DLS and LDAP Backend Roles: _opendistro_security_dls_query does not match (SG 900D)

OpenSearch 2.0 with LDAP for auth & authz configured and working.

We are trying to add DLS backed by LDAP backend roles, but with no luck. We see a stack trace with "_opendistro_security_dls_query does not match (SG 900D)" in the OpenSearch logs.
(Kibana web UI: statusCode: 500)
If we configure the users as local internal users and add backend roles to these local users, everything works as expected.

While investigating the differences between local users and LDAP users, we can see that for local users, and for LDAP users without DLS restrictions, the internal index has at least one document:

green open .kibana_97499_bha_1 EV8J1ZBuQNC7DkWwBAx2aQ 1 1 1 0 10.4kb 5.2kb

For the LDAP DLS user the internal index is created as well, but it is empty:
green open .kibana_3553523_abc_1 Wj6Yf7hvR7O165Pw5HuUFA 1 1 0 0 416b 208b

If we remove the DLS restriction from that role and let the user log in once, the internal index is created properly, and DLS works afterwards (after adding the restriction again).

What we have configured:
Role: all_webapps_role
Cluster permissions: unlimited
Index permissions: logstash-dlsapp-*
Internal users: -
Backend roles: All.Web.User
Tenants: all_web_tenant

Mapped Users:
User type: Backend role / User: All.Web.User

curl -k -u abc:test -XGET "https://localhost:9200/_opendistro/_security/authinfo?pretty"

{
  "user" : "User [name=abc, backend_roles=[All.645.User, All.Web.User, All.Web.Tenant], requestedTenant=null]",
  "user_name" : "abc",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:47460",
  "backend_roles" : [
    "All.645.User",
    "All.Web.User",
    "All.Web.Tenant"
  ],
  "custom_attribute_names" : [
    "ldap.dn",
    "attr.ldap.hasSubordinates",
    "attr.ldap.entryUUID",
    "attr.ldap.pwdChangedTime",
    "attr.ldap.windowsAccount",
    "attr.ldap.nsUniqueId",
    "attr.ldap.subschemaSubentry",
    "attr.ldap.createTimestamp",
    "attr.ldap.modifyTimestamp",
    "ldap.original.username",
    "attr.ldap.orclGUID",
    "attr.ldap.creatorsName",
    "attr.ldap.sAMAccountName",
    "attr.ldap.numSubordinates",
    "attr.ldap.structuralObjectClass",
    "attr.ldap.changelog",
    "attr.ldap.objectClass",
    "attr.ldap.uid",
    "attr.ldap.ds-sync-hist",
    "attr.ldap.modifiersName"
  ],
  "roles" : [
    "kibana_user",
    "all_webapps_role"
  ],
  "tenants" : {
    "all_web_tenant" : true,
    "global_tenant" : true,
    "abc" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Has anybody got DLS with an LDAP backend working?
Any hint would be very much appreciated!
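The role and mapping listed above, written out as the equivalent roles.yml and roles_mapping.yml entries that the security plugin loads (via securityadmin.sh or the REST API). This is an added example and not the poster's actual configuration: the post only lists the UI fields, so the DLS query, the description text, and the "read" and "kibana_all_write" action groups are assumptions chosen to illustrate the shape of a backend-role-backed DLS role.

```yaml
# roles.yml (added example; the dls query is an assumption, the original
# post does not show the real filter)
all_webapps_role:
  reserved: false
  description: "Read logstash-dlsapp-* with a document-level filter"
  cluster_permissions:
    - "unlimited"
  index_permissions:
    - index_patterns:
        - "logstash-dlsapp-*"
      # DLS is a query string that is AND-ed onto every search this role runs
      dls: '{"term": {"app.keyword": "webapp"}}'
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "all_web_tenant"
      allowed_actions:
        - "kibana_all_write"

# roles_mapping.yml: the role is bound to the LDAP group (backend role),
# not to a named user, so it applies to whoever LDAP puts in that group
all_webapps_role:
  reserved: false
  backend_roles:
    - "All.Web.User"
```

The mapping is the part that differs between the working local-user setup and the LDAP setup: for an internal user the backend role comes from internal_users.yml, for an LDAP user it comes from the group attribute the authz backend returns, which is what shows up under backend_roles in the authinfo output above.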

@Bruno How is your own_index role configured? Does it appear for local users?

@pablo

For local (internal) users, we see 2 roles: kibana_user, webapps
For LDAP-managed users we see similar roles: kibana_user, all_webapps_role

@Bruno It looks like your own_index role was modified. User mapping has been removed. This will affect LDAP users too.

By default it is set as below.

Try to revert the change in your own_index and mapping as per screenshots.
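The screenshots referred to in the reply above are not part of this page. For reference, this is the own_index role and its mapping as shipped by default in the security plugin's roles.yml and roles_mapping.yml, reproduced here from memory as an added example rather than taken from the thread; confirm the exact text against the files in your own plugin's securityconfig directory before applying it.

```yaml
# roles.yml (default own_index role as shipped, added here for reference)
own_index:
  reserved: true
  description: "Allow all for indices named like the current user"
  cluster_permissions:
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        # ${user_name} expands to the authenticated user, for LDAP and
        # internal users alike
        - "${user_name}"
      allowed_actions:
        - "indices_all"

# roles_mapping.yml (default mapping as shipped): the wildcard user
# mapping is what gives every authenticated user this role
own_index:
  reserved: false
  users:
    - "*"
  description: "Allow full access to an index named like the username"
```

The mapping uses a wildcard under users, so removing it affects every user regardless of authentication backend, which is the point the reply makes about LDAP users being affected too.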

@pablo Thank you for your reply!
I did what you suggested but still have the same issue: