Ldap & AD SSL config and truststore

Hi,
I have OD setup on kubernetes using:

  • Open Distro Security Admin v7
  • opendistro-for-elasticsearch:1.12.0
  • opendistro-for-elasticsearch-kibana:1.12.0

The structure is as follows:
1x opendistro-es-client pod
1x opendistro-es-kibana pod
3x opendistro-es-data pods
3x opendistro-es-master pods

OD is up and running and I can log in with admin and my mounted configmap after running securityadmin.sh. I am trying to get LDAP working using SSL to connect to my MS AD server and I get complaints about wanting to use ‘opendistro_security.ssl.transport.truststore_filepath’

I have attempted to create a truststore but it then breaks the local user login. My questions are as follows:

  1. Which service do you configure the ldap config on (client, kibana data nodes or master nodes or all). I only want kibana to auth against ldap for login and not mess up inter node certs/pem
  2. Do you need authc and authz
  3. Must you use a truststore to auth against AD

The errors I am seeing in the logs are as follows:
Unable to connect to ldapserver ldap.example.com:636 due to ElasticsearchException[Empty file path for opendistro_security.ssl.transport.truststore_filepath]. Try next.
Authentication finally failed for user@example.com from 10.40.xx.yy:55158

Here are my config files:
config.yml: (currently on opendistro-es-client pod)

config:
dynamic:
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: false
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal
ldap:
description: “Authenticate via LDAP or Active Directory”
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: ldap
config:
enable_ssl: true
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
hosts:
- ldap.example.com:636
bind_dn: “CN=s_ldap_auth_opendist,OU=Generic,OU=ServiceAccounts,OU=Users,OU=Anzo,DC=corp,DC=example,DC=com”
password: “mypassword”
userbase: ‘OU=Anzo,DC=corp,DC=example,DC=com’
usersearch: ‘(sAMAccountName={0})’
username_attribute: sAMAccountName

elasticsearch.yml:

cluster.name: “elasticsearch”
network.host: 0.0.0.0
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de
    opendistro_security.audit.type: internal_elasticsearch
    opendistro_security.enable_snapshot_restore_privilege: true
    opendistro_security.check_snapshot_restore_write_privileges: true
    opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
    opendistro_security.system_indices.enabled: true
    opendistro_security.system_indices.indices: [".opendistro-alerting-config", “.opendistro-alerting-alert*”, “.opendistro-anomaly-results*”, “.opendistro-anomaly-detector*”, “.opendistro-anomaly-checkpoints”, “.opendistro-anomaly-detection-state”, “.opendistro-reports-", ".opendistro-notifications-”]
    cluster.routing.allocation.disk.threshold_enabled: false
    node.max_local_storage_nodes: 3

If you need any other config files, please let me know. The documentation around SSL to AD and how to create a truststore is very vague and incomplete in my opinion. Any help would be much appreciated.

Regards
Darrell

Just as an update, my kibana config has environment overides and is pointing to the es-client service as its source of info:

Hi,
I seem to have fixed this to a certain degree. Login is now possible. I created a file called “create_truststore.sh” and mounted this file as config/create_truststore.sh

mountPath: /usr/share/elasticsearch/config/create_truststore.sh
name: create-truststore
subPath: create_truststore.sh

I then added a lifecycle update on podstart as follows:
lifecycle:
postStart:
exec:
command: ["/usr/bin/bash", “-c”, “/usr/share/elasticsearch/config/create_truststore.sh”]

and mounted a configmap: (with permissions)
name: create-truststore
configMap:
name: create-truststore
defaultMode: 0777

The truststore.sh file in the configmap is as follows:
data:
create_truststore.sh: |-
/usr/bin/yum install openssl -y

cd /usr/share/elasticsearch/config

openssl s_client -connect ldap.example.com:636 < /dev/null |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/share/elasticsearch/config/ldap.example.com.crt

/opt/jdk/bin/keytool -genkey -alias truststore -keyalg RSA -keystore /usr/share/elasticsearch/config/truststore.jks -dname "CN=Mark Smith, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US" -storepass changeit -keypass changeit -validity 10000

/opt/jdk/bin/keytool -import -file /usr/share/elasticsearch/config/ldap.example.com.crt -alias myldap -keystore truststore.jks -storepass changeit -noprompt

This has fixed it and upon pod restart this will apply the truststore

I hope this helps anyone else that may experience a similar issue.

Regards