I’m fighting with additional user information using Active Directory and recursive resolution.
The ES version is 7.17.12 and SG is 1.3.0
The only setup that I found to work is:
    additional_user_information:
    - type: "ldap"
      ldap:
        idp:
          tls:
            trust_all: false
            enabled_protocols:
            - "TLSv1.2"
            - "TLSv1.3"
          hosts:
          - "ldaps://XXXX:636"
          bind_dn: "XXXX"
          password: "XXXX"
        user_search:
          filter:
            by_attribute: "sAMAccountName"
          base_dn: "XXXX"
        group_search:
          recursive:
            enabled: true
          base_dn: "XXX"
          role_name_attribute: "dn"
      user_mapping:
        user_name:
          from: "$.request.headers[\"CAS_sAMAccountName\"]"
        roles:
          from: "ldap_group_entries[*].distinguishedName"
Absolutely everything else fails, all elements are mandatory.
The first surprise is the huge size of the data returned. For my account, using the debug URL, the returned file is 21M in size. Why? Because we use groups a lot, and for each recursive role, the whole member list (the field member) is returned. There must be a way to restrict the returned elements.
Next, the roles user mapping works in a strange way. The field role_name_attribute: "dn" is used to resolve first-level groups. And then the user_mapping.roles.from field must be defined to extract the role name from the recursive groups. Why 2 fields to extract the same information? That’s inconsistent.
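As an added illustration (editor's example, not Search Guard code): a simulation of recursive group resolution over a constructed set of AD-style group entries, showing how returning every matched group with its full member attribute inflates the payload compared with keeping only distinguishedName, which is all the roles mapping above needs. All DNs and group names are hypothetical.

```python
import json
from collections import deque

# Constructed AD-style sample data (hypothetical DNs, not a real directory).
GROUPS = "OU=groups,DC=example,DC=org"
ALICE = "CN=alice,OU=people,DC=example,DC=org"

def _people(prefix, n):
    return [f"CN={prefix}{i},OU=people,DC=example,DC=org" for i in range(n)]

# group DN -> list of direct members (users and nested groups)
MEMBERS = {
    f"CN=team-alpha,{GROUPS}":     [ALICE] + _people("u", 2000),
    f"CN=department-eng,{GROUPS}": [f"CN=team-alpha,{GROUPS}"] + _people("e", 500),
    f"CN=all-staff,{GROUPS}":      [f"CN=department-eng,{GROUPS}"] + _people("s", 5000),
    f"CN=finance,{GROUPS}":        _people("f", 300),  # alice is not in here
}
# Entries as the server would hand them back: every attribute, including the full member list.
ENTRIES = {dn: {"distinguishedName": dn, "member": m} for dn, m in MEMBERS.items()}

def resolve_groups_recursive(user_dn, entries=ENTRIES):
    """Return every group entry containing user_dn directly or via nested groups
    (breadth-first walk over the 'member' attribute, each group visited once)."""
    found = {}
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for gdn, entry in entries.items():
            if gdn not in found and dn in entry["member"]:
                found[gdn] = entry
                queue.append(gdn)
    return list(found.values())

def project(entries, attributes=("distinguishedName",)):
    """Keep only the attributes the role mapping actually uses."""
    return [{a: e[a] for a in attributes if a in e} for e in entries]

def payload_bytes(entries):
    """Size of the entries serialised as JSON, the form a debug dump would show."""
    return len(json.dumps(entries).encode("utf-8"))

def role_names(entries):
    """Same selection as the JSONPath 'ldap_group_entries[*].distinguishedName'."""
    return [e["distinguishedName"] for e in entries]

if __name__ == "__main__":
    groups = resolve_groups_recursive(ALICE)
    print("roles:", role_names(groups))
    print("full payload bytes:", payload_bytes(groups))
    print("dn-only payload bytes:", payload_bytes(project(groups)))
```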