Is it possible to use an LDAP operational attribute for backend role discovery?

I'm using Search Guard Bundle 5.6.2-16 and trying to configure backend roles. My LDAP structure uses isMemberOf as an operational attribute which has to be explicitly called; it is not returned by default when searching for the user record. For example:

    ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)"

does not return isMemberOf, but

    ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" isMemberOf

returns a list of groups 'someuser' is a member of.

Looking over the logs, it looks like SearchGuard first queries the full record of the user and looks for the isMemberOf attribute to be returned. I cannot figure out a way to configure Search Guard to pass in the attribute. Is this possible?

Here's the relevant config snippet:

    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - "XXX.XXX.com"
            bind_dn: null
            password: null
            rolebase: "o=XXX.com,o=email"
            rolesearch: "(uid={1})"
            userroleattribute: "isMemberOf"
            userrolename: "isMemberOf"
            rolename: "dn"
            resolve_nested_roles: false
            userbase: "ou=People,o=XXX.com,o=email"
            usersearch: "(uid={0})"

Can you check this snapshot? I enabled all operational attributes.

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.6-11-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.6-11-20171028.193303-1-jar-with-dependencies.jar

On 27.10.2017 at 22:45, Michael Evans <mike_e@rtzassociates.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cc4bba4f-bee2-46bd-8b02-590055e431fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Didn't work.

I tried the same thing from the command line and for some reason our server returns just the DN:

    $ ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" "*, +"
    dn: uid=someuser,ou=People , o=XXX.com , o=email

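As an added example, not code from the thread or from Search Guard, the following Python models the RFC 4511 attribute-selection rules against a constructed directory entry: a user lookup that names no attributes receives only user attributes, naming isMemberOf (or "+") returns the operational attribute, and "*, +" passed as a single quoted argument is one attribute description that the server does not recognise, so only the DN comes back, which is the output shown above. The entry contents, and the assumption that a server silently ignores unknown attribute descriptions, are constructed for the example.

```python
"""Model of LDAP attribute selection (RFC 4511 sec. 4.5.1.8, RFC 3673 "+")
and of the role lookup the thread's config performs. Constructed example,
not Search Guard or directory-server code."""

ENTRY_DN = "uid=someuser,ou=People,o=XXX.com,o=email"

# Constructed user entry: ordinary user attributes...
USER_ATTRS = {
    "uid": ["someuser"],
    "cn": ["Some User"],
    "objectClass": ["inetOrgPerson"],
}
# ...and operational attributes, which a server returns only on request.
OPERATIONAL_ATTRS = {
    "isMemberOf": ["cn=admins,o=XXX.com,o=email", "cn=readers,o=XXX.com,o=email"],
    "createTimestamp": ["20171027224500Z"],
}


def select_attributes(requested, user=USER_ATTRS, operational=OPERATIONAL_ATTRS):
    """Attributes a compliant server returns for the given attribute list.

    `requested` holds the attribute descriptions exactly as the client sent
    them, one per element. An empty list and "*" both mean all user
    attributes, "+" means all operational attributes, anything else is
    matched by name (case-insensitive). Assumption: descriptions the server
    does not recognise are ignored, so "*, +" sent as ONE argument selects
    nothing and only the DN is returned.
    """
    if not requested:
        return dict(user)
    by_name = {k.lower(): (k, v) for k, v in {**user, **operational}.items()}
    result = {}
    for desc in requested:
        if desc == "*":
            result.update(user)
        elif desc == "+":
            result.update(operational)
        elif desc.strip().lower() in by_name:
            name, values = by_name[desc.strip().lower()]
            result[name] = values
    return result


def to_ldif(dn, attrs):
    """Render the result the way `ldapsearch -LLL` prints it."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines)


def roles_from_user_entry(requested, userroleattribute="isMemberOf", rolename="dn"):
    """Role names taken from the user entry, as the thread's config intends.

    With rolename "dn" each value is used whole; with another name (e.g. "cn")
    the matching leading RDN of each value is extracted.
    """
    values = select_attributes(requested).get(userroleattribute, [])
    if rolename.lower() == "dn":
        return list(values)
    roles = []
    for dn in values:
        attr, _, val = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == rolename.lower():
            roles.append(val.strip())
    return roles
```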

What is the product name, vendor and version of your LDAP server?


I don't have admin access to the server. This is what I get from ldapsearch:

    ldapsearch -x -H "ldaps://XXX.XXX.com" -s base -b "" "objectclass=*" vendorname vendorversion *
    dn:
    vendorname: Oracle Corporation
    vendorversion: Sun-Directory-Server/11.1.1.7.3


tracked here https://github.com/floragunncom/search-guard-authbackend-ldap/issues/7
will go into this soon, please stay tuned


We have something now and need help to test it. Anyone interested in helping us test operational attributes?
