Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch v1.3.6
OpenSearch Dashboard v1.3.6
Describe the issue:
In the OpenSearch LDAP configuration, I want only users from specified role groups (LDAP/AD groups) to be able to log in to OpenSearch Dashboards.
As I understand it, I can restrict the userbase that Dashboards authenticates against. But is it possible to admit only users who are members of a rolebase (group)?
Could I leave out the userbase to achieve this?
Configuration:
config.yml, adapted from the plugin's standard sample config
According to this answer (the linked answer is not reproduced here) it should be possible!
Can I use primary-rolebase to look for memberOf? And can I look for members in more than one rolegroup?
Authentication:
# LDAP / Active Directory authentication domain (config.dynamic.authc.ldap).
# Login is gated here: the user search filter only returns accounts whose
# memberOf lists the "OpenSearch Admins" group, so anyone outside that group
# fails to authenticate even with valid directory credentials. This filter
# controls *authentication* only; which OpenSearch roles a user ends up with
# is decided by the authz domain plus roles_mapping.yml.
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  # Evaluated first when several authc domains are enabled.
  order: 1
  http_authenticator:
    type: basic
    # No WWW-Authenticate challenge: Dashboards forwards the credentials itself.
    challenge: false
  authentication_backend:
    type: ldap
    config:
      # LDAPS, trusting only the bundled root CA, with hostname verification on.
      # Keep verify_hostnames true: with it off, any certificate issued by the
      # trusted CA could be used to impersonate the directory server.
      enable_ssl: true
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      pemtrustedcas_filepath: "/usr/share/opensearch/config/{{ opensearch_root_ca }}"
      hosts:
        - "example.host:port"
      # Service account used for the user lookup before the user's own bind;
      # it only needs read access to the user and group subtrees.
      bind_dn: "{{ ldap_bind_dn }}"
      password: "{{ ldap_pass }}"
      users:
        primary-userbase:
          base: "{{ ldap_userbase }}"
          # {0} is the login name. Only entries whose memberOf contains the
          # group DN below are returned, so non-members are rejected at login.
          # To allow several groups, OR the clauses:
          #   (|(memberOf=CN=G1,OU=Groups,DC=...)(memberOf=CN=G2,OU=Groups,DC=...))
          # On Active Directory memberOf typically lists direct memberships
          # only (nested groups and the primary group are not included); for
          # nested membership the matching-rule-in-chain form
          #   (memberOf:1.2.840.113556.1.4.1941:=CN=G1,OU=Groups,DC=...)
          # can be used -- confirm against your DC.
          search: '(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=OpenSearch Admins,OU=Groups,DC=subdomain,DC=domain,DC=tld))'
      # The authenticated user is named by this attribute, not by the login
      # name. With cn, roles_mapping.yml entries and the authz user search
      # have to match on cn as well, and cn is only unique within its
      # container. sAMAccountName is unique per domain and equals the login
      # name; if you switch, change both domains together.
      username_attribute: cn
      # These internal users are not looked up in LDAP and fall through to the
      # internal users database, so the group filter above does not protect
      # them -- keep their passwords in internal_users.yml strong.
      # NOTE(review): skip_users is documented for the authorization backend;
      # confirm the authentication backend honours it in this plugin version.
      skip_users:
        - admin
        - kibanaserver
Authorization:
authz:
roles_from_ldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
type: ldap
config:
enable_ssl: true
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
pemtrustedcas_filepath: "/usr/share/opensearch/config/{{ opensearch_root_ca }}"
hosts:
- example.host:port
bind_dn: "{{ ldap_bind_dn }}"
password: "{{ ldap_pass }}"
rolebase: "{{ ldap_rolebase }}"
rolesearch: '(member={0})'
userroleattribute: null
userrolename: memberOf
rolename: cn
resolve_nested_roles: true
users:
primary-userbase:
base: "{{ ldap_userbase }}"
search: '(&(objectClass=user)(sAMAccountName={0})(memberOf=primary-rolebase')
roles:
primary-rolebase:
base: "{{ ldap_rolebase }}"
search: '(member={0})'
userroleattribute: null
userrolename: none
rolename: cn
resolve_nested_roles: true
skip_users:
- admin
- kibanaserver