How to support hierarchical ldap groups

Hi!

We are trying to configure our elastic cluster (6.6 with searchguard 6.6 installed) with our organization’s ldap server.
Each document in our cluster contains a field called “authorized”: a list with user/group names authorized to view the document.

Is it possible to create rules based on our ldap, so that each query will take into account the the clients user and check if it is contained in the authorized list? (contained means that it can appear there explicitly or that he is a member of group there).

Thanks!!

Yes, this is possible by leveraging Document Level Security (DLS) together with user attributes and variable substitution (\{user\.name\} and {user.roles}):

···

Am 17.03.2019 um 17:38 schrieb vostrodello15@gmail.com:

Hi!

We are trying to configure our elastic cluster (6.6 with searchguard 6.6 installed) with our organization's ldap server.
Each document in our cluster contains a field called "authorized": a list with user/group names authorized to view the document.

Is it possible to create rules based on our ldap, so that each query will take into account the the clients user and check if it is contained in the authorized list? (contained means that it can appear there explicitly or that he is a member of group there).

Thanks!!

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2e91812a-ad79-4d34-bdf6-a6c00f753e7d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I tried to use dls queries and could not configure them the right way.

For example if I have in my ldap a group named ‘my_group’ which contains the user ‘me’ in it,

and I have the doc:

{
authorized: [‘my_group’]

}

``

How would my dls and roles look like, so when ‘me’ will be able to get this document in a query? (but members who are not in ‘my_group’ won’t)

בתאריך יום ראשון, 17 במרץ 2019 בשעה 19:01:06 UTC+2, מאת Search Guard:

···

Yes, this is possible by leveraging Document Level Security (DLS) together with user attributes and variable substitution ({[user.name](http://user.name)} and {user.roles}):

https://docs.search-guard.com/latest/document-level-security#dynamic-queries-variable-substitution

Am 17.03.2019 um 17:38 schrieb vostro...@gmail.com:

Hi!

We are trying to configure our elastic cluster (6.6 with searchguard 6.6 installed) with our organization’s ldap server.

Each document in our cluster contains a field called “authorized”: a list with user/group names authorized to view the document.

Is it possible to create rules based on our ldap, so that each query will take into account the the clients user and check if it is contained in the authorized list? (contained means that it can appear there explicitly or that he is a member of group there).

Thanks!!


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2e91812a-ad79-4d34-bdf6-a6c00f753e7d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

What exactly did you tried so far?

···

On Sunday, 17 March 2019 19:26:56 UTC+1, vostrodello15@gmail.com wrote:

I tried to use dls queries and could not configure them the right way.

For example if I have in my ldap a group named ‘my_group’ which contains the user ‘me’ in it,

and I have the doc:

{
authorized: [‘my_group’]

}

``

How would my dls and roles look like, so when ‘me’ will be able to get this document in a query? (but members who are not in ‘my_group’ won’t)

בתאריך יום ראשון, 17 במרץ 2019 בשעה 19:01:06 UTC+2, מאת Search Guard:

Yes, this is possible by leveraging Document Level Security (DLS) together with user attributes and variable substitution ({[user.name](http://user.name)} and {user.roles}):

https://docs.search-guard.com/latest/document-level-security#dynamic-queries-variable-substitution

Am 17.03.2019 um 17:38 schrieb vostro...@gmail.com:

Hi!

We are trying to configure our elastic cluster (6.6 with searchguard 6.6 installed) with our organization’s ldap server.

Each document in our cluster contains a field called “authorized”: a list with user/group names authorized to view the document.

Is it possible to create rules based on our ldap, so that each query will take into account the the clients user and check if it is contained in the authorized list? (contained means that it can appear there explicitly or that he is a member of group there).

Thanks!!


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/2e91812a-ad79-4d34-bdf6-a6c00f753e7d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.