Hi,
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch and Dashboards - 2.11.0
Describe the issue:
A user authorized via LDAP is able to see all their LDAP groups as backend roles ("View roles and identities"). It would be nice to limit this list to only the groups contained in the particular OU specified in the rolebase field. In my case it should be OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com
Configuration:

```json
"authz": {
  "ldap": {
    "http_enabled": true,
    "transport_enabled": true,
    "authorization_backend": {
      "type": "ldap",
      "config": {
        "enable_ssl": false,
        "enable_start_tls": false,
        "enable_ssl_client_auth": false,
        "verify_hostnames": false,
        "hosts": [
          "ldap.corp.domain.com:389"
        ],
        "bind_dn": "CN=OpenSearch,OU=System Services,DC=corp,DC=domain,DC=com",
        "password": "the_password",
        "userbase": "DC=corp,DC=domain,DC=com",
        "usersearch": "(&(sAMAccountName={0})(memberof=CN=Permissions - opensearch,OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
        "username_attribute": "sAMAccountName",
        "rolebase": "OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com",
        "rolesearch": "(member={0})",
        "rolename": "cn"
      }
    }
  }
}
```
I've read about exclude_roles and now I'm thinking about some regex like ^(?!Permissions - opensearch.*). But it looks like this feature is only available since 2.13, and I'm not sure whether regex usage is possible.
I also wonder whether it is possible to use characters other than English letters in the rolebase value?
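As an added illustration that is not part of the post (and not the security plugin's own code): this script models the filtering the post asks for, keeping only the group DNs that lie under the rolebase subtree and then applying an exclude pattern to the resulting cn values. The memberOf list, the Cyrillic group name and the assumption that a role is excluded when the regex matches its name are constructed for the example.

```python
import re

# Values taken from the post; everything else below is constructed for the example.
ROLEBASE = "OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com"
EXCLUDE_REGEX = r"^(?!Permissions - opensearch.*)"

# Constructed sample of what a user's memberOf attribute might return from AD.
MEMBER_OF = [
    "CN=Permissions - opensearch,OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com",
    "CN=os-readers,OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com",
    "CN=Domain Users,CN=Users,DC=corp,DC=domain,DC=com",
    "CN=VPN Users,OU=Security Groups,DC=corp,DC=domain,DC=com",
    "CN=Аналитики,OU=OpenSearch,OU=Security Groups,DC=corp,DC=domain,DC=com",  # non-ASCII cn
]

def split_dn(dn):
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]

def in_rolebase(group_dn, rolebase=ROLEBASE):
    """True if group_dn lies strictly below rolebase (case-insensitive DN suffix match)."""
    g = [(a, v.casefold()) for a, v in split_dn(group_dn)]
    b = [(a, v.casefold()) for a, v in split_dn(rolebase)]
    return len(g) > len(b) and g[-len(b):] == b

def backend_roles(member_of, rolebase=ROLEBASE, exclude_regex=None, rolename="cn"):
    """Role names left after scoping to rolebase and applying the exclude pattern."""
    roles = []
    for dn in member_of:
        if not in_rolebase(dn, rolebase):
            continue
        name = next((v for a, v in split_dn(dn) if a == rolename), None)
        if name is None:
            continue
        # Assumption: a role is excluded when the regex matches its name.
        if exclude_regex and re.search(exclude_regex, name):
            continue
        roles.append(name)
    return roles
```

With the post's regex, the negative lookahead matches every name except those starting with "Permissions - opensearch", so used as an exclusion pattern it keeps only that group and drops the rest.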