Internal user not able to perform any operation

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.7.0

Describe the issue:

I added the xxx internal user through the OpenSearch UI and I’m now trying to do any kind of operation with said user, but OpenSearch doesn’t seem to recognize him; instead, it is looking for him elsewhere (the LDAP server).

Configuration:

Relevant Logs or Screenshots:

No ‘Authorization’ header, send 401 and ‘WWW-Authenticate Basic’
[2023-06-20T13:41:35,730][WARN ][c.a.d.a.l.b.LDAPAuthorizationBackend] [opensearch-cluster-ingest-2] In order to disable host name verification for LDAP connections (verify_hostnames: true), you also need to set set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true when starting the JVM running OpenSearch. This applies for all Java versions released since July 2018.
[2023-06-20T13:41:35,810][ERROR][o.o.s.a.BackendRegistry ] [opensearch-cluster-ingest-2] Cannot retrieve roles for User [name=xxx, backend_roles=[ingest], requestedTenant=null] from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user xxx found]]; nested: OpenSearchSecurityException[No user xxx found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user xxx found]

@vmm-afonso Please share your config.yml


```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: < internalProxies>
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: "kerberos"
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: "noop"
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "intern"
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: "proxy"
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: "noop"
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: "jwt"
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: "noop"
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "cn"
          challenge: false
        authentication_backend:
          type: "noop"
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 5
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ""
            bind_dn: "ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx"
            password:
            userbase: "ou=xxx,ou=xxx,dc=xxx,dc=xxx"
            usersearch: "(uid={0})"
            username_attribute: "dn"
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - ""
            bind_dn: "ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx"
            password:
            rolebase: "ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx"
            rolesearch: "(member={0})"
            userroleattribute: "member"
            userrolename: "uid"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=xxx,ou=xxx,dc=xxx,dc=xxx"
            usersearch: "(uid={0})"
            skip_users:
              - "cn=x"
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
```

I did try adding the mentioned internal user to the authz “skip_users” without much success, but I may not have done it the right way here, not sure.

@vmm-afonso Can you authenticate/authorize using LDAP users in OpenSearch Dashboards?

Yes, I’m having no problem logging in to OpenSearch Dashboards with LDAP users.

@vmm-afonso If you use more than one authentication domain, the OpenSearch security plugin will try to authenticate against all of them in the defined order.
That’s why you see the observed errors in the OpenSearch logs. It’s not a bug; this is how the security plugin works by design.

Regarding the internal user: did you assign any roles to that user? If so, could you share the corresponding entries from roles.yml and roles_mapping.yml, and the user’s name?
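The ordering behaviour described in the reply above (every enabled authc domain is tried in `order`, and every enabled authz domain is then queried for the authenticated user unless its `skip_users` matches) can be checked offline against a config.yml. The script below is an added example, not part of this thread and not the security plugin's own code. It embeds a constructed Python dict that mirrors only the keys the check needs from the config.yml posted earlier (redactions kept as posted), lists the effective HTTP authc chain, and reports which LDAP authz domains will be asked about a given user name. `skip_users` matching is modelled with `*`/`?` wildcards only; the plugin's `/regex/` form is not modelled here.

```python
from fnmatch import fnmatchcase

# Constructed from the config.yml posted above: only the keys this check
# reads are kept, and redacted values stay as posted. This is an added
# example, not the security plugin's own code.
CONFIG = {
    "config": {
        "dynamic": {
            "authc": {
                "kerberos_auth_domain": {
                    "http_enabled": False, "order": 6,
                    "http_authenticator": {"type": "kerberos"},
                    "authentication_backend": {"type": "noop"},
                },
                "basic_internal_auth_domain": {
                    "http_enabled": True, "order": 4,
                    "http_authenticator": {"type": "basic"},
                    "authentication_backend": {"type": "intern"},
                },
                "proxy_auth_domain": {
                    "http_enabled": False, "order": 3,
                    "http_authenticator": {"type": "proxy"},
                    "authentication_backend": {"type": "noop"},
                },
                "jwt_auth_domain": {
                    "http_enabled": False, "order": 0,
                    "http_authenticator": {"type": "jwt"},
                    "authentication_backend": {"type": "noop"},
                },
                "clientcert_auth_domain": {
                    "http_enabled": False, "order": 2,
                    "http_authenticator": {"type": "clientcert"},
                    "authentication_backend": {"type": "noop"},
                },
                "ldap": {
                    "http_enabled": True, "order": 5,
                    "http_authenticator": {"type": "basic"},
                    "authentication_backend": {"type": "ldap"},
                },
            },
            "authz": {
                "roles_from_myldap": {
                    "http_enabled": True,
                    "authorization_backend": {
                        "type": "ldap",
                        "config": {"skip_users": ["cn=x"]},
                    },
                },
                "roles_from_another_ldap": {
                    "http_enabled": False,
                    "authorization_backend": {"type": "ldap"},
                },
            },
        }
    }
}


def http_authc_chain(config):
    """Enabled HTTP authc domains as (order, name, authenticator, backend),
    sorted by 'order': the sequence the plugin tries on a REST request."""
    authc = config["config"]["dynamic"]["authc"]
    chain = [
        (d["order"], name, d["http_authenticator"]["type"],
         d["authentication_backend"]["type"])
        for name, d in authc.items() if d.get("http_enabled")
    ]
    return sorted(chain)


def authz_domains_applied_to(config, username):
    """Enabled HTTP authz domains that will be queried for `username`.

    A domain is skipped only when one of its skip_users entries matches the
    user name; '*' and '?' wildcards are modelled with fnmatch. The plugin
    also accepts /regex/ entries, which this check does not model."""
    authz = config["config"]["dynamic"]["authz"]
    applied = []
    for name, d in authz.items():
        if not d.get("http_enabled"):
            continue
        backend = d.get("authorization_backend", {})
        skip = backend.get("config", {}).get("skip_users", [])
        if not any(fnmatchcase(username, pattern) for pattern in skip):
            applied.append(name)
    return applied


if __name__ == "__main__":
    for order, name, authenticator, backend in http_authc_chain(CONFIG):
        print(f"authc order {order}: {name} ({authenticator} -> {backend})")
    for user in ("xxx", "cn=x"):
        print(f"authz domains queried for {user!r}:",
              authz_domains_applied_to(CONFIG, user) or "none")
```

Run against the posted config, the chain is basic_internal_auth_domain (order 4) followed by ldap (order 5), and `roles_from_myldap` is still queried for the user name `xxx` that appears in the log line, because its only `skip_users` entry, `cn=x`, is compared against the user name rather than a DN. That is the kind of mismatch this check is meant to surface when reviewing a mixed internal/LDAP setup.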