_question>)"

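
As an added example (not from the thread), the script below replays the two directory lookups the config above makes the plugin perform, the authc usersearch and then the authz rolesearch, with ldapsearch and the same filters. ldap://<ldap_ip> and <bind_dn> are the thread's placeholders; the password file path and the sample LDIF used to exercise the parsing are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: replay the two directory lookups the
# plugin's LDAP config performs, using the same filters as above.
#   authc: search USERBASE with usersearch, {0} = login name -> user DN
#   authz: search ROLEBASE with rolesearch, {0} = user DN    -> group names
# Assumptions: OpenLDAP ldapsearch is installed and the bind password is in
# BIND_PW_FILE; <ldap_ip> and <bind_dn> are the thread's placeholders.
LDAP_URL="${LDAP_URL:-ldap://<ldap_ip>}"
BIND_DN="${BIND_DN:-<bind_dn>}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap-bind.pw}"  # assumed; -y uses the file verbatim, so no trailing newline
USERBASE="cn=Users,dc=local,dc=local"
ROLEBASE="ou=GroupsNew,dc=local,dc=local"

# usersearch '(sAMAccountName={0})' with {0} replaced by the login name.
user_filter() { printf '(sAMAccountName=%s)' "$1"; }
# rolesearch '(member={0})' with {0} replaced by the user's full DN.
role_filter() { printf '(member=%s)' "$1"; }

# Read LDIF (ldapsearch -LLL -o ldif-wrap=no) on stdin and print the first dn.
# Base64-encoded values ("dn::", non-ASCII DNs) are not decoded here.
extract_dn() { sed -n 's/^dn: //p' | head -n 1; }
# Print the "name" attribute of each group: that is the plugin's default
# rolename attribute, so these are the backend roles roles_mapping sees.
extract_roles() { sed -n 's/^name: //p'; }

# resolve_roles <login>: prints one backend role per line, exit 1 if no user.
resolve_roles() {
  dn=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URL" -D "$BIND_DN" \
         -y "$BIND_PW_FILE" -b "$USERBASE" "$(user_filter "$1")" dn | extract_dn)
  if [ -z "$dn" ]; then
    echo "no entry for $1 under $USERBASE (check userbase/usersearch)" >&2
    return 1
  fi
  ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URL" -D "$BIND_DN" \
    -y "$BIND_PW_FILE" -b "$ROLEBASE" "$(role_filter "$dn")" name | extract_roles
}

# Constructed LDIF, shaped like what the two ldapsearch calls return for user
# jdoe, so the parsing can be exercised without a directory.
SAMPLE_USER_LDIF='dn: CN=jdoe,CN=Users,DC=local,DC=local
sAMAccountName: jdoe'
SAMPLE_ROLE_LDIF='dn: CN=es-admins,OU=GroupsNew,DC=local,DC=local
name: es-admins

dn: CN=es-readers,OU=GroupsNew,DC=local,DC=local
name: es-readers'

if [ -n "${1:-}" ]; then resolve_roles "$1"; fi
```

If the second search returns nothing while the first finds the user, the backend roles will be empty and roles_mapping has nothing to match, which is the usual reason an LDAP user authenticates but gets no permissions.
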

Thank you very much for your answers, they have been very useful, but it does not solve the question completely.
My question is whether I can just use the security plugin to connect to my LDAP server; I only need it for this, but bringing up the container returns this:
"org.elasticsearch.ElasticsearchException: opendistro_security.ssl.transport.keystore_filepath or opendistro_security.ssl.transport.server.pemcert_filepath and opendistro_security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested."

I have added the option "opendistro_security.ssl.http.enabled: false" in elasticsearch.yml, but it doesn't seem to work. Is there any way to disable transport layer and REST layer security?

@jessualuq
TLS on the transport layer is a must; the rest is optional. See the minimum config for elasticsearch.yml below:

opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: false
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=node,O=node,L=test,DC=de
opendistro_security.nodes_dn:
  - "CN=node*.example.com,OU=node,O=node,L=test,DC=de"
opendistro_security.restapi.roles_enabled: ["all_access"]

In the above case the kibana.yml file should be updated not to use https to communicate with Elasticsearch.

Hope this helps
