Approach 2 no longer works after upgrading.
The LDAP server (FreeIPA) has all group memberships under the user as the memberOf attribute.
```yaml
authz:
  ldap_roles:
    description: "Authorize using LDAP"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "freeipa-1:389"
        bind_dn: uid=opensearch,cn=users,cn=accounts,dc=example,dc=com
        password: "${password}"
        userbase: cn=users,cn=accounts,dc=example,dc=com
        usersearch: (uid={0})
        username_attribute: uid
        skip_users:
          - admin
          - kibanaserver
        userroleattribute: memberOf
        rolesearch_enabled: false
        rolebase: cn=groups,cn=accounts,dc=example,dc=com
        rolename: cn
```
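As an added example (not the plugin's own code), this resolves role names the way Approach 2 is documented to: read the user's memberOf DNs and take the `cn` RDN of each. The config values come from the issue; the sample user, the LDIF text and the restriction to DNs under rolebase are assumptions of this example.

```python
# Values taken from the config in this issue; everything else is constructed.
ROLEBASE = "cn=groups,cn=accounts,dc=example,dc=com"
ROLENAME_ATTR = "cn"
USERROLE_ATTR = "memberOf"

# Constructed LDIF, shaped like the output of
#   ldapsearch -LLL -H ldap://freeipa-1:389 -D <bind_dn> -W \
#     -b cn=users,cn=accounts,dc=example,dc=com "(uid=alice)" memberOf
# (hypothetical user "alice" and hypothetical group names).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=opensearch-admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=Editors,cn=roles,cn=accounts,dc=example,dc=com
"""


def parse_ldif_attr(ldif, attr):
    """Return every value of `attr` in a single-entry LDIF text (attribute name is case-insensitive)."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def dn_rdn_value(dn, attr):
    """First RDN value of `attr` in a DN, or None. Simple, unescaped DNs only."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == attr.lower():
            return value.strip()
    return None


def resolve_roles(ldif):
    """Role names Approach 2 should yield: the rolename RDN of each userroleattribute DN.
    Restricting to DNs under rolebase is this example's assumption, not a statement
    about what the plugin does when rolesearch_enabled is false."""
    roles = []
    for dn in parse_ldif_attr(ldif, USERROLE_ATTR):
        if not dn.lower().endswith("," + ROLEBASE.lower()):
            continue
        name = dn_rdn_value(dn, ROLENAME_ATTR)
        if name:
            roles.append(name)
    return roles


if __name__ == "__main__":
    print(resolve_roles(SAMPLE_LDIF))  # ['ipausers', 'opensearch-admins']
```

Feeding real ldapsearch output for the bind account into `resolve_roles` shows whether memberOf is actually visible to the bind DN, which is the first thing to check when roles stop resolving.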
What is the bug?
There are two methods to integrate LDAP auth documented here:

- https://docs.opensearch.org/latest/security/authentication-backends/ldap/#approach-1-query-the-role-subtree
- https://docs.opensearch.org/latest/security/authentication-backends/ldap/#approach-2-use-a-users-attribute-as-the-role-name
How can one reproduce the bug?
Steps to reproduce the behavior:
Use a config similar to the one shown above.
What is the expected behavior?
Roles to be resolved as they were in opensearch:2.
What is your host/environment?
Do you have any additional context?
Related forum posts:

- https://forum.opensearch.org/t/ldap-login-does-not-work-after-upgrade-from-2-19-1-to-3-1-0/25603
- https://forum.opensearch.org/t/solved-unable-to-log-in-with-ldap-after-upgrade-to-3-3/27360/4