Custom user attributes for LDAP users

Hi all,

I would like to know if there is any way to create custom attributes for users that are authenticated against LDAP (Active Directory). Basically, I don’t want to use any LDAP attributes but I want a new set of attributes that I manage inside OpenSearch.

First, is there any supported way to do so?

Second, can I create internal users with user names matching the LDAP users and then add my custom attributes?

Third, I noticed that it is possible to create internal users with an empty hash as the password. What is the implication of that? Would the user be able to log in through LDAP basic authentication?

The internal users and LDAP users are independent of one another; therefore, creating internal users that match LDAP users will not have the desired effect.

Regarding the empty password, this should not be used, and login is not possible with the created user. This is also displayed if you try to create a user without a password using OpenSearch Dashboards.

There is currently no way that I know of to achieve the behaviour you are looking for. I would recommend submitting a feature request here and linking this case here and vice versa, to help other users with similar requests.

Currently the REST API accepts an empty hash and would create the account. Either it should reject the empty hash, just like the UI does, or it should allow it in the UI too.

Yes, this certainly looks like a bug; it would be a good idea to raise a bug on the same link.