From c4e013c99b371243c1b78caddae23ad84a3928f3 Mon Sep 17 00:00:00 2001 From: Chris White Date: Sat, 10 May 2025 14:01:16 -0700 Subject: [PATCH] Added documentation for secure LDAP settings See associated PR for implementation: https://github.com/opensearch-project/security/pull/5323 Signed-off-by: Chris White --- _security/authentication-backends/ldap.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/_security/authentication-backends/ldap.md b/_security/authentication-backends/ldap.md index e0636f293cb..1634a00befc 100755 --- a/_security/authentication-backends/ldap.md +++ b/_security/authentication-backends/ldap.md @@ -137,9 +137,16 @@ To configure the `bind_dn` and `password` that the Security plugin uses when iss ```yml config: bind_dn: cn=admin,dc=example,dc=com + # Deprecated - use password_secure in the keystore instead password: password ``` +For increased security, you should use the opensearch keystore and add a corresponding entry for your authn / authz setting via the `password_secure` property: + +```bash +./bin/opensearch-keystore add authc.ldap.authentication_backend.config.pasword_secure +``` + If your server supports anonymous authentication, both `bind_dn` and `password` can be set to `null`. @@ -211,6 +218,7 @@ If you use TLS client authentication, the Security plugin sends the PEM certific ```yml config: pemkey_filepath: /full/path/to/private.key.pem + # Deprecated - use pemkey_password_secure in the keystore instead pemkey_password: private_key_password pemcert_filepath: /full/path/to/certificate.pem ``` 
@@ -240,7 +248,8 @@ Name | Description :--- | :--- `pemkey_filepath` | Absolute path to the file containing the private key of your certificate. `pemkey_content` | The content of the private key of your certificate. Cannot be used when `pemkey_filepath` is set. -`pemkey_password` | The password of your private key, if any. +`pemkey_password` | The password of your private key, if any (**deprecated** - use `pemkey_password_secure` instead). +`pemkey_password_secure` | The password of your private key, if any (stored in the secure keystore). `pemcert_filepath` | Absolute path to the client certificate. `pemcert_content` | The content of the client certificate. Cannot be used when `pemcert_filepath` is set.
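Review bot: The keystore command in the first hunk (`ldap.md @@ -137`) misspells the setting: the prose says `password_secure` but the command adds `authc.ldap.authentication_backend.config.pasword_secure`, which a reader will copy verbatim and then wonder why the bind still falls back to the deprecated `password`. Change it to `./bin/opensearch-keystore add authc.ldap.authentication_backend.config.password_secure`, capitalize "opensearch keystore" as "OpenSearch keystore" to match the product name, and state whether the `ldap` segment of the key is a fixed literal or the name of the authentication domain from `config.yml`, since the sentence "your authn / authz setting" implies the key varies per domain but the example does not show how.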
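Review bot: The second hunk (`ldap.md @@ -211`) marks `pemkey_password` deprecated and points to `pemkey_password_secure`, but unlike the bind-password hunk it gives no `opensearch-keystore add` example and no keystore key for the private-key password, so the reader has nowhere to learn what entry name to add. Add the matching command (or a sentence giving the key) next to the TLS client authentication snippet so both deprecations document the same migration path.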
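Review bot: The third hunk (`ldap.md @@ -240`) adds a `pemkey_password_secure` row to the TLS settings table, but no hunk in this patch adds a corresponding `password_secure` row for the bind password, even though the first hunk introduces that setting; if the bind settings are tabulated elsewhere in the file, add the matching row there (and mark `password` deprecated in the same style) so the two halves of the change stay consistent. Minor: the new `pemkey_password` description uses " - " as a separator; the rest of the table uses full sentences, so "(**deprecated**; use `pemkey_password_secure` instead)" reads more consistently.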