Using Multiple LDAP Rolebases

#1

I have a quick question regarding using multiple LDAP rolebases.

In the documentation, it indicates that:

Since Search Guard v24 you can alternatively configure multiple role bases (this combines and replaces the rolesearch and rolebase attribute).

It goes on to give an example, using two roles, labelled:

roles:
  normalroles:
    base: 'ou=groups,dc=example,dc=com'
    search: '(uniqueMember={0})'
  other:
    base: 'ou=othergroups,dc=example,dc=com'
    search: '(owner={0})'

My question is: Is this limited to only the use of two rolebases? I.e., are the normalroles and other values hardcoded, or can others be added, as in:

roles:
  primary-rolebase:
    ...
    
  secondary-rolebase:
    ...
    
  tertiary-rolebase:
    ...

#2

You can add in as many as you want :) But keep in mind that adding a lot of user- and role-bases might affect the overall performance of the LDAP authentication. We leverage caching, so the performance impact should not be huge, just a thing to keep in mind.

#3

assigned jkressin

#4

So in other words, the names for the rolebase categories (normalroles v. other) can be chosen arbitrarily.

Thanks.

#5

Yes, you can choose the names freely. Will make that more obvious in the documentation.