Hi everyboy,
i want to Authc in a prod domain but Authz in another domain (there’s a “trust” between the domains)
Authc and Authz works flawlessly if i use the same domain for both config.
Does i have to use this
roles_from_another_ldap:
description: “Authorize via another Active Directory”
in place of
authz:
roles_from_myldap:
description: “Authorize via LDAP or Active Directory”
@LGR roles_from_myldap and roles_from_another_ldap are just lables.
You don’t need to configure a second authz domain.
If you configure two authz domains then the authorization process will be executed in the order they’re configured in the authz section. This is a logical OR operation, so the first hit will stop the process.
If the authz match will be found in the first domain then the second one won’t be checked.
thanks for the reply.
i was meaning something like this :
authc:
ldap:
description: "Authenticate via LDAP or Active Directory"
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
hosts:
- prod.com:389
bind_dn: CN=someone,DC=prod,DC=com
password: apassword
userbase: 'ou=users,dc=prod,dc=com'
usersearch: '(userPrincipalName={0})'
username_attribute: userPrincipalName
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
hosts:
- dev.com:389
bind_dn: CN=someone,DC=dev,DC=com
password: apassword
rolebase: 'OU=Groups,DC=dev,DC=com'
rolesearch: '(Member={0})'
userroleattribute: null
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: "ou=users,dc=prod,dc=com"
usersearch: '(userPrincipalName={0})'
so it’ s supposed to work if the bind account in the authz section can access the the “prod” domain to “search” for the users
am i right?
already thanks for your time
@LGR That should work. Did you test that already?
working on it… i’ll let you known if it’s works
we have try several things but without success.
our last try was to use ‘ObjectSid’ because when you add a “trusted” user account this what will be used to determine against which domain the credential has to be checked.
authc:
ldap:
description: "Authenticate via LDAP or Active Directory"
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
hosts:
- prod.com:389
bind_dn: CN=someone,DC=prod,DC=com
password: apassword
userbase: 'ou=users,dc=prod,dc=com'
usersearch: '(sAMAccountName={0})'
username_attribute: sAMAccountName
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
hosts:
- dev.com:389
bind_dn: CN=someone,DC=dev,DC=com
password: apassword
rolebase: 'OU=Groups,DC=dev,DC=com'
rolesearch: '(Member={2})'
userroleattribute: ObjectSid
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: "CN=ForeignSecurityPrincipals,DC=dev,DC=com"
usersearch: '(ObjectSid={0})'
still no clue until now
[ERROR][o.o.s.a.BackendRegistry ] [hostname] Cannot retrieve roles for User [name=aUser@prod.com, backend_roles=, requestedTenant=null]
from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found]];
nested: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found] at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:945) ~[opensearch-security-1.3.2.0.jar:1.3.2.0]
i’ve to mention that we’re still running opensearch 1.3.2
regards
@LGR Have you tried to use the ldapsearch tool to verify the binding and search OU?
Does user “someone” directly under prod.dc?
yes about “someone” : i’ve a bind account for Prod and a bind account for Dev.
my perception is no matter what, opensearch is looking for the user DN in the domain mentioned in the authz.
i will do a few test with a ldapsearch tool alike
thanks for your time
edit : to be complete = > we have 1Forest/1domain trusting 1forest/1domain
@LGR Have you tried to userrolename instead of rolesearch?
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
authorization_backend:
type: ldap
config:
hosts:
- prod.com:389
bind_dn: CN=someone,DC=prod,DC=com
password: password
userrolename: memberOf
rolename: cn
resolve_nested_roles: true
userbase: 'ou=users,dc=prod,dc=com'
usersearch: '(sAMAccountName={0})'
I’ll try to test your approach with different ADs and configured trust.
i’ll try it (today probably) and let you know if it help or not.
regards
if authc appends in dc=prod,dc=com and authz appends in dc=dev,dc=com => it doesn’t work.
something with the trust. Maybe it’s simply not supported…
regards
FYI
I got the last week contact with AWS (Specialist Solutions Architect - Analytics
Amazon Web Services) about this. The question about “trust” and one AD to authenticate /another one to authorize will be asked to the security team.
Waiting news.
cya
still no news until now, i will ask an update.
Meanwhile, we are using authc and authz within the same AD domain.
but i’ve another question => another topic