LDAP Authentication in Search with OpenSearch

Learn how to use an LDAP provider with OCI Search with OpenSearch.

You can use a Lightweight Directory Access Protocol (LDAP) identity provider to authenticate and authorize users for controlling access to OpenSearch clusters and OpenSearch Dashboards. Search with OpenSearch supports LDAP v1 and LDAP v2.

Prerequisites

  • An LDAP provider.
  • An existing OpenSearch cluster. If the cluster was created using the CLI or API, you must also enable role-based access control for the cluster, with the security mode set to enforcing.
  • The subnet where the cluster is located is configured with an egress rule to allow network traffic to the subnet where the LDAP server is located.
  • The password for the Security plugin stored as a Vault secret. For more information, see Managing Vaults and Managing Secrets. You must also configure a policy that allows the OpenSearch cluster to read the Vault secret that holds the password, as in the following policy example:
    ALLOW ANY-USER TO use secret-family IN TENANCY WHERE ALL
     {request.principal.type='opensearchcluster', request.resource.compartment.id = '<customer_cluster_compartment_id>', target.secret.id = '<target-secret-ocid>'}

Getting the Nat IP Address for the LDAP Server

To configure the LDAP provider for the cluster, you need the Nat IP address that the cluster uses to connect to the LDAP server. To get this address, add an external endpoint to the cluster: you specify the IP address of the LDAP server when you add the endpoint, and Search with OpenSearch returns the Nat IP.

  1. Open the navigation menu and click Databases. Under OpenSearch, click Clusters.
  2. In the Clusters list, click the name of the cluster you want to configure LDAP for.
  3. On the cluster details page, click More actions, and then select Add external endpoints.
  4. Enter the IP address for the LDAP server and click Submit.
  5. In the Resources section, click External endpoints.
  6. Copy the value in the Nat IP column for the external endpoint you added. This is the address you specify in the hosts attribute of the LDAP provider configuration for the cluster.

Configure the LDAP Provider

Use the OpenSearch Security plugin's Configuration API to configure the LDAP provider. See Connection settings for the LDAP configuration format.

Specify the Nat IP address copied in the previous section for the hosts attribute in the configuration.

The following example updates the configuration to support LDAP:

PUT {<cluster_endpoint>}/_plugins/_security/api/securityconfig/config
{
  "dynamic": {
    "security_mode": "ENFORCING",
    "http": {
      "anonymous_auth_enabled": false,
      "xff": {
        "enabled": false
      }
    },
    "authc": {
      "basic_internal_auth_domain": {
        "description": "Authenticate via HTTP Basic against internal users database",
        "http_enabled": true,
        "transport_enabled": true,
        "order": 1,
        "http_authenticator": {
          "type": "basic",
          "challenge": true
        },
        "authentication_backend": {
          "type": "intern"
        }
      },
      "openid_auth_domain": {
        "description": "Authenticate using OpenId connect",
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "type": "openid",
          "challenge": false,
          "config": {
            "subject_key": "sub",
            "roles_key": "userAppRoles",
            "openid_connect_url": "<openid_url>"
          }
        },
        "authentication_backend": {
          "type": "noop"
        }
      },
      "ldap_auth_domain": {
        "order": 1,
        "description": "LDAP provider",
        "http_enabled": true,
        "transport_enabled": true,
        "http_authenticator": {
          "type": "basic",
          "challenge": true
        },
        "authentication_backend": {
          "type": "ldap",
          "config": {
            "hosts": ["<NAT_IPs>:389"],
            "bind_dn": "cn=admin,dc=example,dc=org",
            "passwordSercetLocation": {
              "secreteOcid": "ocid1.secret.oc1.iad.<unique_ID>",
              "secretVersion": <secret_version>
            },
            "usersearch": "(uid={0})",
            "userbase": "ou=people,dc=example,dc=org",
            "username_attribute": "uid",
            "rolebase": "ou=groups,dc=example,dc=org",
            "rolesearch": "(memberUid={1})",
            "rolename": "cn"
          }
        }
      }
    },
    "authz": {
      "ldap": {
        "http_enabled": true,
        "transport_enabled": true,
        "authorization_backend": {
          "type": "ldap",
          "config": {
            "hosts": ["<NAT_IPs>:389"],
            "bind_dn": "cn=admin,dc=example,dc=org",
            "passwordSercetLocation": {
              "secreteOcid": "ocid1.secret.oc1.iad.<unique_ID>",
              "secretVersion": <secret_version>
            },
            "usersearch": "(uid={0})",
            "userbase": "ou=people,dc=example,dc=org",
            "username_attribute": "uid",
            "rolebase": "ou=groups,dc=example,dc=org",
            "rolesearch": "(memberUid={1})",
            "rolename": "cn"
          }
        }
      }
    }
  }
}
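As an added example (not OCI's or OpenSearch's own code), the script below builds the LDAP backend block from the values this page walks through, checks the fields that most often go wrong before anything is sent (a leftover <NAT_IPs> placeholder in hosts, a search filter missing its {0}/{1} substitution, a secret OCID that is not one), and PUTs the full payload with urllib. The cluster endpoint, the admin credentials used for HTTP Basic auth and the sample OCID are assumptions.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Added example, not OCI's or OpenSearch's code: builds the LDAP backend block
# from the values this page walks through, checks it, and PUTs the payload.
# Cluster endpoint, admin credentials and OCIDs are constructed placeholders.

def ldap_backend(nat_ip, bind_dn, secret_ocid, secret_version,
                 userbase="ou=people,dc=example,dc=org",
                 rolebase="ou=groups,dc=example,dc=org"):
    """LDAP backend block; the same dict serves the authc and authz sections."""
    return {
        "hosts": [f"{nat_ip}:389"],
        "bind_dn": bind_dn,
        "passwordSercetLocation": {          # keys spelled as on this page
            "secreteOcid": secret_ocid,
            "secretVersion": secret_version},
        "usersearch": "(uid={0})",           # {0}: the login name
        "userbase": userbase,
        "username_attribute": "uid",
        "rolebase": rolebase,
        "rolesearch": "(memberUid={1})",     # {1}: the username attribute
        "rolename": "cn"}

def check_ldap_backend(cfg):
    """Return the problems found; an empty list means the block is consistent."""
    problems = []
    if not all(re.fullmatch(r"[\d.]+:\d+", h) for h in cfg["hosts"]):
        problems.append("hosts: every entry must be <Nat IP>:<port>")
    if "{0}" not in cfg["usersearch"]:
        problems.append("usersearch: missing the {0} login-name placeholder")
    if not any(p in cfg["rolesearch"] for p in ("{0}", "{1}", "{2}")):
        problems.append("rolesearch: missing a {0}/{1}/{2} placeholder")
    if not cfg["passwordSercetLocation"]["secreteOcid"].startswith("ocid1.secret."):
        problems.append("secreteOcid: not a Vault secret OCID")
    return problems

def put_security_config(endpoint, user, password, config):
    """Send the full securityconfig payload with HTTP Basic admin credentials."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{endpoint}/_plugins/_security/api/securityconfig/config",
        data=json.dumps(config).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Run check_ldap_backend on the dict before placing it under both authentication_backend.config and authorization_backend.config in the payload above; a non-empty list means the cluster would accept a configuration that cannot bind or resolve roles.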