Hi everyone,
I’m currently setting up Search Guard for a small cluster (3-node Elasticsearch 8.11.1) and integrating it with our corporate Active Directory for authentication and authorization. So far, basic LDAP integration is working well—I can authenticate users and assign static roles via the sg_roles_mapping.yml file.
However, we’re trying to scale this by leveraging nested groups within Active Directory to manage permissions more cleanly. The idea is to avoid listing every user individually in the mapping file and instead assign roles based on group membership (e.g., “SG_READ_ONLY” role tied to the “Analytics_ReadOnly” group, which itself contains other AD groups as members).
My question is: does Search Guard support nested group resolution out-of-the-box, or do I need to configure something specific in the authc or authz modules to make this work reliably?
Some details:
- Using ldap authc and ldap authz backend.
- Nested groups are used extensively in our AD structure.
- I have group_search defined in sg_config, and I’ve tried setting resolve_nested_groups: true (but not sure if it applies in this context).
- Search Guard version is 53.6.0, if that matters.
Would appreciate any insights or examples from those who have handled a similar setup, especially in contexts like RPA training in Chennai. If there’s a preferred way to debug group resolution (e.g., logs, curl queries to verify what groups are being picked up), that would also be helpful.
Thanks in advance!