LDAP auth and groups

Thanks for the tip! I feel like I'm pretty close; it's just finding the right LDAP filter for our setup. We have a mixture of POSIX and non-POSIX groups, so I need a filter that will pull them all.

I'm using the latest version of Shield and ES 1.6. We're not using OpenLDAP, although it appears to be mostly/fully OpenLDAP compatible, and I'm unsure of what version the LDAP server is running. It does not seem to permit memberUid as a query, though. For example, this query yields no results:

ldapsearch -x -H ldaps://auth.company.com:636 "(&(cn=*)(memberUid=keekz))"

This query "works" in that it lists all the groups my user belongs to; however, it lists all uniqueMembers of all the groups:

ldapsearch -x -H ldaps://auth.company.com:636 "(&(cn=*)(uniqueMember=cn=keekz,ou=Users,o=company))"

(snippet of one of the group outputs from the above query)

# vpn, Groups, company
dn: cn=vpn,ou=Groups,o=company
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
uniqueMember: cn=usera,ou=Users,o=company
uniqueMember: cn=userb,ou=Users,o=company
uniqueMember: cn=userc,ou=Users,o=company
uniqueMember: cn=userd,ou=Users,o=company
uniqueMember: cn=keekz,ou=Users,o=company
cn: vpn

This ldapsearch query works to pull the groups for my user:

ldapsearch -xLLL -H ldaps://auth.company.com:636/ -b "o=company" "uid=keekz" groupMembership

Output:

dn: cn=keekz,ou=Users,o=company
groupMembership: cn=global,ou=Groups,o=company
groupMembership: cn=analytics,ou=Groups,o=company
groupMembership: cn=lnx-engineers,ou=POSIXGroups,o=company
groupMembership: cn=lnx-ops,ou=POSIXGroups,o=company
groupMembership: cn=vpn,ou=Groups,o=company
groupMembership: cn=github,ou=Groups,o=company

(and many other groups!)

I've been stuck on converting this to something that ES is able to use... but I'm so close! =P
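
Added example (not part of the original post, and not Shield's own code): a small POSIX shell helper that builds a single group filter covering both the uniqueMember and memberUid membership styles, escapes the user-derived values per RFC 4515 so a login name cannot change the filter's structure, and trims the result to group names. The function names and the sample LDIF are constructed for illustration; the DN, host and base come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the later escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build one filter that matches either membership style.
#   $1 = user's full DN (compared against uniqueMember)
#   $2 = user's uid     (compared against memberUid)
group_filter() {
    esc_dn=$(ldap_escape "$1")
    esc_uid=$(ldap_escape "$2")
    printf '(|(uniqueMember=%s)(memberUid=%s))' "$esc_dn" "$esc_uid"
}

# Reduce "ldapsearch -LLL" output on stdin to one group cn per line.
# Assumes plain "dn: cn=...," lines (not base64 "dn::" or folded lines).
group_names_from_ldif() {
    sed -n 's/^dn: cn=\([^,]*\),.*/\1/p'
}

# Constructed sample of what a DN-only search returns (values from the post).
sample_ldif() {
    cat <<'EOF'
dn: cn=vpn,ou=Groups,o=company

dn: cn=lnx-ops,ou=POSIXGroups,o=company

EOF
}

FILTER=$(group_filter 'cn=keekz,ou=Users,o=company' 'keekz')
# Requesting attribute "1.1" asks the server for no attributes, so only the
# group DNs come back instead of every uniqueMember of every group.
echo "ldapsearch -xLLL -H ldaps://auth.company.com:636 -b 'o=company' '$FILTER' 1.1"
sample_ldif | group_names_from_ldif
```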