@LGR roles_from_myldap and roles_from_another_ldap are just labels.
You don’t need to configure a second authz domain.
If you configure two authz domains then the authorization process will be executed in the order they’re configured in the authz section. This is a logical OR operation, so the first hit will stop the process.
If an authz match is found in the first domain, the second one won’t be checked.
Our last try was to use ‘ObjectSid’, because when you add a “trusted” user account, this is what is used to determine against which domain the credential has to be checked.
authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap
      config:
        hosts:
          - prod.com:389
        bind_dn: CN=someone,DC=prod,DC=com
        password: apassword
        userbase: 'ou=users,dc=prod,dc=com'
        usersearch: '(sAMAccountName={0})'
        username_attribute: sAMAccountName
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        hosts:
          - dev.com:389
        bind_dn: CN=someone,DC=dev,DC=com
        password: apassword
        rolebase: 'OU=Groups,DC=dev,DC=com'
        rolesearch: '(Member={2})'
        userroleattribute: ObjectSid
        userrolename: disabled
        rolename: cn
        resolve_nested_roles: true
        userbase: "CN=ForeignSecurityPrincipals,DC=dev,DC=com"
        usersearch: '(ObjectSid={0})'
Still no clue so far:
[ERROR][o.o.s.a.BackendRegistry ] [hostname] Cannot retrieve roles for User [name=aUser@prod.com, backend_roles=, requestedTenant=null]
from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found]];
nested: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user ‘CN=aUser,DC=prod,DC=com’ found] at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:945) ~[opensearch-security-1.3.2.0.jar:1.3.2.0]
I have to mention that we’re still running OpenSearch 1.3.2.
Yes, about “someone”: I have a bind account for Prod and a bind account for Dev.
My perception is that, no matter what, OpenSearch is looking for the user DN in the domain mentioned in the authz section.
I will do a few tests with an ldapsearch-like tool.
Thanks for your time.
Edit: to be complete => we have 1 forest/1 domain trusting 1 forest/1 domain.
Last week I got in contact with AWS (Specialist Solutions Architect - Analytics, Amazon Web Services) about this. The question about “trust” and using one AD to authenticate / another one to authorize will be put to the security team.
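As an added, stand-alone example (not from this thread and not OpenSearch code): the foreignSecurityPrincipal that AD creates in the trusting dev domain for a prod user is named after that user's SID, so the helper below decodes a binary objectSid, builds the expected FSP DN, and produces the filter forms that a manual ldapsearch against CN=ForeignSecurityPrincipals,DC=dev,DC=com could use to confirm the object exists before relying on the ObjectSid-based usersearch above. The SID bytes are constructed sample data; the base DN is the one from the authz config.

```python
import struct

# Constructed sample (not a real SID): the binary objectSid of a user in the
# trusted prod domain, as AD stores it. Revision 1, 5 sub-authorities,
# identifier authority 5 (NT), then 21, 16909060, 84281096, 151653132, RID 1104.
SAMPLE_SID_BYTES = bytes.fromhex(
    "01 05 000000000005 15000000 04030201 08070605 0c0b0a09 50040000"
)

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID into its S-1-5-21-... textual form."""
    if len(raw) < 8:
        raise ValueError("SID is too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, used to build a binary filter value."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldap_filter_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping: each byte as \\xx so a binary value fits in a filter."""
    return "".join("\\%02x" % b for b in raw)

def fsp_dn(sid: str, domain_base: str) -> str:
    """DN of the foreignSecurityPrincipal AD creates for a trusted-domain user."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, domain_base)

def fsp_search_filters(sid: str) -> dict:
    """Filters that should locate the FSP in the trusting (dev) domain."""
    return {
        "by_cn": "(cn=%s)" % sid,
        "by_objectsid_string": "(objectSid=%s)" % sid,  # AD parses S-1-... in filters
        "by_objectsid_binary": "(objectSid=%s)"
        % ldap_filter_escape_bytes(sid_string_to_bytes(sid)),
    }
```

Point any of the three filters at the FSP container with a bind account for Dev; if none of them returns an object, the trust has not yet created the foreignSecurityPrincipal for that user, and no usersearch based on ObjectSid can match.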