Only use a rolebase in LDAP config

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch v1.3.6
OpenSearch Dashboard v1.3.6

Describe the issue:

In the OpenSearch LDAP configuration, I want users only from specified rolegroups to be authorized onto OpenSearch Dashboards.

As I understand, I can authorize a userbase in dashboards. But is it possible to only take users from a rolebase?
Could I leave out the userbase to achieve this?

Configuration:

config.yml as implemented by the standard config
According to this answer it should be possible!

Can I use primary-rolebase to look for memberOf? And can I look for members in more than one rolegroup?

Authentication:

      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "/usr/share/opensearch/config/{{ opensearch_root_ca }}"
            hosts:
              - example.host:port
            bind_dn: "{{ ldap_bind_dn }}"
            password: "{{ ldap_pass }}"
            users:
              primary-userbase:
                base: "{{ ldap_userbase }}"
                search: '(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=OpenSearch Admins,OU=Groups,DC=subdomain,DC=domain,DC=tld))'
            username_attribute: cn
            skip_users:
              - admin
              - kibanaserver

Authorization:

    authz:
      roles_from_ldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "/usr/share/opensearch/config/{{ opensearch_root_ca }}"
            hosts:
             - example.host:port
            bind_dn: "{{ ldap_bind_dn }}"
            password: "{{ ldap_pass }}"
            rolebase: "{{ ldap_rolebase }}"
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: memberOf
            rolename: cn
            resolve_nested_roles: true
            users:
              primary-userbase:
                base: "{{ ldap_userbase }}"
                search: '(&(objectClass=user)(sAMAccountName={0})(memberOf=primary-rolebase))'
            roles:
              primary-rolebase:
                base: "{{ ldap_rolebase }}"
                search: '(member={0})'
            userroleattribute: null
            userrolename: none
            rolename: cn
            resolve_nested_roles: true
            skip_users:
              - admin
              - kibanaserver

Hi @zujiry!

You can specify the rolegroups using an LDAP query in the rolesearch parameter.

You can’t leave out userbase because it is used to specify the location where user information is stored.

You can look for members in more than one rolegroup. You can find more information about it in the documentation below:
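As an added example (not from the original thread or the OpenSearch project), here is an authz block that keeps the required userbase and restricts the role search to members of either of two named groups; the group CNs, base DN and `{{ }}` placeholders are assumptions to be replaced with your own values.

```yaml
authz:
  roles_from_ldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true
        verify_hostnames: true
        pemtrustedcas_filepath: "/usr/share/opensearch/config/{{ opensearch_root_ca }}"
        hosts:
          - example.host:port
        bind_dn: "{{ ldap_bind_dn }}"
        password: "{{ ldap_pass }}"
        # The userbase stays: the plugin resolves the user's DN here before
        # substituting it for {0} in the role search below.
        users:
          primary-userbase:
            base: "{{ ldap_userbase }}"
            search: '(&(objectClass=user)(sAMAccountName={0}))'
        # Only groups matching this filter become backend roles. The OR (|)
        # clause lists the two permitted groups; the CNs are placeholders.
        roles:
          primary-rolebase:
            base: "OU=Groups,DC=subdomain,DC=domain,DC=tld"
            search: '(&(objectClass=group)(member={0})(|(cn=OpenSearch Admins)(cn=OpenSearch Readers)))'
        # Do not also read roles from the user's memberOf attribute, or groups
        # outside the filter above would be added back (value taken from the
        # thread's own config; assumed to disable attribute-based roles).
        userrolename: none
        rolename: cn
        resolve_nested_roles: true
        skip_users:
          - admin
          - kibanaserver
```

A user outside both groups still authenticates but receives no backend role, so map `OpenSearch Admins` and `OpenSearch Readers` to security roles in roles_mapping.yml and leave unmatched users unmapped.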