Truststore_filepath required for LDAP only?

sascha.herzinger · May 14, 2019, 12:48pm

Hello,

we had a working SearchGuard setup with basic auth. After adding LDAP to authc we suddenly got this error:

[2019-05-14T14:18:05,037][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [1.2.3.4-node-1] Unable to connect to ldapserver ldap.foo.bar:636 due to ElasticsearchException[Empty file path for searchguard.ssl.transport.truststore_filepath]. Try next.

As you can see from the config below we’re not using truststores, but PEM certificates. Any idea why this happens only when we try to use LDAP?

elasticsearch.yml

[...]
searchguard.enterprise_modules_enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.pemcert_filepath: ...
searchguard.ssl.transport.pemkey_filepath: ...
searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: ...
searchguard.ssl.http.pemkey_filepath: ...
searchguard.ssl.http.pemtrustedcas_filepath: ...
searchguard.nodes_dn:
  - ...
searchguard.authcz.admin_dn:
  - ...
searchguard.restapi.roles_enabled:
  - sg_all_access

sg_config.yml:

    searchguard:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            remoteIpHeader: x-forwarded-for
            proxiesHeader: x-forwarded-by
        authc:
          kibana_auth_domain:
            enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          ldap:
            enabled: true
            order: 2
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: ldap
              config:
                hosts:
                  - ...
                bind_dn: ...
                password: ...
                enable_ssl: true
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                userbase: ...
                usersearch: (uid={0})
                username_attribute: uid
        authz:

jkressin · May 14, 2019, 1:15pm

I think the error message is just plain wrong here. We’re refactoring the TLS settings at the moment, so they are consistent for all modules that use TLS.

In your case you should add the root CA PEM certificate that signed the LDAP certificate in the LDAP TLS config like:

          config:
            hosts:
              - ...
            bind_dn: ...
            password: ...
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: /path/to/trusted_ca(s).pem
            ...

Which might or might not be the same as your elasticsearch.yml:

searchguard.ssl.transport.pemtrustedcas_filepath

Sorry for the misleading error message.

sascha.herzinger · May 14, 2019, 1:27pm

Thanks a lot for the help!
That setting did “something”, but I can’t say if it’s better or worse. Apparently it still wants a keystore:

java.io.IOException: Invalid keystore format. Try next.

jkressin · May 14, 2019, 1:31pm

This is strange, maybe I am wrong regarding the version you are using. Is this SG5, SG6 or SG7?

sascha.herzinger · May 14, 2019, 1:32pm

This is the version that’s installed currently: com.floragunn:search-guard-6:6.7.1-24.3

Edit: Elastic runs on 6.7.1

jkressin · May 14, 2019, 1:49pm

Thanks. Can you please also add the complete stacktrace for this Exception?

sascha.herzinger · May 14, 2019, 1:52pm

Unfortunately there is no stacktrace. Just this one message. The logs above and below don’t seem to be related in any way.
I can send you the logs tomorrow via PM if you think there might be anything in it that helps.

[2019-05-14T15:25:55,624][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [1.2.3.4-node-1] Unable to connect to ldapserver …:636 due to java.io.IOException: Invalid keystore format. Try next.

jkressin · May 14, 2019, 1:55pm

Yes, please, it always helps to get the complete picture. You can send a PM, if you feel more comfortable with PGP you can also use our public key for info@search-guard.com:

sascha.herzinger · May 15, 2019, 7:08am

Apologies, your suggestion to add pemtrustedcas_filepath as a config option does actually work. I copied something else without realising.

Thank you very much for your help!

jkressin · May 15, 2019, 10:42am

Glad it works, because I was a bit at a loss regarding the error message and the configuration

Topic		Replies	Views
Receiving error configuring LDAP Auth Search Guard	4	551	May 22, 2020
Empty file path for searchguard.ssl.transport.truststore_filepath Search Guard	24	3106	March 15, 2018
Where to place LDAP pem files? Search Guard	6	436	December 20, 2018
Nable to connect to ldapserver due to OpenSearchException[Empty file path for plugins.security.ssl.transport.truststore_filepath]. Try next Search Guard	2	540	April 28, 2023
Still unable to connect to ldap due to empty truststore filepath Search Guard	3	627	July 31, 2019

Truststore_filepath required for LDAP only?

Related topics