Need some configuration for LDAP with ODFE version 7.10.2

Hi,

I have followed the configuration below for LDAPS with ODFE 7.10.2:

1. In the configuration file (nano /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml):

authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: true
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
        - example.com:636
        bind_dn: cn=admin,dc=example,dc=com
        password: admin123
        userbase: 'ou=Peoples,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(cn={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: cn
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: true
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
        - example.com:636
        bind_dn: cn=admin,dc=example,dc=com
        password: admin123
        rolebase: 'ou=Peoples,dc=example,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: disabled
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'ou=Peoples,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(cn={0})'
        # Skip users matching a user name, a wildcard or a regex pattern
        #skip_users:
        #  - 'cn=Michael Jackson,ou*people,o=TEST'
        #  - '/\S*/'
  roles_from_another_ldap:
    description: "Authorize via another Active Directory"
    http_enabled: false
    transport_enabled: false
    authorization_backend:
      type: ldap
      #config goes here ...

2. But after restarting securityadmin.sh and the Elasticsearch service, with LDAPS the connection is not being established for the Open Distro Elasticsearch/Kibana logins.

Are any configuration changes required for LDAPS in the Elasticsearch configuration?

Thanks,

Hi @wazuhsai

Checked your config and have some questions.

  1. “bind_dn: cn=admin,dc=example,dc=com” - Is your admin user located directly under example.com, or is it in the Users container?

  2. userbase: ‘ou=Peoples,dc=example,dc=com’ - Do you have your users under this bind, or are they maybe in the Users container?

  3. You’ve enabled StartTLS, but you didn’t define a trusted CA. Is your AD using an SSL certificate signed by an external, well-known CA, or is it self-signed?

  4. Have you checked whether the ES node can resolve the FQDN of the DC server?

  5. Have you tried disabling TLS and testing with an unsecured connection first (AD port 389)?

Hi, the following are my responses to the questions mentioned:

1. Yes, the admin user is present directly under the DN.
2. I have created the users under ou=Peoples,dc=example,dc=com with the cn attribute.
3. Yes, I have enabled STARTTLS, but at this point I don't have configuration info on where to add the CA certificate of the SSL cert to the Elasticsearch configuration. (My OpenLDAP is enabled
with a self-signed SSL certificate.)
4. Yes, the ES node can resolve the FQDN of the OpenLDAP server; it was verified.
5. For this point, it worked fine when we disabled the TLS and SSL configuration in config.yml and used port 389.

Thanks,

@wazuhsai

I wasn’t aware that you use OpenLDAP. Have a look at this thread.

It was found that OpenLDAP fails to work with STARTTLS, as for binding it will use the anonymous user and not the bind_dn value.

The workaround there was to use either SSL, or to enable anonymous access in OpenLDAP and keep STARTTLS on. Unfortunately, the second workaround opens the door to OpenLDAP wide.

Also, in your config you’re pointing to port 636. STARTTLS uses port 389.

Hello Pablo,

I need some clear information about how the SSL certificate and connection are established to the ODFE node in config.yml with a self-signed SSL certificate.

Thanks,

Hello @wazuhsai

One of the parameters below is required in config.yml if your LDAP IdP (i.e. OpenLDAP, Active Directory) runs with self-signed certificates and either STARTTLS or SSL is in use.

The SSL certificate should be either the certificate of the LDAP IdP or the root CA that was used to sign the LDAP IdP cert.

pemtrustedcas_filepath: "<certificate_file>"

or

pemtrustedcas_content: |-
  -----BEGIN CERTIFICATE-----
  MIICrjCCAjWgAwIBAgIUcun3KuyYiVryQCfOcWz7gNP0x/AwCgYIKoZIzj0EAwMw
  gZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgTWV4aWNvMRQwEgYDVQQHEwtB
  .......................................................
  -----END CERTIFICATE-----

Please find example config below.

Thank you Pablo, I will try and check with the above configuration.

Hello Pablo

It worked with the above configuration for LDAPS on port 636.

Thanks a lot,
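The thread boils down to two configuration errors that Pablo spotted: STARTTLS requested against the LDAPS port 636, and TLS enabled without telling the security plugin which CA to trust. The script below is an added example written for this page (not code from the Open Distro project, not the plugin's own validation, and not from any post above): a small lint over the `config:` block of an LDAP backend that flags exactly those mistakes, plus the obvious neighbours (both TLS modes on at once, no TLS at all, hostname verification switched off). The sample configs are constructed from the posted snippet and from the final working LDAPS setup; the bind password is redacted and the CA file path is an assumption. The key names used are the plugin's LDAP settings as they appear in the thread. Plain dicts stand in for the YAML so the script runs without PyYAML.

```python
"""Lint an Open Distro security-plugin LDAP backend `config:` block for the TLS
mistakes discussed in this thread.

Added example: not Open Distro code and not the plugin's own validation logic.
The rules are heuristics written for this page. Key names (enable_ssl,
enable_start_tls, verify_hostnames, hosts, pemtrustedcas_filepath,
pemtrustedcas_content) are the plugin's LDAP settings as used in the thread.
"""

LDAPS_PORT = 636   # implicit TLS from the first byte (enable_ssl: true)
LDAP_PORT = 389    # plain LDAP; STARTTLS is negotiated on this port


def port_of(host: str, ssl: bool) -> int:
    """Return the port of a `host[:port]` entry, defaulting per TLS mode."""
    if ":" in host and host.rsplit(":", 1)[1].isdigit():
        return int(host.rsplit(":", 1)[1])
    return LDAPS_PORT if ssl else LDAP_PORT


def lint_ldap_backend(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    ssl = bool(cfg.get("enable_ssl", False))
    starttls = bool(cfg.get("enable_start_tls", False))
    has_ca = bool(cfg.get("pemtrustedcas_filepath") or cfg.get("pemtrustedcas_content"))

    if ssl and starttls:
        findings.append("enable_ssl and enable_start_tls are both true; "
                        "use LDAPS (enable_ssl) or STARTTLS, not both")
    if not (ssl or starttls):
        findings.append("no TLS at all; the bind_dn password crosses the wire in clear text")

    for host in cfg.get("hosts", []):
        port = port_of(host, ssl)
        if starttls and not ssl and port == LDAPS_PORT:
            findings.append(f"{host}: STARTTLS is negotiated on the plain LDAP port (389); "
                            f"port 636 expects TLS from the first byte (enable_ssl: true)")
        if ssl and port == LDAP_PORT:
            findings.append(f"{host}: enable_ssl is true but the host points at the plain LDAP port 389")

    if (ssl or starttls) and not has_ca:
        findings.append("TLS is on but neither pemtrustedcas_filepath nor pemtrustedcas_content is set; "
                        "a self-signed or private-CA server cert is rejected unless its CA is already "
                        "in the JVM truststore")
    if (ssl or starttls) and cfg.get("verify_hostnames", True) is False:
        findings.append("verify_hostnames is false; a valid cert for any other name would be accepted")
    return findings


# Constructed from the config posted in the thread: STARTTLS requested, host on 636, no CA.
THREAD_CONFIG = {
    "enable_ssl": False,
    "enable_start_tls": True,
    "enable_ssl_client_auth": False,
    "verify_hostnames": True,
    "hosts": ["example.com:636"],
    "bind_dn": "cn=admin,dc=example,dc=com",
    "password": "<redacted>",
    "userbase": "ou=Peoples,dc=example,dc=com",
    "usersearch": "(cn={0})",
    "username_attribute": "cn",
}

# LDAPS variant matching what finally worked: implicit TLS on 636 plus the self-signed
# server cert (or its issuing CA) trusted via pemtrustedcas_filepath. The path is assumed.
LDAPS_CONFIG = dict(THREAD_CONFIG, enable_ssl=True, enable_start_tls=False,
                    pemtrustedcas_filepath="/usr/share/elasticsearch/config/ldap-ca.pem")

# STARTTLS done consistently on paper: plain port 389 and the same trust anchor. The thread
# reports OpenLDAP still binding anonymously under STARTTLS, which no config lint can detect.
STARTTLS_CONFIG = dict(THREAD_CONFIG, hosts=["example.com:389"],
                       pemtrustedcas_filepath="/usr/share/elasticsearch/config/ldap-ca.pem")

if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CONFIG), ("ldaps", LDAPS_CONFIG), ("starttls", STARTTLS_CONFIG)):
        findings = lint_ldap_backend(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is and the posted config yields the two findings the replies pointed out, while the LDAPS and STARTTLS variants pass. The lint is deliberately static: it cannot tell whether the directory actually presents a certificate chaining to the file named in `pemtrustedcas_filepath`, so treat a clean result as "the settings are consistent", not "the connection will work".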