Authentication via LDAP, only allow certain security groups


We have the following configuration for our Active Directory backend:

```yaml
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - adserver1:636
              - adserver2:636
            bind_dn: "CN=useraccount,OU=Service,OU=Resource Accounts,OU=Users,OU=cmopanyname,DC=company,DC=com"
            password: "password"
            userbase: "OU=Sites,OU=company,DC=company,DC=company"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: sAMAccountName
```

This currently works but we need to restrict this to only certain users in specific security groups. We’ve tried setting the userbase to the security group in question like this:

```yaml
userbase: "CN=testgroup,OU=Sites,OU=company,DC=company,DC=company"
```

But then opendistro cannot find the users anymore and won't work. How can we restrict authentication to only certain users in a security group using the Active Directory backend? I've scoured the internet for answers regarding this but I have not been able to find anything.

Could someone please take a look at this?

```yaml
bind_dn: 'uid=ldapauthuser,ou=ServiceAccounts,ou=users,dc=global,dc=company,dc=com'
password: ldapauthuserpwd
rolebase: 'ou=corporate,ou=ActiveDirectory,ou=Groups,dc=global,dc=company,dc=com'
rolesearch: '(&(|(cn=ELK)(cn=splunk))(uniqueMember={0}))'
userroleattribute: null
userrolename: disabled
rolename: cn
resolve_nested_roles: true
userbase: 'ou=Employees,ou=users,dc=global,dc=company,dc=com'
usersearch: '(uid={0})'
```

This is what I have in my setup…

userbase - is where you get the list of users.
rolesearch - is where you specify the security groups that you want to limit to. In my case I have two wildcard searches joined with an | (or). This allows me to have users in multiple groups so I can secure specific indexes.

This will again depend on your AD setup.


@victor Did this solve the problem for you?

Recognizing this thread is a bit dated now, but I wanted to share another possible solution in case others run into the same problem. I ended up going the route of adding the following to the authc → ldap section of /etc/opensearch/opensearch-security/config.yml in order to limit authentication to a single group:

```yaml
usersearch: '(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=OpenSearch Admins,OU=Groups,DC=subdomain,DC=domain,DC=tld))'
```

Please note the CN, subdomain, domain, and TLD would need to match your environment, along with other LDAP things such as sAMAccountName and memberOf. I have not tested it yet, but I'm pretty sure you can use an or operator "|" to support multiple groups/CNs.

Happy OpenSearching!
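To make the three approaches in this thread concrete, here is an added example (not code from the thread or from the OpenSearch security plugin) that runs the same kind of searches against a small in-memory directory. It models a subtree search with a tiny RFC 4515 filter evaluator and shows why pointing `userbase` at a group DN returns no users (user entries do not live beneath the group entry), while a `memberOf` clause in `usersearch` or a group-side `rolesearch` does the restriction. All DNs, attribute values and the `DIRECTORY` entries are constructed sample data; `usersearch`, `rolesearch`, `search`, `parse_filter` and `escape_filter_value` are this example's own helpers, not plugin APIs.

```python
import re

# Constructed sample directory (not from the thread): two users beneath the user OU,
# one security group beneath a separate group OU. AD stores membership on both sides:
# `member` on the group entry and the back-link `memberOf` on the user entry.
USER_BASE = "OU=Sites,DC=company,DC=com"
GROUP_BASE = "OU=Groups,DC=company,DC=com"
TESTGROUP = "CN=testgroup," + GROUP_BASE
DIRECTORY = {
    "CN=alice," + USER_BASE: {"objectClass": ["user"], "sAMAccountName": ["alice"],
                              "memberOf": [TESTGROUP]},
    "CN=bob," + USER_BASE: {"objectClass": ["user"], "sAMAccountName": ["bob"],
                            "memberOf": []},
    TESTGROUP: {"objectClass": ["group"], "cn": ["testgroup"],
                "member": ["CN=alice," + USER_BASE]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for values substituted into a filter, so a submitted
    username cannot open or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (&...), (|...), (attr=value)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter components must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        parts, depth, start = [], 0, 1
        for i in range(1, len(body)):
            if body[i] == "(":
                depth += 1
            elif body[i] == ")":
                depth -= 1
                if depth == 0:  # one complete child component
                    parts.append(parse_filter(body[start:i + 1]))
                    start = i + 1
        return (body[0], parts)
    attr, sep, value = body.partition("=")  # DN values contain '=' too, so split once
    if not sep:
        raise ValueError("only equality matches are supported: %r" % text)
    # Undo \XX escapes so the comparison is against the literal value.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.strip(), value)


def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, child) for child in node[1])
    if node[0] == "|":
        return any(matches(entry, child) for child in node[1])
    _, attr, wanted = node
    # AD attribute names and DN-valued attributes compare case-insensitively.
    values = [v.lower() for key, vs in entry.items() if key.lower() == attr.lower() for v in vs]
    return wanted.lower() in values


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: entries at or beneath `base` that satisfy the filter."""
    node = parse_filter(filter_text)
    base = base.lower()
    return sorted(dn for dn, entry in directory.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(entry, node))


def usersearch(userbase, template, username):
    """What the backend does at login: substitute {0} with the (escaped) username."""
    return search(userbase, template.replace("{0}", escape_filter_value(username)))


def rolesearch(rolebase, template, user_dn):
    """Group-side lookup after authentication: {0} is the user's DN."""
    return search(rolebase, template.replace("{0}", escape_filter_value(user_dn)))


if __name__ == "__main__":
    plain = "(sAMAccountName={0})"
    restricted = "(&(objectClass=user)(sAMAccountName={0})(memberOf=%s))" % TESTGROUP
    print(usersearch(TESTGROUP, plain, "alice"))       # userbase = group DN: no users found
    print(usersearch(USER_BASE, restricted, "alice"))  # member of the group: found
    print(usersearch(USER_BASE, restricted, "bob"))    # not a member: rejected
    print(rolesearch(GROUP_BASE, "(&(|(cn=testgroup)(cn=other))(member={0}))",
                     "CN=alice," + USER_BASE))         # groups the user belongs to
```

The `memberOf` route rejects non-members at authentication time, whereas the `rolesearch` route still authenticates every user under `userbase` and only decides which backend roles they get; which one you want depends on whether "not in the group" should mean a failed login or a login with no permissions. Against a real directory the group attribute is `member` for AD groups and `uniqueMember` for OpenLDAP `groupOfUniqueNames`, as the two earlier posts show.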