Use group cn in LDAP role mapping


#1

I can use the group dn in LDAP role mapping, but I would like to use the group cn instead, from a maintainability perspective. In my LDAP setup the group dn contains a unique id while the group cn is a human-oriented name.

I have the following LDAP setup:

Users (o=users,dc=example,dc=com)
- user 1
    dn: guid=u111,o=users,dc=example,dc=com
    cn: user1
- user 2
    dn: guid=u222,o=users,dc=example,dc=com
    cn: user2

Groups (o=groups,dc=example,dc=com)
- admin group
    dn: guid=g111,o=groups,dc=example,dc=com
    cn: admin
    uniqueMember: guid=u111,o=users,dc=example,dc=com
    uniqueMember: guid=u222,o=users,dc=example,dc=com
    uniqueMember: guid=u333,o=users,dc=example,dc=com

- readonly group
    dn: guid=g222,o=groups,dc=example,dc=com
    cn: readonly
    uniqueMember: guid=u444,o=users,dc=example,dc=com

X-Pack settings:

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: ...
          bind_dn: ...
          bind_password: ...
          user_search:
            base_dn: "o=users,dc=example,dc=com"
            attribute: cn
          group_search:
            base_dn: "o=groups,dc=example,dc=com"
            filter: "uniqueMember={0}"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

Role mapping settings:

admin:
  - "guid=g111,o=groups,dc=example,dc=com"

The above config works, but I would like to use the group name (cn), something like:

  - "cn=admin,o=groups,dc=example,dc=com"

Is it possible? With such an LDAP setup I can use the group cn, e.g. in Splunk or Spring Ldap Security.


(Tim Vernum) #2

No, it is not possible. Group role mapping can only use the Distinguished Name.
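Added illustration, not part of the thread and not Elasticsearch's own code: since role_mapping.yml only accepts group DNs, one way to keep the human-oriented cn as the maintained source is to generate the DN-based file from a cn list, refusing any cn that is unknown or matches more than one group (an ambiguous cn is exactly what makes mapping by name unsafe, which is why the DN is the safer key). The LDIF text is constructed from the question's group entries, and the role-to-cn table, the "viewer" role and all function names are assumptions made for the example; Python standard library only.

```python
import re

# Group entries constructed from the question; a real run would fetch them
# with an LDAP search under o=groups,dc=example,dc=com instead.
GROUP_LDIF = """\
dn: guid=g111,o=groups,dc=example,dc=com
cn: admin
uniqueMember: guid=u111,o=users,dc=example,dc=com

dn: guid=g222,o=groups,dc=example,dc=com
cn: readonly
uniqueMember: guid=u444,o=users,dc=example,dc=com
"""

# Assumed human-oriented source of truth kept in version control: role -> cn list.
ROLE_TO_CN = {"admin": ["admin"], "viewer": ["readonly"]}

def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def build_role_mapping(role_to_cn, entries):
    """Resolve each cn to exactly one DN (cn is case-insensitive in LDAP, so
    compare lower-cased); reject unknown or ambiguous names instead of guessing."""
    index = {}
    for e in entries:
        for cn in e.get("cn", []):
            index.setdefault(cn.lower(), []).extend(e["dn"])
    mapping = {}
    for role, cns in role_to_cn.items():
        dns = []
        for cn in cns:
            hits = index.get(cn.lower(), [])
            if len(hits) != 1:
                raise ValueError(f"cn={cn!r} for role {role!r} matched {len(hits)} groups")
            dns.extend(hits)
        mapping[role] = dns
    return mapping

def to_yaml(mapping):
    """Emit the role_mapping.yml layout from the question: role, then quoted DNs."""
    return "".join(f"{role}:\n" + "".join(f'  - "{dn}"\n' for dn in dns)
                   for role, dns in mapping.items())
```

Running `to_yaml(build_role_mapping(ROLE_TO_CN, parse_ldif(GROUP_LDIF)))` yields the DN-keyed file the realm expects, and a duplicated or missing cn in the directory fails the build rather than silently granting a role to the wrong group.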
