Truststore_filepath required for LDAP only?

#1

Hello,

we had a working SearchGuard setup with basic auth. After adding LDAP to authc we suddenly got this error:

[2019-05-14T14:18:05,037][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [1.2.3.4-node-1] Unable to connect to ldapserver ldap.foo.bar:636 due to ElasticsearchException[Empty file path for searchguard.ssl.transport.truststore_filepath]. Try next.

As you can see from the config below we’re not using truststores, but PEM certificates. Any idea why this happens only when we try to use LDAP?

elasticsearch.yml

[...]
searchguard.enterprise_modules_enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.pemcert_filepath: ...
searchguard.ssl.transport.pemkey_filepath: ...
searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: ...
searchguard.ssl.http.pemkey_filepath: ...
searchguard.ssl.http.pemtrustedcas_filepath: ...
searchguard.nodes_dn:
  - ...
searchguard.authcz.admin_dn:
  - ...
searchguard.restapi.roles_enabled:
  - sg_all_access

sg_config.yml:

    searchguard:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            remoteIpHeader: x-forwarded-for
            proxiesHeader: x-forwarded-by
        authc:
          kibana_auth_domain:
            enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          ldap:
            enabled: true
            order: 2
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: ldap
              config:
                hosts:
                  - ...
                bind_dn: ...
                password: ...
                enable_ssl: true
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                userbase: ...
                usersearch: (uid={0})
                username_attribute: uid
        authz:
#2

I think the error message is just plain wrong here. We’re refactoring the TLS settings at the moment, so they are consistent for all modules that use TLS.

In your case you should add the root CA PEM certificate that signed the LDAP certificate in the LDAP TLS config like:

          config:
            hosts:
              - ...
            bind_dn: ...
            password: ...
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: /path/to/trusted_ca(s).pem
            ...

Which might or might not be the same as your elasticsearch.yml:

searchguard.ssl.transport.pemtrustedcas_filepath

Sorry for the misleading error message.

assigned jkressin #3
#4

Thanks a lot for the help!
That setting did “something”, but I can’t say if it’s better or worse. Apparently it still wants a keystore:

java.io.IOException: Invalid keystore format. Try next.

#5

This is strange, maybe I am wrong regarding the version you are using. Is this SG5, SG6 or SG7?

#6

This is the version that’s installed currently: com.floragunn:search-guard-6:6.7.1-24.3

Edit: Elastic runs on 6.7.1

#7

Thanks. Can you please also add the complete stacktrace for this Exception?

#8

Unfortunately there is no stacktrace. Just this one message. The logs above and below don’t seem to be related in any way.
I can send you the logs tomorrow via PM if you think there might be anything in it that helps.

[2019-05-14T15:25:55,624][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] [1.2.3.4-node-1] Unable to connect to ldapserver …:636 due to java.io.IOException: Invalid keystore format. Try next.

#9

Yes, please, it always helps to get the complete picture. You can send a PM, if you feel more comfortable with PGP you can also use our public key for info@search-guard.com:

https://search-guard.com/security/

#10

Apologies, your suggestion to add pemtrustedcas_filepath as a config option does actually work. I copied something else without realising.

Thank you very much for your help!

#11

Glad it works, because I was a bit at a loss regarding the error message and the configuration :wink:

closed #12