I’m fighting with additional user information using Active Directory and recursive resolution.
The ES version is 7.17.12 and SG is 1.3.0
The only setup that I found to work is:
additional_user_information:
- type: "ldap"
  ldap:
    idp:
      tls:
        trust_all: false
        enabled_protocols:
        - "TLSv1.2"
        - "TLSv1.3"
      hosts:
      - "ldaps://XXXX:636"
      bind_dn: "XXXX"
      password: "XXXX"
    user_search:
      filter:
        by_attribute: "sAMAccountName"
      base_dn: "XXXX"
    group_search:
      recursive:
        enabled: true
      base_dn: "XXX"
      role_name_attribute: "dn"
    user_mapping:
      user_name:
        from: "$.request.headers[\"CAS_sAMAccountName\"]"
      roles:
        from: "ldap_group_entries[*].distinguishedName"
Absolutely everything else fails, all elements are mandatory.
The first surprise is the huge size of the data returned. For my account, using the debug URL, the returned file is 21M in size. Why? Because we use groups a lot, and for each recursive role, the whole member list (the field member) is returned. There must be a way to restrict the returned elements.
Next, the role user mapping works in a strange way. The field role_name_attribute: "dn" is used to resolve first-level groups, and then the user_mapping.roles.from field must be defined to extract the role name from the recursive groups. Why 2 fields to extract the same information? That’s inconsistent.
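An added example to illustrate the two points above (not code from the original post and not Search Guard's own implementation, whose internal resolver is not shown here): it builds a small constructed AD-style directory in memory, resolves a user's nested groups recursively through the `member` attribute with cycle protection, extracts the role name from each group entry the way `ldap_group_entries[*].distinguishedName` does, and compares how many bytes are retained when the full `member` list of every group is kept versus when only the DN is kept. The group and user names, the `filler` membership sizes and the helper functions are all assumptions for the demonstration.

```python
import json

# Constructed naming context for the demonstration (not from the post).
BASE = "OU=Groups,DC=example,DC=com"
USERS = "OU=Users,DC=example,DC=com"


def build_directory(filler_per_group=1000):
    """Constructed AD-like directory: DN -> attributes. Each group lists its
    members (users and nested groups) in `member`, as AD does; `filler`
    members stand in for the large memberships that inflate the returned data."""
    def group(cn, members):
        return {"distinguishedName": f"CN={cn},{BASE}", "cn": cn, "member": list(members)}

    def filler(cn):
        return [f"CN=user{i}-{cn},{USERS}" for i in range(filler_per_group)]

    alice = f"CN=alice,{USERS}"
    groups = [
        group("dev", [alice] + filler("dev")),                                  # direct membership
        group("backend", [f"CN=dev,{BASE}", f"CN=engineering,{BASE}"] + filler("backend")),
        group("engineering", [f"CN=backend,{BASE}"] + filler("engineering")),   # cycle with backend
        group("finance", filler("finance")),                                    # unrelated to alice
    ]
    directory = {g["distinguishedName"]: g for g in groups}
    directory[alice] = {"distinguishedName": alice, "sAMAccountName": "alice"}
    return directory


def resolve_groups(directory, user_dn):
    """Recursive group resolution: start from groups that list the user as a
    member, then repeatedly look for groups that list an already-found group.
    `seen` makes cyclic nesting (backend <-> engineering) terminate."""
    found, seen, frontier = [], set(), {user_dn}
    while frontier:
        new = []
        for dn, entry in directory.items():
            if dn in seen or "member" not in entry:
                continue
            if frontier & set(entry["member"]):
                seen.add(dn)
                new.append(dn)
        found.extend(new)
        frontier = set(new)
    return [directory[dn] for dn in found]


def roles_from(entries, attribute="distinguishedName"):
    """Equivalent of extracting ldap_group_entries[*].<attribute> as role names."""
    return [e[attribute] for e in entries]


def retained_bytes(entries, keep_member):
    """Bytes of JSON retained per resolution when the full `member` attribute is
    kept for every group versus dropped (only the DN is needed for the role name)."""
    slim = [e if keep_member else {k: v for k, v in e.items() if k != "member"}
            for e in entries]
    return len(json.dumps(slim).encode("utf-8"))


if __name__ == "__main__":
    d = build_directory()
    groups = resolve_groups(d, f"CN=alice,{USERS}")
    print(roles_from(groups))
    print(retained_bytes(groups, True), retained_bytes(groups, False))
```

The resolver only ever needs each group's DN to name the role, so the `member` lists can be dropped as soon as the next level has been found; the size difference between the two `retained_bytes` calls is where the 21M in the post comes from.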