Ldap backend roles

Hi guys , lately i’ve bee using sg security and i configured the ldap and it works fine but my problem is the backend roles of the ldap users !! it gives own_index role to every user


how can i change the roles and is there a way to use created backend roles(prdefined or created) not the one gathered from ldap server.

thanks in advance.

Hi @HeiDri

If you use LDAP, the preferable way would be to configure user roles on the LDAP server according to your requirements. Then configure LDAP authentication and authorization in Search Guard. And Search Guard fetches the roles from the LDAP server.

Also, you can map LDAP roles to the Search Guard roles. There are three options.

The first option. You can map the LDAP users and roles to a Search Guard role. Thus you can have additional permissions or restrictions configured in the Search Guard role.

The second option. You can map the LDAP roles to Search Guard roles directly without roles mapping First, setup the BACKENDROLES_ONLY mode for the roles mapping:

elasticsearch.yml

searchguard.roles_mapping_resolution: BACKENDROLES_ONLY

Second, configure the Search Guard role:

sg_roles.yml

ldap_finance:
  cluster_permissions:
    - CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    ...

The name of the role must be equal to the name of the LDAP role.

The third option. It is a mix of the two previous options. First, setup the BOTH mode for the roles mapping:

elasticsearch.yml

searchguard.roles_mapping_resolution: BOTH

Then you need to configure a Search Guard role with a name that equals an LDAP role name. And you configure another Search Guard role, for example, you can set the final permissions there.

Lastly, you configure the roles mapping where you map the two roles you created:

sg_roles_mapping.yml

sg_finance:
  backend_roles:
    - ldap_finance

1 Like

hi @srgbnd , thank you for your reply , i was wondering how can i get the LDAP role name of the user , because i’m working on a distant ldap server which i’m not administrating , so any advice on how can i get ldap role name so i can create search guard role with th same name .

thanks in advance.

how can i get the LDAP role name of the user

I see a couple of options:

  1. Search for the user using ldapsearch, for example
ldapsearch --port 1389 --baseDN dc=example,dc=com  "(cn=Frank Albers)" 
  1. Ask the LDAP administrator if you don’t have access to the LDAP.