opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG]Helm deploy ldap connect not working #406

Open benbenai7786 opened 1 year ago

benbenai7786 commented 1 year ago

Hi guys,

I am trying to use LDAP authc with a Helm deployment. Here is my Helm version:

NAME                NAMESPACE   REVISION    UPDATED                                 STATUS      CHART                       APP VERSION
opensearch-ds1      opensearch  1           2023-03-17 11:35:19.70864169 +0800 CST  deployed    opensearch-dashboards-2.9.0 2.6.0
opensearch-test1    opensearch  28          2023-03-20 15:46:30.28341651 +0800 CST  deployed    opensearch-2.11.1           2.6.0

The first way I tried was to add the LDAP config in values.yaml, like below:

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret: 
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    dataComplete: true
    data: 
      config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            http:
              anonymous_auth_enabled: false
            authc:
              ldap:
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: basic
                  challenge: true
                authentication_backend:
                  type: ldap
                  config:
                    enable_ssl: false
                    enable_start_tls: false
                    enable_ssl_client_auth: false
                    verify_hostnames: false
                    hosts:
                      ...

but not working

Then I tried using a k8s secret to mount the config:

apiVersion: v1
kind: Secret
metadata:
  name: security-config-secret
  namespace: opensearch
type: Opaque
data:
  config.yml: $base64 content

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret: security-config-secret
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    dataComplete: true
    data: {}
#       config.yml: |-

still not working

There is no error in the OpenSearch cluster, and I can also see the config in /usr/share/opensearch/config/opensearch-security. Is there anything I missed?
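The LDAP backend in the config.yml above sets both enable_ssl and enable_start_tls to false, so the connection to the directory is unencrypted. The following is an added example, not part of the original post or the chart, that flags this in a security config.yml before it is mounted. The line-based walker and the sample input are assumptions of this example, and the walker handles only nested mappings with scalar values.

```python
import re

# Constructed sample input, using only keys that appear in the post above.
SAMPLE_CONFIG = """\
config:
  dynamic:
    authc:
      ldap:
        http_enabled: true
        order: 1
        authentication_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            verify_hostnames: false
"""

def flatten(text):
    """Map dotted key paths to scalar values. Minimal walker (assumption of
    this example, not a YAML parser): nested mappings only, lists skipped."""
    paths, stack = {}, []                      # stack holds (indent, key)
    for line in text.splitlines():
        m = re.match(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:
            continue                           # comments, list items, blanks
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).split(" #")[0].strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()                        # leave deeper or sibling keys
        stack.append((indent, key))
        if value:
            paths[".".join(k for _, k in stack)] = value
    return paths

def lint_ldap(text):
    """Return (auth domain, finding) for every LDAP authentication backend."""
    flat, findings = flatten(text), []
    for path, value in flat.items():
        if not (path.endswith("authentication_backend.type") and value == "ldap"):
            continue
        base = path[: -len("type")] + "config."
        domain = path.split(".")[-3]           # key above authentication_backend
        tls = any(flat.get(base + k, "false").lower() == "true"
                  for k in ("enable_ssl", "enable_start_tls"))
        if not tls:
            findings.append((domain, "plaintext LDAP: credentials sent unencrypted"))
        elif flat.get(base + "verify_hostnames", "").lower() == "false":
            findings.append((domain, "TLS on but verify_hostnames is false"))
    return findings
```
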

prudhvigodithi commented 1 year ago

[Triage] Hey @benbenai7786, I assume you followed the examples from https://github.com/opensearch-project/security/tree/main/config, @peternied can you please take a look and see what is the missing config to connect to LDAP? Thank you

peternied commented 1 year ago

@benbenai7786 For security configuration issues, try searching for related issues in our forum or creating a new thread for support: https://forum.opensearch.org/c/security/3