Using Multiple LDAP Rolebases

Doug_Renze · May 15, 2019, 4:36pm

I have a quick question regarding using multiple LDAP rolebases.

In the documentation, it indicates that:

Since Search Guard v24 you can alternatively configure multiple role bases (this combines and replaces the rolesearch and rolebase attribute).

It goes on to give an example, using two roles, labelled:

roles:
  normalroles:
    base: 'ou=groups,dc=example,dc=com'
    search: '(uniqueMember={0})'
  other:
    base: 'ou=othergroups,dc=example,dc=com'
    search: '(owner={0})'

My question is: Is this limited to only the use of two rolebases? I.e., are the normalroles and other values hardcoded, or can others be added, as in:

roles:
  primary-rolebase:
    ...
    
  secondary-rolebase:
    ...
    
  tertiary-rolebase:
    ...

jkressin · May 15, 2019, 4:56pm

You can add in as many as you want But keep in mind that adding a lot of user- and role-bases might affect the overall performance of the LDAP authentication. We leverage caching, so the performance impact should not be huge, just a thing to keep in mind.

Doug_Renze · May 16, 2019, 5:51pm

So in other words, the, the names for the rolebase categories (normalroles v. other) can be chosen arbitrarily.

Thanks.

jkressin · May 16, 2019, 6:34pm

Yes, you can choose the names freely. Will make that more obvious in the documentation.

system · June 6, 2019, 6:34pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Are multiple LDAP userbases possible? Search Guard	5	1226	May 3, 2019
Ldap backend roles Search Guard	4	698	July 6, 2020
Ldap Authorization failure Search Guard	8	331	July 17, 2017
LDAP Roles not mapping correctly Search Guard	2	574	September 27, 2016
LDAP Referrals Breaks Searchguard Search Guard	1	358	March 26, 2016

Using Multiple LDAP Rolebases

Related Topics