LDAP for OpenDistro ES NOT WORKING!

I have been through a lot of documents to get LDAP auth for Open Distro, but I cannot get my LDAP auth working. Can someone please give a step-by-step process for how I can make LDAP work with Open Distro?

Yes, I have tried Amazon's LDAP Integration for Open Distro for Elasticsearch | AWS Open Source Blog, but it lacks a lot of information and has not been useful for me.

Can anyone please explain step by step how I can set everything up?

Thank you in advance.

Hi, in my case it works only when I specify the full name of the service user.
bind_dn: cn=firstname lastname,ou=country,dc=domain,dc=com

Is there anything else I need to set? Because I am getting the error "Authentication finally failed for user x". It looks like it's not connecting to my LDAP at all. Is there any test that I can perform in order to at least see if my LDAP connection works?

First of all, check network access between your server and LDAP (port 389 by default). Then look in the Kibana logs for the detailed LDAP error. Also, there is a utility on Linux named ldapwhoami; if you pass the correct parameters (bind DN/password, server/port) you can check the LDAP connection and a basic search for this DN. Then you can use the ldapsearch utility to actually search for the user. If that works fine, then Kibana LDAP should also work fine.
Consult your admins for the correct LDAP directory search base and the parameter used for user login (e.g. sAMAccountName).

Based on my experience, LDAP auth works fine. Also, can you post some logs with the errors and your config (without passwords)?

Hi, thanks for the response. Can you please give me an example of how I can check the LDAP connection from the command line?

I found that if you set enabled: true in 1.0 it will not work at all! In the previous version I used it in my configuration, but in 1.0 I commented it out, and then it started working.

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        # enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - 192.168.0.1:389
            bind_dn: cn=user,ou=country,dc=domain,dc=com
            password: pass
            userbase: 'dc=domain,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: cn

It's the same error I'm getting D:
Could you solve it?

I had the same problem and I solved it by changing my config.yml this way:

authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 1

Were you able to get SSL working with LDAP?

This question was not about SSL over LDAP, but I have gotten LDAPS working for authentication and authorization. I am still working on access to Kibana with an LDAP user, but I may be able to help. If you haven't yet, you may want to post a question specifically about LDAPS if that's what you need help with.

Hey, sorry for hijacking the thread earlier. Yes, I have got it working now. Thanks anyways. Cheers.

@kiowajoe I'm having trouble configuring LDAPS. Could you please help me? Thanks. Configuration for LDAPS

Hi,
Is your LDAP with Open Distro working fine now?

Hello, I have configured LDAP with Open Distro. Meanwhile I ran the ldapsearch command, and it could authenticate with the user password. But when I run this command:

curl -XGET "http://127.0.0.1:9200/_search" -H 'Content-Type: application/json' -d'
{
  "query": {
    "match_all": {}
  }
}' -u esuser1 --insecure

it shows me unauthorized. Below is my config.yml file:

authc:
  ldap:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - 10.0.1.103:389
        bind_dn: cn=esuser1 rp,OU=test,dc=testad,dc=com
        password: test@321!
        userbase: 'OU=test,dc=testad,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: uid

authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - 10.0.1.103:389
        bind_dn: cn=esuser1 rp,OU=test,dc=testad,dc=com
        password: test@321!
        rolebase: 'ou=groups,dc=testad,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        #userrolename: disabled
        userrolename: 'memberOf'
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'OU=test,dc=testad,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'

Here is my elasticsearch log.

Unable to connect to ldapserver testad.com:389 due to [org.ldaptive.LdapException@1472499645::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]]. Try next.
[2019-12-17T10:58:33,988][WARN ][c.a.o.s.a.BackendRegistry] [ZaCBDvI] Authentication finally failed for esuser1 from 127.0.0.1:51872
[2019-12-17T10:58:33,998][INFO ][o.e.c.m.MetaDataMappingService] [ZaCBDvI] [security-auditlog-2019.12.17/6jKV-ZPFSTKj1Xo5gxBggQ] update_mapping [auditlog]

Need some help.
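The two artefacts in the post above, the config.yml section and the "error code 49 ... data 52e" log line, can be triaged mechanically. The helper below is an added example, not code from this thread or from Open Distro. It maps the Active Directory bind sub-code in the log line to its documented meaning and checks the config for the pitfalls raised earlier in the thread (the `enabled:` key that broke 1.0, missing `{0}` placeholders, plain-text binds on port 389, and authc/authz `usersearch` filters that differ). SAMPLE_CONFIG is a constructed dict hand-converted from the poster's YAML, trimmed to the keys the checks look at, so no YAML parser is needed; SAMPLE_LOG is the log line quoted in the post.

```python
"""Triage helpers for an Open Distro LDAP bind failure (added example)."""
import re

# Active Directory bind-failure sub-codes that follow "data" in an
# "AcceptSecurityContext error" message (LDAP result code 49).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for the DN that tried to bind)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

HOST_RE = re.compile(r"Unable to connect to ldapserver (\S+) due to")
RESULT_RE = re.compile(r"resultCode=([A-Z_]+)")
CODE_RE = re.compile(r"LDAP: error code (\d+)")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")


def explain_ldap_error(line):
    """Pull host, LDAP result code and AD sub-code out of one ES log line."""
    host = HOST_RE.search(line)
    if not host:
        return None
    info = {"host": host.group(1)}
    for key, rx in (("result", RESULT_RE), ("code", CODE_RE), ("ad_subcode", SUBCODE_RE)):
        m = rx.search(line)
        if m:
            info[key] = m.group(1)
    if "ad_subcode" in info:
        info["meaning"] = AD_BIND_SUBCODES.get(info["ad_subcode"], "unknown sub-code")
    return info


def lint_ldap_config(cfg):
    """Flag the config pitfalls raised in this thread; returns (code, message) pairs."""
    findings = []
    authc = cfg["authc"]["ldap"]
    if "enabled" in authc:  # the key that stopped working in 1.0 per the thread
        findings.append(("legacy-enabled-key",
                         "authc.ldap sets 'enabled'; 1.x expects http_enabled/transport_enabled"))
    for key in ("http_enabled", "transport_enabled"):
        if authc.get(key) is not True:
            findings.append(("not-enabled", f"authc.ldap.{key} is not true"))
    authc_cfg = authc["authentication_backend"]["config"]
    authz_cfg = cfg["authz"]["roles_from_myldap"]["authorization_backend"]["config"]
    for name, c in (("authc", authc_cfg), ("authz", authz_cfg)):
        if "{0}" not in c.get("usersearch", ""):
            findings.append(("missing-placeholder", f"{name} usersearch has no {{0}} for the username"))
        if not c.get("enable_ssl") and not c.get("enable_start_tls"):
            findings.append(("cleartext-bind",
                             f"{name}: bind_dn password is sent in cleartext to {c.get('hosts')}"))
    if "{0}" not in authz_cfg.get("rolesearch", ""):
        findings.append(("missing-placeholder", "authz rolesearch has no {0} for the user DN"))
    if authc_cfg.get("usersearch") != authz_cfg.get("usersearch"):
        findings.append(("usersearch-mismatch",
                         "authc and authz usersearch filters differ; confirm both resolve the same entry"))
    return findings


# Constructed: the poster's config.yml, trimmed to the keys the lint reads.
SAMPLE_CONFIG = {
    "authc": {"ldap": {
        "http_enabled": True, "transport_enabled": True, "order": 1,
        "authentication_backend": {"type": "ldap", "config": {
            "enable_ssl": False, "enable_start_tls": False, "hosts": ["10.0.1.103:389"],
            "bind_dn": "cn=esuser1 rp,OU=test,dc=testad,dc=com",
            "userbase": "OU=test,dc=testad,dc=com",
            "usersearch": "(sAMAccountName={0})", "username_attribute": "uid"}}}},
    "authz": {"roles_from_myldap": {
        "http_enabled": True, "transport_enabled": True,
        "authorization_backend": {"type": "ldap", "config": {
            "enable_ssl": False, "enable_start_tls": False, "hosts": ["10.0.1.103:389"],
            "rolebase": "ou=groups,dc=testad,dc=com", "rolesearch": "(member={0})",
            "userbase": "OU=test,dc=testad,dc=com", "usersearch": "(uid={0})"}}}},
}

# The log line quoted in the post above.
SAMPLE_LOG = ("Unable to connect to ldapserver testad.com:389 due to [org.ldaptive.LdapException"
              "@1472499645::resultCode=INVALID_CREDENTIALS, matchedDn=null, message=javax.naming."
              "AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, "
              "comment: AcceptSecurityContext error, data 52e, v3839]]. Try next.")

if __name__ == "__main__":
    print(explain_ldap_error(SAMPLE_LOG))
    for code, msg in lint_ldap_config(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

The "Try next" at the end of the log line means the plugin gave up on that host after the bind as `bind_dn` itself was rejected, so the first thing worth confirming is the service-account DN and password, independently of any user lookup; the two `cleartext-bind` findings are the reminder that, with `enable_ssl` and `enable_start_tls` both false, that password crosses the network unprotected on every bind.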

Did anyone get normal LDAP to work with SSL configured in ES?

Hey, @shaggy, did you fix this error? Right now I can't authenticate myself against my LDAP server.

@macyselk Yes, I am able to authenticate LDAP for ES. I have followed these docs; follow the links below.

This is the LDAP authentication check command:

ldapsearch -H "ldap://test.example.com:389" -D "cn=firstname lastname,ou=users,dc=starwars,dc=com" -W -b "ou=users,dc=starwars,dc=com"

https://aws.amazon.com/blogs/opensource/ldap-integration-for-open-distro-for-elasticsearch/
https://stackoverflow.com/questions/55464630/search-guard-ldap-authentication-authentication-finally-failed-for-user-elas
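The ldapwhoami/ldapsearch preflight recommended earlier in the thread, and the ldapsearch command in the post above, are most useful when they are built from exactly the values in config.yml, so that the bind DN, search base and filter tested by hand are the ones the plugin will send. The script below is an added example, not code from this thread, from Open Distro or from the OpenLDAP tools; it assembles the two commands from those values, substitutes `{0}` in the `usersearch` filter the way the config comment describes (with the login name escaped per RFC 4515 so it cannot change the filter's structure), and runs them only when the tools are installed. The host, DN and base values in the `__main__` section are constructed placeholders.

```python
"""Build and run the LDAP preflight from config.yml values (added example)."""
import shlex
import shutil
import subprocess

# RFC 4515 escaping for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a login name before it is substituted for {0} in usersearch."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_url(host, enable_ssl=False):
    """Turn a config 'hosts' entry (host:port) into the -H URL; ldaps when enable_ssl is set."""
    return ("ldaps://" if enable_ssl else "ldap://") + host


def whoami_cmd(host, bind_dn, enable_ssl=False):
    """Step 1: can the service account (bind_dn) bind at all? -W prompts for the password."""
    return ["ldapwhoami", "-x", "-H", ldap_url(host, enable_ssl), "-D", bind_dn, "-W"]


def search_cmd(host, bind_dn, base, filter_template, username, enable_ssl=False, attrs=("1.1",)):
    """Step 2: does usersearch, with {0} replaced by the login name, find the user under userbase?

    attrs defaults to "1.1", the RFC 4511 marker for 'no attributes', so only the DN is printed.
    """
    ldap_filter = filter_template.replace("{0}", escape_filter_value(username))
    return ["ldapsearch", "-x", "-LLL", "-H", ldap_url(host, enable_ssl), "-D", bind_dn, "-W",
            "-b", base, ldap_filter, *attrs]


def render(cmd):
    """Shell-quoted form of the command, for pasting into a terminal."""
    return shlex.join(cmd)


def run(cmd):
    """Run the command if the tool is installed; return its exit code, or None if it is missing."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Constructed placeholders standing in for the config.yml values.
    host = "ldap.example.test:389"
    bind_dn = "cn=svc-es,ou=service,dc=example,dc=test"
    userbase = "ou=people,dc=example,dc=test"
    usersearch = "(sAMAccountName={0})"
    for cmd in (whoami_cmd(host, bind_dn),
                search_cmd(host, bind_dn, userbase, usersearch, "esuser1")):
        print(render(cmd))
        rc = run(cmd)
        print("  ->", "tool not installed" if rc is None else f"exit code {rc}")
```

Run step 1 first: an exit code of 49 from ldapwhoami reproduces the `INVALID_CREDENTIALS` seen in the Elasticsearch log and isolates the problem to the service-account credentials, before any user search is involved.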

Hi @macyselk, did you get this working? If not, share your configs please (redact any sensitive details).