User not found error despite user existing (LDAP)

Hello, and happy Wednesday!

We have a 2.8 cluster with a mix of both internal users and LDAP users. Our config has the internal domain at Order 0, and the LDAP domain at Order 1. Despite this, I am seeing the below error in our logs for an internal user:

Cannot retrieve roles for from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user USER found]]; nested: OpenSearchSecurityException[No user found];

This is not expected, is it? I'm wondering why the cluster is pinging LDAP if the internal user was already found.

I see another post suggesting to add “skip_users” and manually add internal users. It doesn’t make sense to me that LDAP would be pinged when the internal user was already found in the order 0 domain.

Hi @kjk2161,

That is correct, you will need to use skip_users in your config to prevent this behaviour.

sample:

skip_users:
        - admin
        - kibanaserver

Please see more here: Active Directory and LDAP - OpenSearch Documentation

Best,
mj
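Added illustration, not part of the reply above or of the OpenSearch documentation it links to: a config.yml fragment showing where skip_users goes. In OpenSearch Security the authc domains (tried in order, stopping at the first success) are separate from the authz backends, which are consulted for backend roles of every authenticated user regardless of which authc domain accepted them; that is the "Cannot retrieve roles for ... from ldap" lookup. Listing the internal users under skip_users in the LDAP authorization_backend (and, as the reply suggests, in the LDAP authc domain) stops that lookup. Hostnames, base DNs, the bind DN and the user names below are placeholders.

```yaml
# Added example, not from the thread. config.yml fragment for
# opensearch-security; placeholder hostnames, DNs and user names.
config:
  dynamic:
    authc:
      # Order 0: internal users from internal_users.yml are tried first.
      internal_auth:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      # Order 1: only reached if the internal backend rejects the user.
      ldap_auth:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            hosts:
              - ldap.example.com:636        # placeholder
            bind_dn: 'cn=svc-opensearch,ou=service,dc=example,dc=com'  # placeholder
            password: '${env.LDAP_BIND_PASSWORD}'                      # placeholder
            userbase: 'ou=people,dc=example,dc=com'                    # placeholder
            usersearch: '(uid={0})'
            username_attribute: uid
            # Internal-only accounts are never looked up in LDAP here.
            skip_users:
              - admin
              - kibanaserver

    authz:
      # Authorization backends run for every authenticated user, whichever
      # authc domain accepted them; skip_users prevents the LDAP role lookup
      # (and the "No user ... found" error) for the internal accounts.
      ldap_roles:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            hosts:
              - ldap.example.com:636        # placeholder
            bind_dn: 'cn=svc-opensearch,ou=service,dc=example,dc=com'  # placeholder
            password: '${env.LDAP_BIND_PASSWORD}'                      # placeholder
            userbase: 'ou=people,dc=example,dc=com'                    # placeholder
            usersearch: '(uid={0})'
            rolebase: 'ou=groups,dc=example,dc=com'                    # placeholder
            rolesearch: '(member={0})'
            rolename: cn
            resolve_nested_roles: false
            skip_users:
              - admin
              - kibanaserver
```

After changing config.yml, apply it with securityadmin.sh (or the REST API) rather than just restarting nodes, and keep the skip_users list to accounts that genuinely exist only in internal_users.yml; a user present in both stores would otherwise lose their LDAP-derived backend roles.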

Appreciate it @Mantas.

Just curious why skip_users is needed though? I was under the impression that once a user is authenticated at a domain, security skips auth in other domains?