Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch v2.8.0/Debian 11/Chrome
Describe the issue:
We have 2 different LDAP servers - some users are authenticated against one server, others against the other one.
When 2 LDAP authz blocks are configured, one for each of these servers, we receive a lot of errors of type "Could not follow referral to ldaps:…" and "Cannot retrieve roles for User ", though users can log in and retrieve their mapped roles.
I believe Opensearch tries to authorize a user in each of the configured authz backends, hence the errors. Is there a way to use 2 LDAP authz backends and not have those errors?
Configuration:
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      ldap_first:
        description: "Authenticate via first Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - first.host
            bind_dn: "some-user"
            password: "some-pass"
            userbase: "some-base"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
      ldap_second:
        description: "Authenticate via second Active Directory"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - second.host
            bind_dn: "another-user"
            password: "another-pass"
            userbase: "another-base"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
    authz:
      ldap_first_roles:
        description: "Authorize via first Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - first.host
            bind_dn: "some-user"
            password: "some-pass"
            userbase: "some-base"
            usersearch: "(sAMAccountName={0})"
            username_attribute: cn
            rolebase: "some-rolebase"
            rolesearch: '(member={0})'
            rolename: cn
            resolve_nested_roles: false
            skip_users:
              - admin
              - kibanaserver
              - logstash
              - zabbix
      ldap_second_roles:
        description: "Authorize via second Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - second.host
            bind_dn: "another-user"
            password: "another-pass"
            userbase: "another-base"
            usersearch: "(sAMAccountName={0})"
            username_attribute: cn
            rolebase: "another-rolebase"
            rolesearch: '(member={0})'
            rolename: cn
            resolve_nested_roles: true
            max_nested_depth: 1
            skip_users:
              - admin
              - kibanaserver
              - logstash
              - zabbix
Relevant Logs or Screenshots:
[2023-07-21T10:42:52,041][WARN ][o.l.r.SearchReferralHandler] [LOGSTORE-SB-01] Could not follow referral to ldaps://…
org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]
[2023-07-21T10:42:52,043][ERROR][o.o.s.a.BackendRegistry ] [LOGSTORE-SB-01] Cannot retrieve roles for User [name=
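As an added example (not part of the post and not OpenSearch code), a small triage script that pairs each "Could not follow referral" warning with the LDAP exception logged after it and decodes the Active Directory sub-code in `data NNN`; the sample lines, the referral target `dc.other.example` and the user `jdoe` are constructed, since the post truncates them.

```python
import re

# Constructed sample lines modelled on the warnings quoted in the post; the referral
# target and the user name are placeholders, because the post truncates both.
SAMPLE_LOG = """\
[2023-07-21T10:42:52,041][WARN ][o.l.r.SearchReferralHandler] [LOGSTORE-SB-01] Could not follow referral to ldaps://dc.other.example/DC=other,DC=example
org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]
[2023-07-21T10:42:52,043][ERROR][o.o.s.a.BackendRegistry ] [LOGSTORE-SB-01] Cannot retrieve roles for User [name=jdoe, backend_roles=[]]
"""

# Active Directory "data NNN" sub-codes that accompany LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: the bind DN/password was rejected by this server",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

REFERRAL_RE = re.compile(r"Could not follow referral to (ldaps?://\S+)")
BIND_ERR_RE = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-f]{3})")
NO_ROLES_RE = re.compile(r"Cannot retrieve roles for User \[name=([^,\]\s]+)")


def triage(log_text):
    """Pair each referral warning with the LDAP error that follows it; list users left without roles."""
    failures, users, pending = [], [], None
    for line in log_text.splitlines():
        if m := REFERRAL_RE.search(line):
            # the exception explaining the failure is logged on the following line
            pending = {"referral": m.group(1), "subcode": None, "meaning": None}
            failures.append(pending)
        elif (m := BIND_ERR_RE.search(line)) and pending is not None:
            pending["subcode"] = m.group(1)
            pending["meaning"] = AD_BIND_SUBCODES.get(m.group(1), "unrecognised sub-code")
            pending = None
        elif m := NO_ROLES_RE.search(line):
            users.append(m.group(1))
    return {"referral_failures": failures, "users_without_roles": users}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["referral_failures"]:
        print(f"{f['referral']}: data {f['subcode']} -> {f['meaning']}")
```

In the quoted log the sub-code is 52e, i.e. the credentials used when the referral was followed were rejected by the referred-to server, which is what to check first when one authz backend's bind DN is not an account on the other directory.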