OpenSearch LDAP

OpenSearch has a plugin that performs security functions. One of the plugin's sections provides LDAP integration. This piece is about how to get that functioning and the steps taken at ElectricBrain to get it working.

One of the first things is to have an LDAP replica which can be set up to provide debug output. Head over to the LDAP page here to see how that was done. Armed with debug output it is possible to see what OpenSearch sends over as far as queries go.

Setting up logging to show progress through the security plugin didn't show anything of interest. This was essentially because so much output was produced that, unless you are familiar with the code, it's very easy to become overwhelmed.

The solution here was to put the LDAP server into debug mode, and (after many hours of experimentation) it became clear that OpenSearch wasn't even attempting to send queries. This turned out to be a pivotal moment, as it led to the discovery that fiddling with the security plugin's config.yml actually doesn't do anything until the securityadmin.sh program is run to update the running configuration.

Searching the web produces the Active Directory and LDAP page with a fine example, including working containers, of a complete setup. However, this page fails to mention that nothing will happen if changes are made to config.yml and are not applied using securityadmin.sh. In fact there is a whole section, appropriately named Apply changes using securityadmin.sh, in the documentation which points this out. Doh!

The command used to load all settings was:

./securityadmin.sh -cd ../securityconfig/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/kirk.pem \
  -key ../../../config/kirk-key.pem

The security plugin's config.yml needed a couple of additions to get SSL encryption running to the LDAP server:

config:
  # enable ldaps
  enable_ssl: true
  pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca-localdomain.crt

Furthermore, don't forget to adjust the host URL to use :636 instead of :389 (the unencrypted default port; this depends on the local setup).
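The two settings above and the port change are easy to get half right: enable_ssl without a trusted CA, or a :636 host with enable_ssl still false, both fail quietly until securityadmin.sh is run and the bind attempt goes nowhere. The script below is an added example (not code from the page or from the OpenSearch project) that lints the LDAP authentication backends in the config.dynamic.authc section of config.yml before the settings are applied. In practice the section is read with yaml.safe_load(); here a constructed dict in the same shape stands in for it so the script runs offline. The hostnames, bind DN and user base are placeholders; the CA path is the one from the page.

```python
"""Lint LDAP authentication backends in an OpenSearch security config.yml.

Added example, not project code. Checks each authc domain whose backend is
of type ldap for the LDAPS consistency rules described on the page:
  * a host on port 636 must have enable_ssl set,
  * enable_ssl must come with a trusted CA (pemtrustedcas_filepath/_content),
  * a host on port 389 without SSL or StartTLS sends credentials in clear.
"""
from urllib.parse import urlsplit

LDAPS_PORT = 636
LDAP_PORT = 389

# Constructed sample in the shape of config.yml -> config.dynamic.authc.
# Hostnames and DNs are placeholders; the CA path is the one from the page.
SAMPLE_AUTHC = {
    "ldap": {
        "http_enabled": True,
        "order": 1,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {
            "type": "ldap",
            "config": {
                "enable_ssl": True,
                "pemtrustedcas_filepath": "/usr/share/opensearch/config/root-ca-localdomain.crt",
                "hosts": ["ldap.localdomain:636"],
                "bind_dn": "cn=admin,dc=example,dc=org",
                "userbase": "ou=people,dc=example,dc=org",
                "usersearch": "(uid={0})",
            },
        },
    },
}

# Constructed sample with the two mistakes the page warns about.
INSECURE_AUTHC = {
    "ldap_plain": {
        "authentication_backend": {
            "type": "ldap",
            "config": {"enable_ssl": False, "hosts": ["ldap.localdomain:389"]},
        },
    },
    "ldap_no_ca": {
        "authentication_backend": {
            "type": "ldap",
            "config": {"enable_ssl": True, "hosts": ["ldap.localdomain:636"]},
        },
    },
}


def _port_of(host):
    """Return the port of 'host:port' or 'scheme://host:port', else None."""
    if "://" in host:
        return urlsplit(host).port
    _name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return None


def lint_ldap_backends(authc):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for domain, spec in authc.items():
        backend = spec.get("authentication_backend", {})
        if backend.get("type") != "ldap":
            continue
        cfg = backend.get("config", {})
        ssl = bool(cfg.get("enable_ssl", False))
        starttls = bool(cfg.get("enable_start_tls", False))
        hosts = cfg.get("hosts", [])
        if not hosts:
            findings.append(f"{domain}: no LDAP hosts configured")
        for host in hosts:
            port = _port_of(host)
            if port == LDAPS_PORT and not ssl:
                findings.append(f"{domain}: {host} is the LDAPS port but enable_ssl is false")
            if port in (LDAP_PORT, None) and not (ssl or starttls):
                findings.append(f"{domain}: {host} is plain LDAP; bind credentials cross the wire unencrypted")
            if ssl and port not in (LDAPS_PORT, None):
                findings.append(f"{domain}: enable_ssl is set but {host} is not on port {LDAPS_PORT}")
        has_ca = cfg.get("pemtrustedcas_filepath") or cfg.get("pemtrustedcas_content")
        if ssl and not has_ca:
            findings.append(f"{domain}: enable_ssl without pemtrustedcas_filepath; a private CA cannot be validated")
        if cfg.get("verify_hostnames") is False:
            findings.append(f"{domain}: verify_hostnames is disabled")
    return findings


if __name__ == "__main__":
    for label, authc in (("sample", SAMPLE_AUTHC), ("insecure", INSECURE_AUTHC)):
        print(f"[{label}]")
        for finding in lint_ldap_backends(authc) or ["clean"]:
            print("  " + finding)
    # The file is inert until securityadmin.sh pushes it into the running config.
    print("Remember: run securityadmin.sh after editing config.yml")
```

To use it against a real file, replace SAMPLE_AUTHC with yaml.safe_load(open("config.yml"))["config"]["dynamic"]["authc"] and run the lint before invoking securityadmin.sh; a non-empty findings list is the point at which to stop and fix config.yml rather than push it to the cluster.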