User not found error despite user existing (LDAP)

kjk2161 · February 28, 2024, 3:54pm

Hello, and happy Wednesday!

We have a 2.8 cluster with a mix of both internal users and LDAP users. Our config has the internal domain at Order 0, and the LDAP domain at Order 1. Despite this, I am seeing the below error in our logs for an internal user:

Cannot retrieve roles for from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user USER found]]; nested: OpenSearchSecurityException[No user found];

This is not expected is it? I"m wondering why the cluster is pinging LDAP if the internal user was already found.

kjk2161 · February 28, 2024, 4:11pm

I see another post suggesting to add “skip_users” and manually add internal users. It doesn’t make sense to me that LDAP would be pinged when the internal user was already found in the order 0 domain.

Mantas · February 28, 2024, 5:47pm

Hi @kjk2161,

That is correct you will need to use skip_users in your config to prevent this behaviour.

sample:

skip_users:
        - admin
        - kibanaserver

Please see more here: Active Directory and LDAP - OpenSearch Documentation

Best,
mj

kjk2161 · February 28, 2024, 5:56pm

Appreciate it @Mantas .

Just curious why skip users is needed though? I was under the impression that once a user is auth at a domain, security skips auth in other domains?

Topic		Replies	Views
Avoiding 'Cannot retrieve roles for User' with internaluser and LDAP Security	4	1464	June 20, 2023
Users from internal db checked over LDAP Security	2	1976	July 12, 2019
Using roles from LDAP only for LDAP users Security	2	607	March 19, 2020
Internal users issue Security	7	65	September 19, 2024
LDAP user getting missing role error, then able to login successfully 1 hour later Security	3	329	March 25, 2024

User not found error despite user existing (LDAP)

Related topics