Are multiple LDAP userbases possible?

  • ES Version: 5.6.14

  • Enabled Modules: dlic-search-guard-authbackend-ldap-5.0-14-jar, dlic-search-guard-auth-http-kerberos-5.0-4-jar, dlic-search-guard-module-dlsfls-5.3-10-jar

  • JVM version and operating system version: JRE 1.8.0_161, Debian Jessie

I connected SearchGuard to our ActiveDirectory via LDAP. I defined the OU that contains my users as userbase and everything is working. (userbase: ‘OU=Admins,OU=Users,DC=domain,DC=local’)

Now a user which is in another OU (‘OU=Janitors,OU=Users,DC=domain,DC=local’) needs access to Elasticsearch.

Is it possible to define multiple userbases?

Yes, this is possible; please have a look at the second config example from the docs:

https://docs.search-guard.com/latest/active-directory-ldap-authentication#complete-authentication-example

  users:
    people:
      base: 'ou=people,dc=example,dc=com'
      search: '(uid={0})'
    other:
      base: 'ou=otherpeople,dc=example,dc=com'
      search: '(initials={0})'

This snippet defines two user bases and user searches. The “people” and “other” config keys are just telling names; you can choose anything here.


Sorry, I did not realize at first that you are using 5.6.14. With 5.x, it is not possible to define more than one userbase for a single LDAP authentication domain. The only way to implement this in 5.x is to define two LDAP authentication domains with two different user bases. The multi-base feature is only available in SG 24.1 for 6.x.


Hello jkressin!
Do you have any documentation or examples on how to implement multiple LDAP authentication domains with different bind_dn/passwords?

Thank you!
Thi

This is pretty straightforward:

  authc: #authentication with multiple ldaps
    auth_first_ldap:
      http_enabled: true
      transport_enabled: true
      order: 1
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        type: ldap
        config:
          ...
          bind_dn: binddn1
          ...
    auth_second_ldap:
      http_enabled: true
      transport_enabled: true
      order: 2
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        type: ldap
        config:
          ...
          bind_dn: binddn2
          ...
  authz: #authorization with multiple ldaps
    roles_from_first_ldap:
      http_enabled: true
      transport_enabled: true
      authorization_backend:
        type: ldap
        config:
          .....
          bind_dn: binddn1
          .....
    roles_from_second_ldap:
      http_enabled: true
      transport_enabled: true
      authorization_backend:
        type: ldap
        config:
          .....
          bind_dn: binddn2
          .....
    roles_from_third_ldap:
      http_enabled: true
      transport_enabled: true
      authorization_backend:
        type: ldap
        config:
          .....
          bind_dn: binddn3
          .....
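As an added example that is not part of the thread or of the Search Guard documentation, here is the 5.x workaround from the reply above written out as a complete sg_config.yml authc section for the two OUs from the question, with the elided settings filled in for an Active Directory backend; the domain controller host, the LDAPS port and the two bind accounts are assumed values:

```yaml
searchguard:
  dynamic:
    authc:
      ldap_admins:                          # domain 1: users under OU=Admins
        http_enabled: true
        transport_enabled: true
        order: 1                            # evaluated first
        http_authenticator:
          type: basic
          challenge: false                  # no 401 challenge yet; fall through to domain 2
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true                # LDAPS, so bind and user passwords never travel in clear
            verify_hostnames: true          # reject a DC whose certificate does not match the host
            hosts:
              - dc1.domain.local:636        # assumed domain controller and LDAPS port
            bind_dn: 'CN=svc-es-admins,OU=Service Accounts,DC=domain,DC=local'  # assumed read-only account
            password: '<bind-password-1>'   # placeholder; keep it out of version control
            userbase: 'OU=Admins,OU=Users,DC=domain,DC=local'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
      ldap_janitors:                        # domain 2: users under OU=Janitors
        http_enabled: true
        transport_enabled: true
        order: 2                            # only reached when domain 1 rejects the login
        http_authenticator:
          type: basic
          challenge: true                   # last domain in the chain sends the 401 challenge
        authentication_backend:
          type: ldap
          config:
            enable_ssl: true
            verify_hostnames: true
            hosts:
              - dc1.domain.local:636
            bind_dn: 'CN=svc-es-janitors,OU=Service Accounts,DC=domain,DC=local'  # assumed second account
            password: '<bind-password-2>'   # placeholder
            userbase: 'OU=Janitors,OU=Users,DC=domain,DC=local'
            usersearch: '(sAMAccountName={0})'
            username_attribute: sAMAccountName
```

Because each domain only searches its own userbase, an account outside OU=Admins and OU=Janitors cannot authenticate even with valid AD credentials; the authz section is built the same way, with one LDAP authorization domain per user base.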

Thank you so much for the fast reply.
Didn’t find this in the documentation.
Tested and works perfectly!

Have a good day!
Thi