Where to place LDAP pem files?

  • Search Guard 6.4.0-32.0 and Elasticsearch Version: 6.4.0

  • Installed and used enterprise modules, LDAP authentication backend, LDAP authorization backend

  • Used Online TLS certificate generator

I have Elasticsearch & Search Guard working, with LDAP authentication & authorization, but for port 389 only.

When I try to enable port 636 I get the following error: “Empty file path for searchguard.ssl.transport.truststore_filepath”

I have a public pem certificate & intermediate to use, but am unsure of where to include them in Search Guard.

Currently my certificate configuration is this:

searchguard.ssl.transport.pemcert_filepath: searchguard/CN=o-siem01-ptp.domain.org.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: searchguard/CN=o-siem01-ptp.domain.org.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: searchguard/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: searchguard/CN=o-siem01-ptp.domain.org.crtfull.pem
searchguard.ssl.http.pemkey_filepath: searchguard/CN=o-siem01-ptp.domain.org.key.pem
searchguard.ssl.http.pemtrustedcas_filepath: searchguard/chain-ca.pem

Do I append the LDAP certificates to one of the existing pem files (searchguard/chain-ca.pem)? Or is there a directive I should be adding to my sg_config.yml file for certificates?

Thanks!

Please post your sg_config.yml

···

On Thursday, 20 December 2018 21:11:57 UTC+1, Peter wrote:


ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: false
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
      bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
      password: ""
      userbase: "CN=affiliated_person,dc=domain,dc=org"
      usersearch: "(cn={0})"
      username_attribute: "cn"

authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
        password: ""
        rolebase: "DC=domain,DC=org"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "CN=affiliated_person,dc=domain,dc=org"
        usersearch: "(cn={0})"
        username_attribute: "cn"
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: "ldap"

···

On Thursday, December 20, 2018 at 3:45:15 PM UTC-5, Search Guard wrote:

You have not enabled SSL for LDAP in sg_config.yml so far:

  enable_ssl: false
  enable_start_tls: false

and the port is still 389.

The easiest way is to include the certificate(s) directly as text in sg_config.yml.

You can also refer to a pem file in the config/ dir.

Do you need client authentication or is it just the CA?

···

On Thursday, 20 December 2018 22:02:15 UTC+1, Peter wrote:

Sorry, that was the working config (port 389). Here it is.

ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: true
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: false
      hosts:
      bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
      password: ""
      userbase: "CN=affiliated_person,dc=domain,dc=org"
      usersearch: "(cn={0})"
      username_attribute: "cn"

authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
        password: ""
        rolebase: "DC=domain,DC=org"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "CN=affiliated_person,dc=domain,dc=org"
        usersearch: "(cn={0})"
        username_attribute: "cn"
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: "ldap"

This worked for me. Adjust the file path and name to the cert location and name and put the following in the config in both authc and authz. Same level as ‘hosts’.

pemtrustedcas_filepath: /etc/elasticsearch/root.pem
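For reference, this is what the LDAPS variant of the sg_config.yml excerpt posted earlier in the thread looks like with Brian's key in place in both the authc and the authz backend. It is an added example, not configuration from the thread or from the Search Guard project; the directory host name and the CA path are placeholders, and every key name is one already used in this thread. It also sets verify_hostnames to true, since with it off the CA file only proves the peer holds a certificate issued by that CA, not that the peer is the directory server named under hosts.

```yaml
# Added example: LDAPS (port 636) variant of the sg_config.yml excerpt from this thread.
# The host name and the CA bundle path are placeholders; adjust them to your environment.
ldap:
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: true              # LDAPS: TLS from the first byte, so the port below is 636
      enable_start_tls: false       # use either LDAPS or StartTLS, not both
      enable_ssl_client_auth: false # only a trusted CA is needed here, no client certificate
      verify_hostnames: true        # match the server certificate against the host name below
      hosts:
        - ldap.placeholder.example:636   # placeholder; your directory server's FQDN and port
      # CA (root plus any intermediate, concatenated) that issued the directory server's
      # certificate, in PEM format. Same level as 'hosts'; repeated in the authz backend.
      pemtrustedcas_filepath: /etc/elasticsearch/root.pem   # placeholder path
      bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
      password: ""                  # placeholder; the bind account's password
      userbase: "CN=affiliated_person,dc=domain,dc=org"
      usersearch: "(cn={0})"
      username_attribute: "cn"

authz:
  roles_from_myldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - ldap.placeholder.example:636   # placeholder
        pemtrustedcas_filepath: /etc/elasticsearch/root.pem   # placeholder path, same file as above
        bind_dn: "CN=LDAPSync_Svc,OU=Service,OU=Users,DC=domain,DC=org"
        password: ""                  # placeholder
        rolebase: "DC=domain,DC=org"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "disabled"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "CN=affiliated_person,dc=domain,dc=org"
        usersearch: "(cn={0})"
        username_attribute: "cn"
```

The file at pemtrustedcas_filepath has to be readable by the user Elasticsearch runs as, and it has to contain the CA that actually issued the directory server's certificate (root plus any intermediate, concatenated). A quick way to confirm that before restarting the node is `openssl s_client -connect <ldap-host>:636 -CAfile /etc/elasticsearch/root.pem`, which should end with `Verify return code: 0 (ok)`; if it does not, Search Guard will reject the same handshake.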

Thank you! That worked perfectly.

Peter

···

On Thursday, December 20, 2018 at 5:49:32 PM UTC-5, Brian wrote:
