LDAP - Hide unmapped backend roles

I have linked OpenSearch to our Active Directory domain.
I also mapped some AD groups to the proper roles…

Everything works, but I noticed that Dashboards exposes too much information to the users…
Specifically, when a user clicks on “view roles and identities”, the user can see every Active Directory group the user name is linked to (as backend roles), even if that group is never used in OpenSearch…

This is information I would like to hide, as it shows details the user shouldn’t know.

Does anyone know how to do that?

This is the closest thing I found

@anubisg1 I did some testing and found out that narrowing rolebase in authz of config.yml will decrease the number of visible groups.

In my case customer has groups in the Users and Users2 folders.


My rolebase is set to the Users folder and, as a result, I can only see groups from that folder.


This is interesting…

This is the config I am testing right now:

{
  "enable_ssl": false,
  "hosts": [
    "192.168.0.20:389",
    "192.168.0.21:389"
  ],
  "bind_dn": "CN=binduser,OU=Bind Users,OU=UsersOU,DC=customer,DC=company,DC=com",
  "password": "xxxxxx",
  "userbase": "OU=UsersOU,DC=customer,DC=company,DC=com",
  "usersearch": "(sAMAccountName={0})",
  "username_attribute": "sAMAccountName",
  "rolebase": "OU=OpenSearch,OU=User Security Groups - Customer,DC=customer,DC=company,DC=com",
  "rolesearch": "(uniqueMember={0})"
}

Now I also see roles from

OU=User Security Groups - Customer,DC=customer,DC=company,DC=com

even though I specified a more specific OU.

I have also tried to add the following, with no success:

                    resolve_nested_roles: true
                    nested_role_filter:
                      - '^(?!.*OpenSearch.*$)'

That should match (and therefore filter out) everything except groups which have “OpenSearch” in them.


@anubisg1 I did some testing and I still can see only the groups from the rolebase
My repro:

  1. User is located in OU=nested,OU=users2,dc=test,dc=local

  2. Group user2group is located in users2 OU and nested_group1 in nested OU

  3. user ldapuser6 has both groups assigned.

  4. rolebase is set to OU=nested,OU=users2,dc=test,dc=local

  5. Running the below command returns only the nested group.

curl --insecure -u ldapuser6 -XGET "https://localhost:9200/_plugins/_security/authinfo?pretty"

  6. Also OpenSearch Dashboards returns the same.


Have you found a way to hide the unmapped backend roles?

Why isn’t there also the “Domain Users” as backend role shown on the UI?

@hm21 Domain Users are not listed as I’m pointing to a nested security group.

As per my screenshot only nested_group1 is in that nested security group.
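
Added example, not part of the thread: one way to check the effect of a rolebase change is to compare the `backend_roles` returned by the authinfo call above with the backend roles actually referenced in the role mappings (`GET _plugins/_security/api/rolesmapping`). The JSON below is constructed sample data; the group `dashboards_users` and the mappings are assumptions, and matching is exact (wildcard patterns in mappings are not expanded).

```python
import json

# Constructed sample of GET _plugins/_security/authinfo for one LDAP user.
AUTHINFO = json.loads("""
{
  "user_name": "ldapuser6",
  "backend_roles": ["nested_group1", "user2group", "Domain Users"],
  "roles": ["own_index", "readall"]
}
""")

# Constructed sample of GET _plugins/_security/api/rolesmapping.
ROLES_MAPPING = json.loads("""
{
  "readall": {"backend_roles": ["nested_group1"], "and_backend_roles": [], "users": []},
  "kibana_user": {"backend_roles": [],
                  "and_backend_roles": ["nested_group1", "dashboards_users"], "users": []},
  "own_index": {"backend_roles": [], "and_backend_roles": [], "users": ["*"]}
}
""")


def mapped_backend_roles(roles_mapping):
    """Collect every backend role referenced by any role mapping."""
    used = set()
    for mapping in roles_mapping.values():
        used.update(mapping.get("backend_roles", []))
        used.update(mapping.get("and_backend_roles", []))
    return used


def unmapped_backend_roles(authinfo, roles_mapping):
    """Backend roles visible in authinfo that no mapping uses (exact match only)."""
    used = mapped_backend_roles(roles_mapping)
    return sorted(r for r in authinfo.get("backend_roles", []) if r not in used)


if __name__ == "__main__":
    leaked = unmapped_backend_roles(AUTHINFO, ROLES_MAPPING)
    print(f"{AUTHINFO['user_name']}: {len(leaked)} unmapped backend role(s) visible")
    for role in leaked:
        print("  -", role)
```

An empty result for a test user means every group that user can see under “view roles and identities” is one the cluster actually maps.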