AD ldap authz : nested AD group supported?

LGR · December 8, 2022, 3:33pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 1.3.2
Dashboard 1.3.2
Linux RH8
Browser: chrome or edge

Describe the issue:
i can authenticate but i cannot be mapped to my role if my account is not directly a member of the AD mapped group (backend) => means if my account is linked to the AD mapped group via a subgroup

account “pipo”
direct member of : opensearch-admin-group => works

account “pipo”
member of random-subgroup which is a member of opensearch-admin-group => don’t work

Configuration:
authz
“rolebase” : “ou=xxx,dc=yyy,dc=zz”,
“rolesearch” : “(Member={0})”,
“userrolename” : “disabled”,
“rolename” : “cn”,
“resolve_nested_roles” : true,
“userbase” : “ou=xx,dc=yy,dc=zz”,
“usersearch” : “(sAMAccountName={0})”

Relevant Logs or Screenshots:

Am i missing something in the config or it’s just not supported yet?

Regards

pablo · December 8, 2022, 4:13pm

@LGR Just to clarify.
The acount name is “pipo”.

Scenario 1
Account is mapped to “opensearch-admin-group”
The group DN is: “cn=opensearch-admin-group,ou=xxx,dc=yyy,dc=zz”

Scenario 2
Account is mapped to “random-subgroup”
The group DN is “cn=random-subgroup,cn=opensearch-admin-group,ou=xxx,dc=yyy,dc=zz”

rolebase: “ou=xxx,dc=yyy,dc=zz”

Do you state that in Scenario 2 role mapping doesn’t work?

LGR · December 13, 2022, 6:04am

Hi Pablo,
i will clarify.

opensearch “admin” role mapped to backen AD group “opensearch-admin-group”

structure of the AD group

opensearch-admin-group

user X

user y

random-subgroup

so
if “pipo” is like “user x” or “user y”, a direct member of the AD group “opensearch-admin-group”, the authz (the mapping) will works.
if “pipo” is not a direct member but should be member because he’s a member of the “random-subgroup”, it doesn’t works.

opensearch-admin-group DN is “cn=opensearch-admin-group,ou=big-groups,ou=xxx,dc=yyy,dc=zz”

random-subgroup DN is “cn=random-subgroup,ou=nested-groups,ou=xxx,dc=yyy,dc=zz”

the “rolebase” is “ou=xxx,dc=yyy,dc=zz”

Regards

pablo · December 13, 2022, 11:34am

@LGR Could you share your config.yml?

LGR · December 13, 2022, 1:34pm

@pablo as requested

{
“config” : {
“dynamic” : {
“filtered_alias_mode” : “warn”,
“disable_rest_auth” : false,
“disable_intertransport_auth” : false,
“respect_request_indices_options” : false,
“kibana” : {
“multitenancy_enabled” : true,
“server_username” : “kibanaserver”,
“index” : “.kibana”
},
“http” : {
“anonymous_auth_enabled” : false,
“xff” : {
“enabled” : false,
“internalProxies” : “”“192.168.0.10|192.168.0.11"”",
“remoteIpHeader” : “X-Forwarded-For”
}
},
“authc” : {
“jwt_auth_domain” : {
“http_enabled” : false,
“transport_enabled” : false,
“order” : 0,
“http_authenticator” : {
“challenge” : false,
“type” : “jwt”,
“config” : {
“signing_key” : “base64 encoded HMAC key or public RSA/ECDSA pem key”,
“jwt_header” : “Authorization”
}
},
“authentication_backend” : {
“type” : “noop”,
“config” : { }
},
“description” : “Authenticate via Json Web Token”
},
“ldap” : {
“http_enabled” : true,
“transport_enabled” : true,
“order” : 1,
“http_authenticator” : {
“challenge” : false,
“type” : “basic”,
“config” : { }
},
“authentication_backend” : {
“type” : “ldap”,
“config” : {
“enable_ssl” : false,
“enable_start_tls” : false,
“enable_ssl_client_auth” : false,
“verify_hostnames” : true,
“hosts” : [
“domaincontroler.yyy.zz:389”
],
“bind_dn” : “CN=user2bind,OU=Generic,OU=Accounts,OU=CM-MC,OU=xxx,DC=yyy,DC=zz”,
“password” : “password2bind”,
“userbase” : “ou=xxx,dc=yyy,dc=zz”,
“usersearch” : “(sAMAccountName={0})”,
“username_attribute” : “sAMAccountName”
}
},
“description” : “Authenticate via LDAP or Active Directory”
},
“basic_internal_auth_domain” : {
“http_enabled” : true,
“transport_enabled” : true,
“order” : 4,
“http_authenticator” : {
“challenge” : true,
“type” : “basic”,
“config” : { }
},
“authentication_backend” : {
“type” : “intern”,
“config” : { }
},
“description” : “Authenticate via HTTP Basic against internal users database”
},
“proxy_auth_domain” : {
“http_enabled” : false,
“transport_enabled” : false,
“order” : 3,
“http_authenticator” : {
“challenge” : false,
“type” : “proxy”,
“config” : {
“user_header” : “x-proxy-user”,
“roles_header” : “x-proxy-roles”
}
},
“authentication_backend” : {
“type” : “noop”,
“config” : { }
},
“description” : “Authenticate via proxy”
},
“clientcert_auth_domain” : {
“http_enabled” : false,
“transport_enabled” : false,
“order” : 2,
“http_authenticator” : {
“challenge” : false,
“type” : “clientcert”,
“config” : {
“username_attribute” : “cn”
}
},
“authentication_backend” : {
“type” : “noop”,
“config” : { }
},
“description” : “Authenticate via SSL client certificates”
},
“kerberos_auth_domain” : {
“http_enabled” : true,
“transport_enabled” : true,
“order” : 6,
“http_authenticator” : {
“challenge” : true,
“type” : “kerberos”,
“config” : {
“krb_debug” : false,
“strip_realm_from_principal” : true
}
},
“authentication_backend” : {
“type” : “noop”,
“config” : { }
}
}
},
“authz” : {
“roles_from_another_ldap” : {
“http_enabled” : false,
“transport_enabled” : false,
“authorization_backend” : {
“type” : “ldap”,
“config” : { }
},
“description” : “Authorize via another Active Directory”
},
“roles_from_myldap” : {
“http_enabled” : true,
“transport_enabled” : true,
“authorization_backend” : {
“type” : “ldap”,
“config” : {
“enable_ssl” : false,
“enable_start_tls” : false,
“enable_ssl_client_auth” : false,
“verify_hostnames” : true,
“hosts” : [
“domaincontroler.yyy.zz:389”
],
“bind_dn” : “CN=user2bind,OU=Generic,OU=Accounts,OU=CM-MC,OU=xxx,DC=yyy,DC=zz”,
“password” : “password2bind”,
“rolebase” : “ou=xxx,dc=yyy,dc=zz”,
“rolesearch” : “(Member={0})”,
“userrolename” : “disabled”,
“rolename” : “cn”,
“resolve_nested_roles” : true,
“userbase” : “ou=xxx,dc=yyy,dc=zz”,
“usersearch” : “(sAMAccountName={0})”
}
},
“description” : “Authorize via LDAP or Active Directory”
}
},
“auth_failure_listeners” : { },
“do_not_fail_on_forbidden” : false,
“multi_rolespan_enabled” : true,
“hosts_resolver_mode” : “ip-only”,
“do_not_fail_on_forbidden_empty” : false
}
}
}

pablo · December 13, 2022, 2:59pm

@LGR How do you map the backend role in roles_mappings.yaml? Did you use opensearch-admin-group or random-subgroup?

Could you share roles_mapping.yml file?

pablo · December 13, 2022, 3:53pm

@LGR Take a look at my repro.

These are two OUs as per your description.

My rolebase is set to:

rolebase: "OU=OUTest,dc=pablo,dc=local"

big-groups OU contains:

and nested-groups OU

When I log in with userx user to OpenSearch Dashboards I get the following mapping.

When I log in with pipo user I get:

I mapped opensearch-admin-group as backend role to all_access

Please let me know if this repro corresponds with your scenario.

LGR · December 13, 2022, 4:39pm

opensearch-admin-group

LGR · December 13, 2022, 4:57pm

more something like

in the OU Nested-groups we have a Random-group containing “pipo”

and in the Big-groups OU we have

The rolebase, userbase are set to OUTest.
The AD users are not to be found in the same OU as the groups but they are in OU’s located underneath OUTest

the rolesmapping :

"all_access" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [
      "RCWR_AWSOpenSearch_Admin"
    ],
    "description" : "Maps admin to all_access"
  },

already thanks for your support

pablo · December 13, 2022, 6:51pm

@LGR I’ve recreated your groups and I got the same issue when I started testing. However, when you use LDAP authentication and you make frequent changes in groups, you need to clear the cache of the security plugin to see the effects instantly.

or you can use an API call

This cache is cleared automatically every 15 minutes, but you can do it on demand. Once I’ve cleared the cache both groups appeared under Backend roles.

LGR · December 14, 2022, 10:03am

Thanks for the answer.
I wasn’t aware of the “purge cache” button.

But unfortunately, it doesn’t help in my case.
what kind of groups in AD are you using? I mean the Group scope (Group type should be “Security”)

regards

pablo · December 14, 2022, 11:57am

@LGR As per my prevoius screenshots I use Security Group with Global scope.

I’ve just reproduced yoru issues. My pipo user had another group assigned Domain Users.
After pipo user creation the assigned group and Primary Group was Domain Users.

After adding random-subgroup the Primary Group remained Domain Users.

The security plugin could see random-subgroup and opensearch-admin-group assigned.

However, once I set the random-subgroup as Primary Group

I’ve got the following output in the OpenSearch Dashboards.

LGR · December 14, 2022, 2:49pm

Hi pablo,

tks for your support.
it points me in the right direction.

on the “test” deployment, the nested_role_filter" : “*” was defined => indeed cannot works

on the production one, the “rolebase” was set too low in the AD tree so groups outside of this were not taken into account.

Thanks for your time

Solved => to remember : pay attention to the ldap query limit set with the “rolebase”. sub-groups outside this limit will not be taken into account

Topic		Replies	Views
Mapping AD groups, contains other groups, to roles OpenSearch configure	0	270	February 25, 2023
LDAP - Hide unmapped backend roles Security	7	489	November 25, 2023
LDAP backend roles (Authz) not working Security troubleshoot	10	537	April 18, 2023
LDAP "User Authenticated" but no OpenDashboards acess Security	3	280	September 21, 2022
Debugging LDAP authorization configuration Security	12	438	December 13, 2023

AD ldap authz : nested AD group supported?

Related Topics