Ldap Authentication not working for multiple groups

I am using the following property (indentation restored; the original post had the YAML whitespace stripped):

```yaml
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 1
          url: "ldaps://abc.example.com:1111"
          ssl.verification_mode: none
          user_dn_templates:
            - "CN={0}, OU=xx, DC=xx, DC=xx, DC=xx"
          group_search.base_dn: "CN=group1,DC=xx, DC=xx, DC=xx"
          files:
            role_mapping: "config/role_mapping.yml"
          #unmapped_groups_as_roles: false
        ldap2:
          type: ldap
          order: 0
          url: "ldaps://abc.example.com:1111"
          ssl.verification_mode: none
          user_dn_templates:
            - "CN={0}, OU=xx, DC=xx, DC=xx, DC=xx"
          group_search.base_dn: "CN=group2,DC=xx, DC=xx, DC=xx"
          files:
            role_mapping: "config/role_mapping.yml"
          unmapped_groups_as_roles: false
```

The user gets validated only by the group which is set as order 0. If the user belongs to order 1, then the authentication goes through, but the user role is not getting assigned.

Can you please format your config as a code block (the </> button, or surround the block with "```")

Yaml is whitespace sensitive, so it's impossible for us to reliably validate your configuration if the spacing has been stripped.

The behaviour you are seeing is totally expected.

The realms are tried in order, and authentication is complete when one realm succeeds.
From the docs:

> During the authentication process, X-Pack security will consult and try to authenticate the request one realm at a time. Once one of the realms successfully authenticates the request, the authentication is considered to be successful and the authenticated user will be associated with the request (which will then proceed to the authorization phase). If a realm cannot authenticate the request, the next in line realm in the chain will be consulted.

Since your 2 realms are using the same authentication source (same LDAP server, with the same DN templates), it is not possible for one of them to fail and the other succeed.

It seems like you are simply trying to match multiple groups, but you do not do that by having multiple realms; you simply need to configure a single realm that retrieves all groups for the user.

You probably want to do something like:

    group_search.base_dn: "DC=xx, DC=xx, DC=xx"
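A complete single-realm configuration along the lines of the reply above, added here as an illustrative example and not taken from the original thread. The realm name, hostname, DNs, role names and certificate path are placeholders. Because the original config sets `unmapped_groups_as_roles: false`, group membership only turns into roles through the role-mapping file, so the matching `role_mapping.yml` is shown as well (role name as the key, list of group DNs as the value). The example also replaces `ssl.verification_mode: none`, which disables certificate checking on the LDAPS connection and leaves credentials exposed to an in-path server impersonating the directory, with `full` plus a CA bundle, which is what a production realm should use.

```yaml
# elasticsearch.yml (6.x-style realm layout, matching the original post)
xpack:
  security:
    authc:
      realms:
        ldap1:                                   # single realm covering all groups
          type: ldap
          order: 0
          url: "ldaps://abc.example.com:1111"
          # Verify the directory server's certificate instead of trusting anything.
          # Path below is an assumed placeholder for the CA that signed the LDAP cert.
          ssl.verification_mode: full
          ssl.certificate_authorities: [ "config/certs/ldap-ca.crt" ]
          user_dn_templates:
            - "CN={0}, OU=xx, DC=xx, DC=xx, DC=xx"
          # Search the whole domain so every group the user belongs to is found,
          # rather than a base DN pinned to one specific group.
          group_search.base_dn: "DC=xx, DC=xx, DC=xx"
          group_search.scope: sub_tree
          # Groups only become roles via the mapping file, never by name alone.
          unmapped_groups_as_roles: false
          files:
            role_mapping: "config/role_mapping.yml"

# config/role_mapping.yml (role name -> list of group DNs; placeholder values)
# group1 members get the "group1_role" role, group2 members get "group2_role";
# a user in both groups receives both roles from the same authentication.
group1_role:
  - "CN=group1,DC=xx,DC=xx,DC=xx"
group2_role:
  - "CN=group2,DC=xx,DC=xx,DC=xx"
```

With this layout a user is authenticated once, the realm's group search returns every group under the domain base DN, and the role-mapping file decides which of those groups translate into roles. Widening `group_search.base_dn` is safe here precisely because `unmapped_groups_as_roles` stays `false`: membership in an unrelated group grants nothing unless it is listed in the mapping.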

Thanks for the update, it worked. That was a silly mistake :slight_smile:
