Authc in AD domain "prod" and Authz in AD domain "dev"

Hi everybody,

I want to authc in a prod domain but authz in another domain (there’s a “trust” between the domains).

Authc and authz work flawlessly if I use the same domain for both configs.

Do I have to use this

    roles_from_another_ldap:
      description: "Authorize via another Active Directory"

in place of

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"

@LGR roles_from_myldap and roles_from_another_ldap are just labels.
You don’t need to configure a second authz domain.

If you configure two authz domains then the authorization process will be executed in the order they’re configured in the authz section. This is a logical OR operation, so the first hit will stop the process.
If the authz match is found in the first domain then the second one won’t be checked.

@pablo

thanks for the reply.

I meant something like this:

    authc:
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            hosts:
            - prod.com:389
            bind_dn: CN=someone,DC=prod,DC=com
            password: apassword
            userbase: 'ou=users,dc=prod,dc=com'
            usersearch: '(userPrincipalName={0})'
            username_attribute: userPrincipalName
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            hosts:
            - dev.com:389
            bind_dn: CN=someone,DC=dev,DC=com
            password: apassword
            rolebase: 'OU=Groups,DC=dev,DC=com'
            rolesearch: '(Member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: "ou=users,dc=prod,dc=com"
            usersearch: '(userPrincipalName={0})'

So it’s supposed to work if the bind account in the authz section can access the “prod” domain to “search” for the users.

Am I right?

Thanks in advance for your time.

@LGR That should work. Did you test that already?

Working on it… I’ll let you know if it works.

We have tried several things but without success.

Our last try was to use ‘ObjectSid’, because when you add a “trusted” user account this is what will be used to determine against which domain the credential has to be checked.

    authc:
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            hosts:
            - prod.com:389
            bind_dn: CN=someone,DC=prod,DC=com
            password: apassword
            userbase: 'ou=users,dc=prod,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            hosts:
            - dev.com:389
            bind_dn: CN=someone,DC=dev,DC=com
            password: apassword
            rolebase: 'OU=Groups,DC=dev,DC=com'
            rolesearch: '(Member={2})'
            userroleattribute: ObjectSid
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: "CN=ForeignSecurityPrincipals,DC=dev,DC=com"
            usersearch: '(ObjectSid={0})'

Still no clue so far:
[ERROR][o.o.s.a.BackendRegistry ] [hostname] Cannot retrieve roles for User [name=aUser@prod.com, backend_roles=, requestedTenant=null]
from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found]];
nested: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found] at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:945) ~[opensearch-security-1.3.2.0.jar:1.3.2.0]

I have to mention that we’re still running OpenSearch 1.3.2.

regards
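An added illustration (constructed for this thread, not code from the post or from the OpenSearch Security plugin) of the two-step authorization lookup the log above reflects: the backend first locates the user below `userbase` with `usersearch`, then runs `rolesearch` against `rolebase`, with placeholders filled as the plugin documents them ({0} the user DN, {1} the login name, {2} the value of `userroleattribute`; in `usersearch`, {0} is the login name). The in-memory directory, the SID, the DNs and the group names are all made up, and a DC is modelled as answering only for its own naming context (a real DC returns a referral for a base in another forest), which is why a dev host asked to search a prod `userbase` finds nothing.

```python
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, List[str]]]

# Constructed sample data: one user in prod, its foreign security principal
# (FSP) in dev, and two dev groups. None of this comes from the thread.
AUSER_SID = "S-1-5-21-1111-2222-3333-1105"
PROD_USER_DN = "CN=aUser,OU=users,DC=prod,DC=com"
FSP_DN = f"CN={AUSER_SID},CN=ForeignSecurityPrincipals,DC=dev,DC=com"

DIRECTORY: Dict[str, Attrs] = {
    PROD_USER_DN: {"samaccountname": "aUser",
                   "userprincipalname": "aUser@prod.com",
                   "objectsid": AUSER_SID},
    FSP_DN: {"objectclass": "foreignSecurityPrincipal", "objectsid": AUSER_SID},
    # AD stores group membership as DNs; for a trusted user that is the FSP DN.
    "CN=admins,OU=Groups,DC=dev,DC=com": {"cn": "admins", "member": [FSP_DN]},
    "CN=localonly,OU=Groups,DC=dev,DC=com": {
        "cn": "localonly", "member": ["CN=bob,OU=users,DC=dev,DC=com"]},
}

# Each (hypothetical) host serves only its own naming context.
NAMING_CONTEXT = {"prod.com": "dc=prod,dc=com", "dev.com": "dc=dev,dc=com"}


def search(host: str, base: str, filt: str) -> List[str]:
    """Single equality filter "(attr=value)" below base, answered by host."""
    attr, _, value = filt.strip("()").partition("=")
    attr, base = attr.lower(), base.lower()
    if not base.endswith(NAMING_CONTEXT[host]):
        return []  # foreign naming context: nothing is returned here
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base):
            continue
        stored = attrs.get(attr, [])
        stored = stored if isinstance(stored, list) else [stored]
        if any(s.lower() == value.lower() for s in stored):
            hits.append(dn)
    return hits


def substitute(template: str, user_dn: str, login: str, attr_value: str) -> str:
    """rolesearch placeholders: {0} user DN, {1} login name, {2} userroleattribute."""
    return (template.replace("{0}", user_dn)
                    .replace("{1}", login)
                    .replace("{2}", attr_value))


def fetch_roles(cfg: dict, login: str) -> List[str]:
    """Two-step authz: find the user entry, then the groups naming it."""
    host = cfg["hosts"][0].split(":")[0]
    users = search(host, cfg["userbase"], cfg["usersearch"].replace("{0}", login))
    if not users:
        raise LookupError(f"No user '{login}' found")  # same shape as the log line
    user_dn = users[0]
    attr_value = ""
    if cfg.get("userroleattribute"):
        v = DIRECTORY[user_dn].get(cfg["userroleattribute"].lower(), "")
        attr_value = v if isinstance(v, str) else v[0]
    role_filter = substitute(cfg["rolesearch"], user_dn, login, attr_value)
    matches = search(host, cfg["rolebase"], role_filter)
    return sorted(DIRECTORY[dn][cfg["rolename"]] for dn in matches)


def lookup_outcome(cfg: dict, login: str) -> Union[List[str], str]:
    """Roles on success, the error text on failure (keeps the demo assert-friendly)."""
    try:
        return fetch_roles(cfg, login)
    except LookupError as exc:
        return str(exc)


# Shape of the thread's first attempt: a dev host told to search a prod userbase.
CROSS_BASE = {"hosts": ["dev.com:389"], "userbase": "ou=users,dc=prod,dc=com",
              "usersearch": "(userPrincipalName={0})",
              "rolebase": "OU=Groups,DC=dev,DC=com",
              "rolesearch": "(member={0})", "rolename": "cn"}

# Shape of the second attempt: FSP container keyed by objectSid, SID in rolesearch.
FSP_SID_IN_MEMBER = {"hosts": ["dev.com:389"],
                     "userbase": "CN=ForeignSecurityPrincipals,DC=dev,DC=com",
                     "usersearch": "(objectSid={0})", "userroleattribute": "ObjectSid",
                     "rolebase": "OU=Groups,DC=dev,DC=com",
                     "rolesearch": "(Member={2})", "rolename": "cn"}

# Same user lookup, but rolesearch uses the FSP DN, which is what `member` holds.
FSP_DN_IN_MEMBER = dict(FSP_SID_IN_MEMBER, rolesearch="(member={0})")

if __name__ == "__main__":
    print(lookup_outcome(CROSS_BASE, "aUser@prod.com"))      # No user ... found
    print(lookup_outcome(FSP_SID_IN_MEMBER, "aUser"))        # login name is not a SID
    print(lookup_outcome(FSP_SID_IN_MEMBER, AUSER_SID))      # [] : member holds DNs
    print(lookup_outcome(FSP_DN_IN_MEMBER, AUSER_SID))       # ['admins']
```

The four outcomes separate the three things that have to line up: the host must own the naming context it is asked to search, the value substituted into `usersearch` must be the attribute the entry is actually keyed by (the plugin substitutes the login name, not a SID, so an `(ObjectSid={0})` search only succeeds if a SID is what arrives as the username), and `rolesearch` must compare `member` against a DN rather than against a SID.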

@LGR Have you tried to use the ldapsearch tool to verify the binding and search OU?

Is user “someone” directly under prod.dc?

Yes, about “someone”: I have a bind account for Prod and a bind account for Dev.
My perception is that, no matter what, OpenSearch is looking for the user DN in the domain mentioned in the authz.

I will do a few tests with an ldapsearch-like tool.

Thanks for your time.

Edit: to be complete => we have 1 forest/1 domain trusting 1 forest/1 domain

  • external trust
  • domain-wide authentication

@LGR Have you tried to use userrolename instead of rolesearch?

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        authorization_backend:
          type: ldap
          config:
            hosts:
            - prod.com:389
            bind_dn: CN=someone,DC=prod,DC=com
            password: password

            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: true

            userbase: 'ou=users,dc=prod,dc=com'
            usersearch: '(sAMAccountName={0})'

I’ll try to test your approach with different ADs and configured trust.

I’ll try it (today probably) and let you know if it helps or not.

regards

If authc happens in dc=prod,dc=com and authz happens in dc=dev,dc=com => it doesn’t work.

Something with the trust. Maybe it’s simply not supported…

regards

FYI

Last week I got in contact with AWS (Specialist Solutions Architect - Analytics, Amazon Web Services) about this. The question about “trust” and one AD to authenticate / another one to authorize will be asked to the security team.

Waiting for news.

cya