
Prevent boot if bind DN is set without password#118366

Merged
elasticsearchmachine merged 15 commits intoelastic:mainfrom
n1v0lg:ldap-fail-bind-dn-without-password
Dec 18, 2024

Conversation

@n1v0lg (Contributor) commented Dec 10, 2024

LDAP/AD authentication realms can be configured to authenticate through LDAP via a bind user. For this it's necessary to set a bind DN (via `bind_dn`) together with a bind password (via `bind_password` or `secure_bind_password`). Setting a bind DN without a bind password will cause all LDAP/AD realm authentication to fail, leaving the node non-operational. This PR adds a bootstrap check to prevent a misconfigured node from starting. This behavior was deprecated in #85326.

Closes: ES-9749
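The rule the PR turns into a bootstrap check, as an added, stand-alone illustration (this is not Elasticsearch code and does not use its APIs): a realm of type `ldap` or `active_directory` that sets `bind_dn` but has neither `bind_password` in `elasticsearch.yml` nor `secure_bind_password` in the keystore can never bind, so the check reports it before the node starts. The setting-key layout `xpack.security.authc.realms.<type>.<name>.<setting>` follows the documented realm settings; the flattened dict, the keystore key set, the function names and the sample realms are constructed for this example.

```python
"""Constructed illustration of the bootstrap check described in this PR.

Not Elasticsearch code: a stand-alone re-implementation of the rule
"a bind DN without a bind password fails the check", run over a flattened
view of elasticsearch.yml plus the key names present in the keystore.
Setting key names follow the documented realm settings; all values below
are constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Realm settings live under xpack.security.authc.realms.<type>.<name>.<setting>
_REALM_KEY = re.compile(
    r"^xpack\.security\.authc\.realms\.(ldap|active_directory)\.([^.]+)\.(.+)$"
)


def _realm_settings(yml_settings: Dict[str, object],
                    keystore_keys: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group LDAP/AD realm settings by (type, name) -> {setting: value}.

    Keystore entries have no readable value here; they are recorded as True
    so the check can see that the secure setting is present.
    """
    realms: Dict[Tuple[str, str], Dict[str, object]] = {}
    for key, value in yml_settings.items():
        m = _REALM_KEY.match(key)
        if m:
            realms.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = value
    for key in keystore_keys:
        m = _REALM_KEY.match(key)
        if m:
            realms.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = True
    return realms


def bind_dn_without_password(yml_settings: Dict[str, object],
                             keystore_keys: Iterable[str] = ()) -> List[str]:
    """Return realm identifiers ("type.name") that set bind_dn but no password.

    A bind_dn with neither bind_password nor secure_bind_password means the
    realm can never bind, so every authentication through it fails; the PR
    turns this from a deprecation warning into a startup failure.
    """
    failing = []
    for (rtype, name), settings in sorted(_realm_settings(yml_settings, keystore_keys).items()):
        has_dn = bool(settings.get("bind_dn"))
        has_password = bool(settings.get("bind_password")) or bool(settings.get("secure_bind_password"))
        if has_dn and not has_password:
            failing.append(f"{rtype}.{name}")
    return failing


def bootstrap_check(yml_settings: Dict[str, object],
                    keystore_keys: Iterable[str] = ()) -> Optional[str]:
    """Mimic a bootstrap check result: None when it passes, else the failure message."""
    failing = bind_dn_without_password(yml_settings, keystore_keys)
    if not failing:
        return None
    return (
        "Bind DN is configured without a bind password for realm(s) "
        + ", ".join(failing)
        + "; set bind_password or secure_bind_password"
    )


# Constructed sample configuration: three realms, only one misconfigured.
SAMPLE_YML = {
    "xpack.security.authc.realms.ldap.ldap1.order": 1,
    "xpack.security.authc.realms.ldap.ldap1.url": "ldaps://ldap.example.com:636",
    "xpack.security.authc.realms.ldap.ldap1.bind_dn": "cn=es-bind,ou=svc,dc=example,dc=com",
    # no bind password anywhere for ldap1 -> must fail the check
    "xpack.security.authc.realms.ldap.ldap2.order": 2,
    "xpack.security.authc.realms.ldap.ldap2.bind_dn": "cn=es-bind2,ou=svc,dc=example,dc=com",
    # ldap2 gets its password from the keystore (see SAMPLE_KEYSTORE_KEYS)
    "xpack.security.authc.realms.active_directory.ad1.order": 3,
    "xpack.security.authc.realms.active_directory.ad1.domain_name": "example.com",
    # ad1 uses no bind user at all, which is a valid configuration
}
SAMPLE_KEYSTORE_KEYS = {
    "xpack.security.authc.realms.ldap.ldap2.secure_bind_password",
}

if __name__ == "__main__":
    print(bootstrap_check(SAMPLE_YML, SAMPLE_KEYSTORE_KEYS))
```

Run against the sample data, only `ldap.ldap1` is reported: `ldap2` satisfies the check through the keystore entry alone, and `ad1` is fine because a realm with no `bind_dn` is not required to carry a password.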

@n1v0lg n1v0lg added >breaking :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v9.0.0 labels Dec 10, 2024
@n1v0lg n1v0lg self-assigned this Dec 10, 2024
@elasticsearchmachine (Collaborator):

Hi @n1v0lg, I've created a changelog YAML for you. Note that since this PR is labelled >breaking, you need to update the changelog YAML to fill out the extended information sections.

@n1v0lg n1v0lg marked this pull request as ready for review December 16, 2024 10:55
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Dec 16, 2024
@elasticsearchmachine (Collaborator):

Pinging @elastic/es-security (Team:Security)

@slobodanadamovic slobodanadamovic self-requested a review December 16, 2024 16:48
@slobodanadamovic (Contributor) left a comment

LGTM 👍

Left suggestions regarding changelog file, none of which should require another review.

impact: -|
If you have a bind DN configured for an LDAP or AD authentication
realm, set a bind password for
[LDAP](https://www.elastic.co/guide/en/elasticsearch/reference/current/ldap-realm.html#ldap-realm-configuration)
Contributor:

If I'm not mistaken, instead of absolute URLs, I think we should make these links relative and leverage the {ref} variable. Meaning, we should replace them with:

  • {ref}/ldap-realm.html#ldap-realm-configuration[LDAP]
  • {ref}/active-directory-realm.html#ad-realm-configuration[Active Directory]
@n1v0lg (Contributor, Author) Dec 17, 2024:

Nice, if that works, absolutely -- changelogs are YAML as opposed to asciidoc though, so I'm not positive the same rules apply. I asked in the ES docs channel -- let's see!

@n1v0lg n1v0lg added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Dec 17, 2024
@elasticsearchmachine elasticsearchmachine merged commit 47d5e87 into elastic:main Dec 18, 2024
@n1v0lg n1v0lg deleted the ldap-fail-bind-dn-without-password branch December 18, 2024 12:18
rjernst pushed a commit to rjernst/elasticsearch that referenced this pull request Dec 18, 2024
@leemthompo (Contributor):

@n1v0lg is this PR relevant to the serverless changelog? [FYI this question is based on 9.0 breaking changes]
