Need configuration mechanism for the Open Distro Elasticsearch configuration for LDAP/AD authentication without providing a bind DN user in the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml file

Hello,

I need some information on the configuration file changes for Open Distro to connect with LDAP/AD without providing the bind user and password in the path mentioned below:

nano /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml

In the above-mentioned file we provide the DN name, the DN login info and the groups used for role-based access; this is where we provide the bind user login and password. The requirement is to connect to the AD/LDAP users without giving the bind user credentials in that file.

Any quick suggestions/answers are helpful.

Thanks,

[Moved to the security category since LDAP is managed by that plugin]

Hello @wazuhsai

What version of ODFE are you running? What is your AD solution?

ODFE is version 7.10.2 and the security plugin is version 1.13.2.

Active Directory version is Windows Server 2012 R2 Standard Evaluation.

Requirement: an LDAP configuration for Open Distro that works without providing the bind user login credentials in the config.yml file, as in the configuration mentioned above.

@wazuhsai

Thanks for the details.

The LDAP authentication requires a bind DN. However, you could enable anonymous access with read privileges to your users OU. Then in config.yml both bind_dn and password have to be set to null.

Thanks for the quick response. Can you please provide a code snippet or configuration showing how we can add the anonymous LDAP user in the Elasticsearch configuration file config.yml?

@wazuhsai

As per the mentioned documentation, you have to set both bind_dn and password to null in config.yml.

  # authc domain; this block sits under config.dynamic.authc in config.yml
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 5
    http_authenticator:
      type: "basic"
      challenge: true
    authentication_backend:
      type: "ldap"
      config:
        # plain LDAP, no TLS: the user's basic-auth password is forwarded to AD in cleartext
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        # standard cleartext LDAP port is 389 (636 for LDAPS)
        - "<AD_server_FQDN_or_IP>:389"
        # null on both = anonymous bind for the user search; AD must allow anonymous read on the OU
        bind_dn: null
        password: null
        userbase: "cn=users,dc=example,dc=org"
        # {0} is replaced with the login name supplied in the basic-auth header
        usersearch: "(sAMAccountName={0})"
        username_attribute: "cn"

No need to change anything in elasticsearch.yml

Before you apply this configuration to your setup, you'll need to enable the Anonymous user at the target OU.
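As an added illustration (not part of the answer above and not Open Distro project code), here is the anonymous-bind authc domain from the reply in two variants: the cleartext form as posted, and the same anonymous bind carried over LDAPS with the domain controller's CA pinned. The host name dc01.example.org, the CA path and the OU are assumptions; pick one variant, since both use order 5.

```yaml
# Added example, not from the forum post. Both domains go under
# config.dynamic.authc in config.yml and keep bind_dn/password null
# (anonymous bind). Host, CA path and OU are assumed values.

# --- Variant A: as posted; acceptable only in a lab ---
# Cleartext LDAP on 389 with hostname verification off: the basic-auth
# password is forwarded to AD unencrypted and the server is never authenticated.
ldap_plain_lab_only:
  description: "LDAP/AD over cleartext LDAP (lab only)"
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
        - "dc01.example.org:389"      # assumed domain controller
      bind_dn: null                   # anonymous bind for the user search
      password: null
      userbase: "cn=users,dc=example,dc=org"
      usersearch: "(sAMAccountName={0})"
      username_attribute: "cn"

# --- Variant B: same anonymous bind, but over LDAPS with a pinned CA ---
ldap_ldaps_anonymous:
  description: "LDAP/AD over LDAPS, anonymous bind for the search"
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: true                # LDAPS on 636
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true          # reject a certificate that does not match the host
      # CA that issued the domain controller certificate (path is an assumption)
      pemtrustedcas_filepath: "/usr/share/elasticsearch/config/ad-ca.pem"
      hosts:
        - "dc01.example.org:636"
      bind_dn: null
      password: null
      userbase: "cn=users,dc=example,dc=org"
      usersearch: "(sAMAccountName={0})"
      username_attribute: "cn"
```

Two checks before loading this with securityadmin.sh: first, confirm from the Elasticsearch host that an unauthenticated search actually returns the user entry, e.g. `ldapsearch -x -H ldaps://dc01.example.org:636 -b "cn=users,dc=example,dc=org" "(sAMAccountName=someuser)" dn` (with `-x` and no `-D`, ldapsearch binds anonymously); if that returns nothing, the plugin will not find the user either. Second, if you also use an LDAP authz backend for group-to-role mapping, it opens its own connection with the same connection keys, so bind_dn and password must be null there as well. Note that Active Directory blocks anonymous LDAP operations beyond the rootDSE by default; allowing them means setting the forest dSHeuristics flag (7th character to 2) and granting ANONYMOUS LOGON read access on the OU, which makes that part of the directory readable to anyone who can reach the LDAP port. Removing the bind credentials from config.yml is traded against that wider read surface.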