From a78dc99e74147cd525f025d46e5fa4dae797e6c5 Mon Sep 17 00:00:00 2001
From: tronboto <142882846+tronboto@users.noreply.github.com>
Date: Thu, 23 Apr 2026 20:08:07 +0100
Subject: [PATCH 1/3] fix
Signed-off-by: tronboto <142882846+tronboto@users.noreply.github.com>
---
 .../backend/LDAPAuthorizationBackend.java | 4 ++++
 .../ldap/LdapBackendTestNewStyleConfig.java | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
index 7a672d5fdb..4a3e8d625d 100755
--- a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
+++ b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
@@ -936,6 +936,10 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 } else {
 // DN roles, extract rolename according to config
+ if (connection == null) {
+ connection = getConnection(settings, configPath);
+ }
+
 for (final LdapName roleLdapName : ldapRoles) {
 final String role = getRoleFromEntry(connection, roleLdapName, roleName);
diff --git a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
index 5fb7b945e5..7fc2c59f98 100644
--- a/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
+++ b/src/test/java/org/opensearch/security/auth/ldap/LdapBackendTestNewStyleConfig.java
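Review bot: The added guard carries no comment explaining why `connection` can still be null at this point; judging by the test added in the same patch, this is the rolesearch-disabled path where the roles are read from a user attribute but are DN-style and still need an entry lookup through `getRoleFromEntry`. A one-line comment such as `// rolesearch disabled: no connection was opened for the role search, but resolving DN-style role names still needs one` would spare the next reader the same investigation, and since patches 2/3 relocate this block the comment should travel with it. `addRoles` begins and ends outside the hunk, so where the connection obtained here is released is not visible; worth confirming it is covered by the method's existing close path.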
@@ -725,6 +725,29 @@ public void testLdapAuthorizationNestedAttrNoRoleSearch() throws Exception {
 MatcherAssert.assertThat(user.getRoles(), hasItem("rolemo4"));
 }
+ @Test
+ public void testLdapAuthorizationRolesearchDisabledWithLdapAuthContext() throws Exception {
+ final Settings settings = Settings.builder()
+ .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
+ .put("users.u1.search", "(uid={0})")
+ .put("users.u1.base", "ou=people,o=TEST")
+ .put("roles.g1.base", "ou=groups,o=TEST")
+ .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
+ .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH_ENABLED, false)
+ .put(ConfigConstants.LDAP_AUTHZ_USERROLENAME, "description")
+ .build();
+
+ AuthenticationContext context = ctx("spock", "spocksecret");
+ User user = new LDAPAuthenticationBackend(settings, null).authenticate(context);
+ user = new LDAPAuthorizationBackend(settings, null).addRoles(user, context);
+
+ Assert.assertNotNull(user);
+ assertThat(user.getName(), is("cn=Captain Spock,ou=people,o=TEST"));
+ assertThat(user.getRoles().size(), is(2));
+ Assert.assertTrue(user.getRoles().contains("dummyempty"));
+ Assert.assertTrue(user.getRoles().contains("rolemo4"));
+ }
+
 @Test
 public void testCustomAttributes() throws Exception {
From 055ae72bb8e76b6b1a4d9dc5ac2c76d70ccc7a92 Mon Sep 17 00:00:00 2001
From: tronboto <142882846+tronboto@users.noreply.github.com>
Date: Mon, 27 Apr 2026 19:18:30 +0100
Subject: [PATCH 2/3] assign connection before if statement
Signed-off-by: tronboto <142882846+tronboto@users.noreply.github.com>
---
 .../auth/ldap/backend/LDAPAuthorizationBackend.java | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
index 4a3e8d625d..82ac405d81 100755
--- a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
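Review bot: The two membership checks at the end of the new test use `Assert.assertTrue(user.getRoles().contains(...))`, whereas the preceding test (see the context line `MatcherAssert.assertThat(user.getRoles(), hasItem("rolemo4"))`) uses the Hamcrest form, which prints the actual role set on failure instead of a bare AssertionError. Suggest `assertThat(user.getRoles(), hasItem("dummyempty"));` and `assertThat(user.getRoles(), hasItem("rolemo4"));`, matching the `assertThat` calls already used two lines above. The method name mentions the LDAP auth context, but nothing in the body says what passing the context from `LDAPAuthenticationBackend.authenticate` into `addRoles` contributes to the scenario; a short comment on the `ctx(...)` line stating that would make the regression being guarded against explicit.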
+++ b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
@@ -885,6 +885,10 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 log.trace("roles count total {}", ldapRoles.size());
 }
+ if (connection == null) {
+ connection = getConnection(settings, configPath);
+ }
+
 // nested roles, makes only sense for DN style role names
 if (nestedRoleMatcher != null) {
@@ -902,10 +906,6 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 continue;
 }
- if (connection == null) {
- connection = getConnection(settings, configPath);
- }
-
 final Set nestedRoles = resolveNestedRoles(
 roleLdapName,
 connection,
@@ -936,10 +936,6 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 } else {
 // DN roles, extract rolename according to config
- if (connection == null) {
- connection = getConnection(settings, configPath);
- }
-
 for (final LdapName roleLdapName : ldapRoles) {
 final String role = getRoleFromEntry(connection, roleLdapName, roleName);
From f0233054d44d37ec09bbe70400ee65b6da774513 Mon Sep 17 00:00:00 2001
From: tronboto <142882846+tronboto@users.noreply.github.com>
Date: Wed, 29 Apr 2026 09:15:36 +0100
Subject: [PATCH 3/3] remove another redundant call
Signed-off-by: tronboto <142882846+tronboto@users.noreply.github.com>
---
 .../auth/ldap/backend/LDAPAuthorizationBackend.java | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
index 82ac405d81..0dbf183fa4 100755
--- a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
+++ b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
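Review bot: Hoisting the `getConnection` call above the nested-role handling means `addRoles` now binds to the directory on a path that previously never touched it: `nestedRoleMatcher == null` combined with role names that are not DN-style, i.e. the `if` counterpart of the `} else { // DN roles` branch in the third hunk, whose condition lies outside the hunk and which, going by that comment, appears not to need an LDAP lookup (confirm). The first hunk of patch 3/3 moves the same block further up, to before `if (rolesearchEnabled)`, so in the final state every authorization call opens a connection; a directory outage or bind failure then fails deployments that resolved roles purely from the user attribute, and each request carries an extra bind that the method's close path (outside the hunks) must release. If the consolidation is intended, gate it on the conditions that actually use `connection`, e.g. `if (connection == null && (rolesearchEnabled || nestedRoleMatcher != null || <existing DN-role condition>)) {`, or at least document the cost with `// opened up front: role search, nested roles and DN-style role names all need it`. The test added in patch 1/3 covers only the DN-role case, so the attribute-only path is not exercised by this series.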
@@ -832,6 +832,10 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 userRoleAttributeValue = Utils.getSingleStringValue(userRoleAttribute);
 }
+ if (connection == null) {
+ connection = getConnection(settings, configPath);
+ }
+
 if (rolesearchEnabled) {
 String escapedDn = dn;
@@ -839,10 +843,6 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 log.debug("DBGTRACE (8): escapedDn" + escapedDn);
 }
- if (connection == null) {
- connection = getConnection(settings, configPath);
- }
-
 for (Map.Entry roleSearchSettingsEntry : roleBaseSettings) {
 Settings roleSearchSettings = roleSearchSettingsEntry.getValue();
@@ -885,10 +885,6 @@ public User addRoles(User user, AuthenticationContext context) throws OpenSearch
 log.trace("roles count total {}", ldapRoles.size());
 }
- if (connection == null) {
- connection = getConnection(settings, configPath);
- }
-
 // nested roles, makes only sense for DN style role names
 if (nestedRoleMatcher != null) {