LDAP backend roles (Authz) not working

Hi,

We are not getting the OS LDAP Authorization (Authz) part with backend roles to work, although LDAP Authentication works.

All users that need to be authorized are placed in LDAP in the “ldap_test_group” below ou=groups,dc=xxxx,dc=xx

The env is running Opensearch v2.6.0 on RHEL 8 with OpenLDAP authentication and PosixGroups/Accounts.

Would really appreciate som help in solving this, all config sections are below.

#1#
/usr/opensearch/config/opensearch-security/config.yml

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        pemtrustedcas_filepath: /usr/opensearch/config/cert/xxxx.pem
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
        - ldap-xxxx.xxxx.xx:8443
        bind_dn: cn=ldapuser,dc=xxxx,dc=xx
        password: "xxxxx"
        userbase: 'ou=users,dc=xxxx,dc=xx'
        usersearch: '(uid={0})'
        username_attribute: "uid"
        skip_users:
         - admin
         - kibanaserver
        rolebase: 'ou=groups,dc=xxxx,dc=xx'
        rolesearch: '(memberUid={0})'
        userroleattribute: null
        userrolename: disabled
        rolename: cn
        resolve_nested_roles: false

#2#
/usr/opensearch/config/opensearch-security/internal_users.yml

#admin
admin:
hash: “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”
reserved: true
backend_roles:
- “admin”
- “ldap_test_group”
description: “admin user”

#3#
/usr/opensearch/config/opensearch-security/roles_mapping.yml

all_access:
reserved: false
backend_roles:
- “admin”
- “cn=ldap_test_group,ou=groups,dc=xxxx,dc=xx”
description: “Maps admin to all_access”

We have also tried changing the above line in roles_mapping.yml from “cn=ldap_test_group,ou=groups,dc=xxxx,dc=xx” to “ldap_test_group” but it does not solve the issue.

When testing manually with ldapsearch and the ldap_test_user which is a member of the ldap_test_group it works.

ldapsearch -w ‘xxxxx’ -x -D “cn=ldapuser,dc=xxxx,dc=xx” -b “ou=groups,dc=xxxx,dc=xx” -H ldaps://ldap-xxxx.xxxx.xx:8443 ‘(memberUid=ldap_test_user)’ ‘cn’

Best Regards
//Dennis

@denkar Would you mind sharing your LDAP authc section too?

@denkar Please run the below command with the test user and share the output.

curl --insecure -u <ldap_user> -XGET https://<OpenSearch_node>:9200/_plugins/_security/authinfo?pretty

@denkar Try this in authz section:

rolesearch: '(member={0})'

instead of:

rolesearch: '(memberUid={0})'

Hi,

When running the command we get:

curl --insecure -u ldap_test_user -XGET https://opensearch-app-test.xxxxx.xx:9200/_plugins/_security/authinfo?pretty

{
  "user" : "User [name=ldap_test_user, backend_roles=[], requestedTenant=null]",
  "user_name" : "ldap_test_user",
  "user_requested_tenant" : null,
  "remote_address" : "10.126.2.118:41830",
  "backend_roles" : [ ],
  "custom_attribute_names" : [
    "ldap.dn",
    "attr.ldap.hasSubordinates",
    "attr.ldap.cn",
    "attr.ldap.entryUUID",
    "attr.ldap.gidNumber",
    "attr.ldap.sshPublicKey",
    "attr.ldap.subschemaSubentry",
    "attr.ldap.createTimestamp",
    "attr.ldap.modifyTimestamp",
    "ldap.original.username",
    "attr.ldap.creatorsName",
    "attr.ldap.uidNumber",
    "attr.ldap.homeDirectory",
    "attr.ldap.structuralObjectClass",
    "attr.ldap.objectClass",
    "attr.ldap.uid",
    "attr.ldap.modifiersName"
  ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "ldap_test_user" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Changing rolesearch from ‘(memberUid={0})’ to rolesearch: ‘(member={0})’ doesnt make any difference.

LDAP authc section is below:

    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            pemtrustedcas_filepath: /usr/opensearch/config/cert/xxxx.pem
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - ldapxxxx.xxxxxx.xx:8443
            bind_dn: cn=ldapxxx,dc=xxxxx,dc=xx
            password: "xxxxx"
            userbase: 'ou=users,dc=xxxxx,dc=xx'
            usersearch: '(uid={0})'
            username_attribute: uid

We want all the users in a specific ldap group to have admin access in Opensearch.
We never speciify the user names only the group.

//Dennis

Here is a slightly modified screenshot from our Openldap,

image844×459 63.3 KB

@denkar Could you run authinfo curl command again after making the change in the config.yml?
Did you apply the change to the cluster with securityadmin.sh?

Ran the authinfo curl command again with the same results.

here is the new config.yml authz section:

        rolebase: 'ou=groups,dc=xxxxx,dc=xx'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: none
        rolename: "name"
        resolve_nested_roles: false

Applied the changes afterwards with securityadmin.sh , but the backend role is still missing

Best Regards
//Dennis

Hi again,

Here comes some more command output.

authinfo against admin shows:

curl --insecure -u admin -XGET https://opensearch_xxxx.xxxxx.xx:9200/_plugins/_security/authinfo?pretty
Enter host password for user 'admin':
{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "10.126.2.118:34280",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "all_access"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

authinfo against ldap_test_user shows:

curl --insecure -u ldap_test_user -XGET https://opensearch_xxxx.xxxxx.xx:9200/_plugins/_security/authinfo?pretty
Enter host password for user 'ldap_test_user':
{
  "user" : "User [name=ldap_test_user, backend_roles=[], requestedTenant=null]",
  "user_name" : "ldap_test_user",
  "user_requested_tenant" : null,
  "remote_address" : "10.126.2.118:47090",
  "backend_roles" : [ ],
  "custom_attribute_names" : [
    "ldap.dn",
    "attr.ldap.hasSubordinates",
    "attr.ldap.cn",
    "attr.ldap.entryUUID",
    "attr.ldap.gidNumber",
    "attr.ldap.sshPublicKey",
    "attr.ldap.subschemaSubentry",
    "attr.ldap.createTimestamp",
    "attr.ldap.modifyTimestamp",
    "ldap.original.username",
    "attr.ldap.creatorsName",
    "attr.ldap.uidNumber",
    "attr.ldap.homeDirectory",
    "attr.ldap.structuralObjectClass",
    "attr.ldap.objectClass",
    "attr.ldap.uid",
    "attr.ldap.modifiersName"
  ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "ldap_test_user" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@denkar In your outputs you’ll notice that backend_roles array is empty. This should contain all the groups assigned to the user in the IdP (OpenLdap).

When you look at the OpenLdap logs you’ll find the similar line

conn=1234 op=2 SRCH base="ou=groups,dc=example,dc=org" scope=2 deref=3 filter="(member=cn=user1,ou=users,dc=example,dc=org)"

This is how OpenLdap searches for a user in each group. I’m not sure if this is configurable.

Looking at your screenshot I assume that you’ve set memberUid as I did the first time.
Instead of typing the full user’s DN you’ve just typed the user’s CN.
Since the filter is using full DN to search the members in the group the result will be empty.

I’ve fixed that by adding the user’s DN as memberUid.

image697×530 21.3 KB

I hope this will help.

Thanks a lot for helping us pablo, now it works!

Best Regards
//Dennis