DLS using multiple LDAP attributes in a term query

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch & Dashboards 2.13.0

Describe the issue:
I need to configure DLS in my OpenSearch instance, based on an integer field. Can I use the “terms” query on integers, is there another query type for integers, or do I need to change the field type to keyword?

LDAP authentication & authorization

So I changed the field to a keyword since that is really more accurate anyway, and I am starting to get things to work.

Now my problem is this: How do I set the list of terms via an LDAP attribute? Does the LDAP server need to preformat the terms as a JSON array in a single attribute?

e.g. should the LDAP server return
allowedTerms: "1", "2", "3", "4"
allowedTerms: "[1, 2, 3, 4]"

How does the template substitution work: does it try to understand the data or just insert the raw text of the substitute into the JSON query definition?

Hi @merlinz01,

The security_attributes of the index need to be of type keyword, according to the documentation (Document-level security - OpenSearch Documentation).

Have you tried using “custom_attribute_names” from your LDAP?

You can use the below to check “custom_attribute_names”:

curl --insecure -u '<ldap_user>:<ldap_password>' -XGET 'https://<OS_node>:9200/_plugins/_security/authinfo?pretty'


  "user" : "User [name=xxx, backend_roles=[xx,xx,xx], requestedTenant=null]",
  "user_name" : "xxx",
  "user_requested_tenant" : null,
  "remote_address" : "xxx.xxx.xxx.xxx:xxxx",
  "backend_roles" : [xxx,xxx,xxx ],
  "custom_attribute_names" : [

Please check here if “using DLS and multiple roles”:


Thanks, I had already figured it out. As I mentioned I changed the relevant field to the keyword type. I have my LDAP integration server return, in one of the LDAP user attributes, a JSON-formatted list of the various terms the user may access, and it inserts that into the DLS query like so:
{ "terms": { "organization": [ ${attr.ldap.allowedOrganizationIDs} ] } }
and the LDAP attribute is formatted like "123", "456", "789".
I had to also return the backend roles for the user in the memberOf attribute.

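As an added example (not code from this thread or from the OpenSearch project), the check below could run on the LDAP integration side before an attribute value is published. It assumes the substitution is plain text replacement, as the last post describes; the function names, the sample values and the rule that every ID is a quoted digit string are assumptions.

```python
import json

# DLS query and placeholder as posted in the thread.
DLS_TEMPLATE = '{ "terms": { "organization": [ ${attr.ldap.allowedOrganizationIDs} ] } }'
PLACEHOLDER = "${attr.ldap.allowedOrganizationIDs}"


def parse_allowed_ids(attr_value: str) -> list:
    """Return the IDs in an attribute value, or raise ValueError.

    The value is wrapped in [ ] exactly as the template wraps it, so it is
    accepted only if it forms a flat JSON array of quoted ASCII-digit IDs
    (the ID format is an assumption based on the "123", "456" example).
    """
    try:
        ids = json.loads("[" + attr_value + "]")
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a JSON list body: {exc.msg}") from None
    if not ids:
        raise ValueError("empty list: the filter would match no documents")
    for item in ids:
        if not (isinstance(item, str) and item.isascii() and item.isdigit()):
            raise ValueError(f"not a quoted numeric ID: {item!r}")
    return ids


def render_dls(attr_value: str) -> dict:
    """Validate the value, substitute it as raw text (assumed behaviour),
    and confirm the rendered query is exactly the intended terms filter."""
    ids = parse_allowed_ids(attr_value)
    query = json.loads(DLS_TEMPLATE.replace(PLACEHOLDER, attr_value))
    if query != {"terms": {"organization": ids}}:
        raise ValueError("rendered query differs from the intended filter")
    return query


# Constructed sample attribute values: the format from the post, a
# pre-bracketed array, a truncated value, unquoted integers, and empty.
SAMPLES = ['"123", "456", "789"', "[1, 2, 3, 4]", '"123", "456', "1, 2, 3", ""]

if __name__ == "__main__":
    for value in SAMPLES:
        try:
            print(f"{value!r:24} -> {render_dls(value)}")
        except ValueError as err:
            print(f"{value!r:24} -> rejected: {err}")
```

Only the first sample is accepted; the pre-bracketed form is rejected because the template already supplies the brackets, so it would render as a nested array.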