Group_dn_templates

Hi,

In the LDAP realm is there an equivalent version of user_dn_templates that works for group search? (other than group_search)

From https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-ldap-realm.html

Cheers

No, not really. user_dn_templates is useful as there is a very common case where all users are under the same OrganizationalUnit in LDAP and as such their DN has a very predictable and static relation to the uid they are used to enter in the login forms. This is not the case for groups.

Maybe if you explain what you want to achieve, we could offer some possible solutions.

Thanks for the speedy reply,
Like with users all of our groups lie under the same Organization unit, so I was hoping by having a more specific search in the yml we could avoid having to define the whole group path when creating role mappings and just give the group name, much like we do with users.

I see. So this is not about group search per se, but more about group name resolution when it comes to role mapping.

If I get this right, you have
cn=group1,ou=groups,dc=company,dc=com
cn=group2,ou=groups,dc=company,dc=com
...
cn=group100,ou=groups,dc=company,dc=com

and you would like to set role mappings like

POST /_xpack/security/role_mapping/mapping1
{
  "roles": [ "user"],
  "enabled": true, 
  "rules": {
    "field" : { "groups" : "group1" }
  },
  "metadata" : { 
    "version" : 1
  }
}

or file based like

admin:
  - "group100"

instead of

POST /_xpack/security/role_mapping/mapping1
{
  "roles": [ "user"],
  "enabled": true, 
  "rules": {
    "field" : { "groups" : "cn=group1,ou=groups,dc=company,dc=com" }
  },
  "metadata" : { 
    "version" : 1
  }
}

or

admin:
  - "cn=group100,ou=groups,dc=company,dc=com"

There is unfortunately no setting/option that can help you with this at this time.
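Since no group_dn_templates setting exists, the full group DNs can be generated offline from short names before writing role mappings. The following is an added example, not code from the thread or from Elasticsearch; the template string, group names and role names are constructed assumptions, and it escapes special characters in the RDN value per RFC 4514 so that a group name such as "Sales, EMEA" produces a well-formed DN.

```python
# Added example (not from the original thread): expand short LDAP group names
# into full DNs for Elasticsearch role mappings, mirroring the {0} placeholder
# convention of user_dn_templates. Template and names are constructed.
import json

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' is special
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":                   # NUL must be hex-escaped
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def group_dn(template: str, name: str) -> str:
    """Apply a user_dn_templates-style template ({0}) to a short group name."""
    return template.replace("{0}", escape_rdn_value(name))


def expand_file_mapping(template: str, mapping: dict) -> dict:
    """Build a role_mapping.yml-style {role: [full group DN, ...]} dict."""
    return {role: [group_dn(template, g) for g in groups] for role, groups in mapping.items()}


def api_mapping_body(template: str, roles: list, group: str) -> dict:
    """Body for POST /_xpack/security/role_mapping/<name> matching one group DN."""
    return {"roles": list(roles), "enabled": True,
            "rules": {"field": {"groups": group_dn(template, group)}},
            "metadata": {"version": 1}}


GROUP_DN_TEMPLATE = "cn={0},ou=groups,dc=company,dc=com"  # constructed assumption

if __name__ == "__main__":
    print(json.dumps(api_mapping_body(GROUP_DN_TEMPLATE, ["user"], "group1"), indent=2))
    for role, dns in expand_file_mapping(GROUP_DN_TEMPLATE, {"admin": ["group100", "Sales, EMEA"]}).items():
        print(f"{role}:")
        for dn in dns:
            print(f'  - "{dn}"')
```

Before relying on a generated DN, compare it with the DN the directory actually returns for that group (for example from an ldapsearch of the group entry), since the role mapping only matches when the strings agree.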

Yeah this is exactly what I was thinking. No worries, thanks for the clarification :smiley:
