Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch & Dashboards 2.13.0
Describe the issue:
I need to configure DLS in my OpenSearch instance, based on an integer field. Can I use the "terms" query on integers, is there another query type for integers, or do I need to change the field type to keyword?
Configuration:
LDAP authentication & authorization
So I changed the field to a keyword since that is really more accurate anyway, and I am starting to get things to work.
Now my problem is this: How do I set the list of terms via an LDAP attribute? Does the LDAP server need to preformat the terms as a JSON array in a single attribute?
e.g. should the LDAP server return
allowedTerms: "1", "2", "3", "4"
or
allowedTerms: "[1, 2, 3, 4]"
How does the template substitution work: does it try to understand the data or just insert the raw text of the substitute into the JSON query definition?
Hi @merlinz01,
The security attributes of the index need to be of type keyword, according to the documentation (Document-level security - OpenSearch Documentation).
Have you tried using “custom_attribute_names” from your LDAP?
You can use the below to check "custom_attribute_names":
curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty
sample:
{
  "user" : "User [name=xxx, backend_roles=[xx,xx,xx], requestedTenant=null]",
  "user_name" : "xxx",
  "user_requested_tenant" : null,
  "remote_address" : "xxx.xxx.xxx.xxx:xxxx",
  "backend_roles" : [xxx,xxx,xxx ],
  "custom_attribute_names" : [
    "attr.ldap.xxx",
    "attr.ldap.yyy",
    "attr.ldap.zzz",
    ...
  ]
}
Please also check the documentation section "Using DLS and multiple roles".
best,
mj
Thanks, I had already figured it out. As I mentioned I changed the relevant field to the keyword type. I have my LDAP integration server return, in one of the LDAP user attributes, a JSON-formatted list of the various terms the user may access, and it inserts that into the DLS query like so:
{ "terms": { "organization": [ ${attr.ldap.allowedOrganizationIDs} ] } }
and the LDAP attribute is formatted like "123", "456", "789".
I had to also return the backend roles for the user in the memberOf attribute.
1 Like
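As an added example (not code from the thread or from the OpenSearch project), the following Python script ties the two replies together: it checks an authinfo response for the attribute names a DLS template references, then simulates the raw-text substitution the original poster describes and parses the result as JSON. It assumes, as the poster reports, that the security plugin inserts the attribute value verbatim into the template; the authinfo document, the attribute name `attr.ldap.allowedOrganizationIDs` and all attribute values are constructed for this example. The point for a defender is that a value in the wrong shape (a quoted JSON array, a trailing comma) either yields a query that silently matches the wrong documents or fails to parse, so the LDAP side should be validated in the same shape the template expects.

```python
import json
import re
from typing import Dict, List

# Constructed sample of what GET /_plugins/_security/authinfo might return
# for an LDAP user; names and values are made up for this example.
SAMPLE_AUTHINFO = json.dumps({
    "user_name": "jdoe",
    "backend_roles": ["org-viewers"],
    "custom_attribute_names": [
        "attr.ldap.cn",
        "attr.ldap.allowedOrganizationIDs",
    ],
})

# Constructed sample of the raw LDAP attribute values. Assumption: the plugin
# substitutes the value as raw text, so it must be a comma-separated list of
# JSON string literals because the template wraps it in [ ] itself.
SAMPLE_ATTRIBUTES = {
    "attr.ldap.cn": "jdoe",
    "attr.ldap.allowedOrganizationIDs": '"123", "456", "789"',
}

# The DLS template from the thread ("organization" is a keyword field).
DLS_TEMPLATE = '{ "terms": { "organization": [ ${attr.ldap.allowedOrganizationIDs} ] } }'

# Matches ${attr.ldap.something} style references in a template.
ATTR_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def template_attribute_names(template: str) -> List[str]:
    """Attribute names referenced by a DLS template, in order of appearance."""
    return ATTR_REF.findall(template)


def missing_attributes(authinfo_json: str, template: str) -> List[str]:
    """Names the template needs that authinfo does not list under
    custom_attribute_names. An empty list means the user has them all."""
    info = json.loads(authinfo_json)
    present = set(info.get("custom_attribute_names", []))
    return [n for n in template_attribute_names(template) if n not in present]


def render_dls(template: str, attributes: Dict[str, str]) -> dict:
    """Simulate raw-text substitution, then parse the result as JSON so a
    malformed attribute value is rejected here (ValueError) instead of
    producing an unexpected query at search time."""
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"attribute {name} is not available for this user")
        return attributes[name]

    rendered = ATTR_REF.sub(substitute, template)
    return json.loads(rendered)


def terms_values(dls: dict, field: str) -> list:
    """The list of values a rendered terms query will match on `field`;
    lets a reviewer see the effective filter rather than the template."""
    return dls["terms"][field]


def role_definition(index_pattern: str, template: str) -> dict:
    """Body for PUT /_plugins/_security/api/roles/<role_name>: the DLS query
    travels as a JSON-encoded string inside the role document (assumption
    about the API shape; check the security plugin docs for your version)."""
    return {
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "dls": template,
            "allowed_actions": ["read"],
        }]
    }


if __name__ == "__main__":
    print("missing:", missing_attributes(SAMPLE_AUTHINFO, DLS_TEMPLATE))
    query = render_dls(DLS_TEMPLATE, SAMPLE_ATTRIBUTES)
    print("effective terms:", terms_values(query, "organization"))
    print(json.dumps(role_definition("orders-*", DLS_TEMPLATE), indent=2))
```

Running it with a value of `"[1, 2, 3, 4]"` (the second format the poster asked about) still parses, but the query then matches only a single literal term `[1, 2, 3, 4]`, which is why the comma-separated form is the one that works with this template.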