LDAP authorization is performing an excessive number of queries

Version: opensearch-2.19.2-1.x86_64

Describe the issue:
For users who have many groups, the login speed is extremely slow, because OpenSearch, in particular authz, for some reason makes a request to every group it finds for the user. This is observed with different configurations (I gave 2 options below) and I can’t find how to make it not do this. It already has a list of groups - why is it making more requests?

Configuration:
1)

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - ipa.xxxxx.com:389
            bind_dn: 'uid=opensearch,cn=users,cn=accounts,dc=somedomain,dc=com'
            password: yyyyyy
            rolebase: 'cn=groups,cn=accounts,dc=somedomain,dc=com'
            rolesearch: '(member={0})'
            userrolename: disabled
            rolename: cn
            rolesearch_enabled: true
            resolve_nested_roles: false
            skip_users:
               - 'admin'
               - 'kibanaserver'
               - 'logstash'

2)

    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - ipa.xxxxx.com:389
            bind_dn: 'uid=opensearch,cn=users,cn=accounts,dc=somedomain,dc=com'
            password: yyyyy
            userrolename: memberOf
            rolename: cn
            rolesearch_enabled: false
            resolve_nested_roles: false
            skip_users:
               - 'admin'
               - 'kibanaserver'
               - 'logstash'

Logs:
I’m not sure which of the tons of queries are needed, but after getting the user’s group list it runs hundreds of queries like this:

    {"type": "server", "timestamp": "2025-07-09T19:28:42,970Z", "level": "DEBUG", "component": "o.l.SearchOperation", "cluster.name": "dev-logs", "node.name": "xxxxxx", "message": "execute request=[org.ldaptive.SearchRequest@1337559277::baseDn=cn=GROUP1,cn=groups,cn=accounts,dc=somedomain,dc=com, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[*, +], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=0, derefAliases=ALWAYS, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@488de54c], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@50f5fc7, intermediateResponseHandlers=null] with connection=com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend$4@6d44e4f", "cluster.uuid": "6b9MDxGzSiWWr7FK-UUrCA", "node.id": "_JFKdsC4QO-cVV64eyxySA"  }
    {"type": "server", "timestamp": "2025-07-09T19:28:42,987Z", "level": "DEBUG", "component": "o.l.SearchOperation", "cluster.name": "dev-logs", "node.name": "xxxxxx", "message": "execute request=[org.ldaptive.SearchRequest@1844628746::baseDn=cn=GROUP2,cn=groups,cn=accounts,dc=somedomain,dc=com, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[*, +], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=0, derefAliases=ALWAYS, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@7b4bf276], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@3efc14c6, intermediateResponseHandlers=null] with connection=com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend$4@6d44e4f", "cluster.uuid": "6b9MDxGzSiWWr7FK-UUrCA", "node.id": "_JFKdsC4QO-cVV64eyxySA"  }
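To quantify the pattern these log lines show, here is an added diagnostic script (not from this thread or the OpenSearch project) that parses the plugin's JSON DEBUG records and counts the `rolesearch` over `rolebase` separately from the per-entry OBJECT-scope fetches, with entries outside `rolebase` reported on their own. The sample records are constructed to mirror the post's format with shortened object ids; `ROLEBASE` is taken from the first configuration above.

```python
import json
import re
from collections import Counter

# Pulls baseDn, filter and scope out of the ldaptive SearchRequest text in "message".
_REQ_RE = re.compile(r"baseDn=(?P<base>.*?), searchFilter=\[.*?filter=(?P<filter>.*?), "
                     r"parameters=.*?searchScope=(?P<scope>[A-Z]+)")

def parse_ldap_requests(lines):
    """Yield (baseDn, filter, scope) for each o.l.SearchOperation JSON log line."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # non-JSON line (e.g. a stack trace): skip it
        if rec.get("component") == "o.l.SearchOperation":
            m = _REQ_RE.search(rec.get("message", ""))
            if m:
                yield m.group("base"), m.group("filter"), m.group("scope")

def summarize(lines, rolebase):
    """Separate the role search over rolebase from the per-entry OBJECT fetches."""
    role_searches, per_group, outside = 0, Counter(), Counter()
    for base, flt, scope in parse_ldap_requests(lines):
        if scope == "OBJECT" and flt == "(objectClass=*)":
            # one fetch per DN found for the user; this is the part that grows
            (per_group if base.endswith("," + rolebase) else outside)[base] += 1
        elif base == rolebase:
            role_searches += 1
    return {"role_searches": role_searches,
            "group_fetches": sum(per_group.values()),
            "distinct_groups": len(per_group),
            "fetches_outside_rolebase": sum(outside.values())}

def _rec(base, flt, scope):
    # Constructed record in the shape of the post's log lines (object ids shortened).
    msg = (f"execute request=[org.ldaptive.SearchRequest@1::baseDn={base}, "
           f"searchFilter=[org.ldaptive.SearchFilter@2::filter={flt}, parameters={{}}], "
           f"returnAttributes=[*, +], searchScope={scope}, timeLimit=PT0S]")
    return json.dumps({"type": "server", "level": "DEBUG",
                       "component": "o.l.SearchOperation", "message": msg})

ROLEBASE = "cn=groups,cn=accounts,dc=somedomain,dc=com"
SAMPLE_LOG = [  # constructed: one role search, then the per-entry fetches
    _rec(ROLEBASE, "(member=uid=alice,cn=users,cn=accounts,dc=somedomain,dc=com)", "SUBTREE"),
    _rec("cn=GROUP1," + ROLEBASE, "(objectClass=*)", "OBJECT"),
    _rec("cn=GROUP2," + ROLEBASE, "(objectClass=*)", "OBJECT"),
    _rec("cn=GROUP1," + ROLEBASE, "(objectClass=*)", "OBJECT"),
    _rec("cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=somedomain,dc=com",
         "(objectClass=*)", "OBJECT"),
]
```

Run it against a real node log with `summarize(open("opensearch.log"), ROLEBASE)`; if `group_fetches` tracks the user's group count per login, the per-entry lookups rather than the role search are what to time.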

Hi @Decim, has this worked differently before? Did you use older versions of OpenSearch?
Your config looks good.

The debug messages that you’re observing are produced by OpenSearch Dashboards. Do you see any additional logging in OpenSearch nodes?

How many groups does your average user have assigned?

> How many groups does your average user have assigned?

80-120
This is partly due to the peculiarities of LDAP, which adds entities similar to “cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=somedomain,dc=com” to memberOf, but in any case, even without this, even if there are only 20 groups, login may take a little while. When there are only a few groups (I think up to 5-10), of course everything looks good.

> The debug messages that you’re observing are produced by OpenSearch Dashboards. Do you see any additional logging in OpenSearch nodes?

How to distinguish “dashboards” messages from opensearch messages? And should I see some ldap messages there if ldap for transport is disabled?

> has this worked differently before? Did you use older versions of OpenSearch?

Unfortunately, I can only talk about versions starting from 2.18, and there was the same problem (OpenSearch starts making requests to each group that it found for the user).

@Decim I’ve just checked again, and these logs look like OpenSearch logs processed by Logstash or another tool.
Do you process your OpenSearch logs?

Regarding the DEBUG level, did you change anything in log4j2.properties?
DEBUG level is not enabled out of the box, at least not in Docker version.

This is my config.

    # Copyright OpenSearch Contributors
    # SPDX-License-Identifier: Apache-2.0
    #
    # The OpenSearch Contributors require contributions made to
    # this file be licensed under the Apache-2.0 license or a
    # compatible open source license.

    status = error

    appender.console.type = Console
    appender.console.name = console
    appender.console.layout.type = PatternLayout
    appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n

    rootLogger.level = info
    rootLogger.appenderRef.console.ref = console

@Decim Did you enable debugging to fix your performance issue? Extensive logging can also slow down your OpenSearch nodes.

I’ve tested OpenSearch with LDAP secured authentication and an LDAP user with 60 nested groups. I haven’t noticed any big performance issues.
