I’m using Search Guard Bundle 5.6.2-16 and trying to configure backend roles. My LDAP structure uses isMemberOf as an operational attribute, which has to be explicitly called; it is not returned by default when searching for the user record. For example:
ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)"
does not return isMemberOf, but
ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" isMemberOf
returns a list of groups 'someuser' is a member of.
Looking over the logs, it looks like Search Guard first queries the full record of the user and then looks for the isMemberOf attribute to be returned. I cannot figure out a way to configure Search Guard to pass in the attribute. Is this possible?
Here’s the relevant config snippet:
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
          - "XXX.XXX.com"
        bind_dn: null
        password: null
        rolebase: "o=XXX.com,o=email"
        rolesearch: "(uid={1})"
        userroleattribute: "isMemberOf"
        userrolename: "isMemberOf"
        rolename: "dn"
        resolve_nested_roles: false
        userbase: "ou=People,o=XXX.com,o=email"
        usersearch: "(uid={0})"
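To make the behaviour described in this post concrete, here is an added example in Python (not Search Guard's code or the Sun DS server's) that parses ldapsearch-style LDIF and resolves backend roles the way the config above does: when isMemberOf is absent from the user entry there are no roles to resolve, and when it is requested each group DN becomes a role name (rolename "dn") or its cn (rolename "cn"). The LDIF, group names and DNs are constructed samples.

```python
# Added example, not Search Guard code: parse ldapsearch LDIF output and
# resolve backend roles as the thread's config does (isMemberOf, rolename dn).
import base64
from typing import Dict, List

# Constructed: plain user search, which omits operational attributes.
LDIF_WITHOUT_OPERATIONAL = """\
dn: uid=someuser,ou=People,o=XXX.com,o=email
uid: someuser
"""
# Constructed: same search with isMemberOf requested explicitly (ldapsearch takes
# each attribute as its own argument; '+' requests all operational attributes,
# RFC 3673). Includes a folded continuation line and a base64 ('::') value.
LDIF_WITH_ISMEMBEROF = """\
dn: uid=someuser,ou=People,o=XXX.com,o=email
uid: someuser
isMemberOf: cn=kibana-users,ou=Groups,o=XXX.com,o=email
isMemberOf: cn=log-readers,ou=Groups,o=XXX.com,
 o=email
isMemberOf:: Y249YWRtaW5zLG91PUdyb3VwcyxvPVhYWC5jb20sbz1lbWFpbA==
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {attribute (lower-cased): [values]}; unfolds
    continuation lines (leading space) and decodes '::' base64 values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry

def backend_roles(entry: Dict[str, List[str]], userroleattribute: str = "isMemberOf",
                  rolename: str = "dn") -> List[str]:
    """Roles come from the user's attribute, as in the thread's authz config.
    rolename 'dn' keeps the whole DN; any other value picks the values of that
    RDN type (e.g. 'cn') from each DN (simple comma split, no escaped commas)."""
    if userroleattribute.lower() not in entry:
        # The thread's failure mode: the operational attribute was never
        # returned, so the user would silently resolve to no backend roles.
        raise LookupError(f"{userroleattribute} not returned; request it "
                          "explicitly or ask for '+' (all operational attrs)")
    roles: List[str] = []
    for dn in entry[userroleattribute.lower()]:
        if rolename == "dn":
            roles.append(dn)
        else:
            rdns = [r.strip().partition("=") for r in dn.split(",")]
            roles.extend(v for a, _, v in rdns if a.lower() == rolename.lower())
    return roles
```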
Can you check this snapshot? I enabled all operational attributes.
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.6-11-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.6-11-20171028.193303-1-jar-with-dependencies.jar
On 27.10.2017 at 22:45, Michael Evans <mike_e@rtzassociates.com> wrote:
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cc4bba4f-bee2-46bd-8b02-590055e431fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Didn’t work.
I tried the same thing from the command line and for some reason our server returns just the DN:
$ ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" "*, +"
dn: uid=someuser,ou=People , o=XXX.com , o=email
On Saturday, October 28, 2017 at 12:34:22 PM UTC-7, Search Guard wrote:
Can you check this snapshot? I enabled all operational attributes.
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.6-11-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.6-11-20171028.193303-1-jar-with-dependencies.jar
What is the product name, vendor and version of your LDAP server?
On 03.11.2017 at 18:30, Michael Evans <mike_e@rtzassociates.com> wrote:
Didn't work.
I tried the same thing from the command line and for some reason our server returns just the DN:
$ ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" "*, +"
dn: uid=someuser,ou=People , o=XXX.com , o=email
I don't have admin access to the server. This is what I get from ldapsearch -x -H "ldaps://XXX.XXX.com" -s base -b "" "objectclass=*" vendorname vendorversion *
dn:
vendorname: Oracle Corporation
vendorversion: Sun-Directory-Server/11.1.1.7.3
On Friday, November 3, 2017 at 12:42:45 PM UTC-7, Search Guard wrote:
What is the product name, vendor and version of your LDAP server?
tracked here: https://github.com/floragunncom/search-guard-authbackend-ldap/issues/7 (Support operational attributes · Issue #7 · floragunncom/search-guard-authbackend-ldap)
will go into this soon, pls stay tuned
On Friday, 10 November 2017 23:15:45 UTC+1, Michael Evans wrote:
I don't have admin access to the server. This is what I get from ldapsearch -x -H "ldaps://XXX.XXX.com" -s base -b "" "objectclass=*" vendorname vendorversion *
dn:
vendorname: Oracle Corporation
vendorversion: Sun-Directory-Server/11.1.1.7.3
we have something now and need help to test it. Anyone interested in helping us to test operational attributes?
On Monday, 4 December 2017 20:52:17 UTC+1, Search Guard wrote:
tracked here https://github.com/floragunncom/search-guard-authbackend-ldap/issues/7
will go into this soon, pls stay tuned