Use group cn in LDAP role mapping

I can use the group dn in LDAP role mapping, but I would like to use the group cn instead, from a maintainability perspective. In my LDAP setup the group dn contains a unique id while the group cn is a human-oriented name.

I have following LDAP setup:

Users (o=users,dc=example,dc=com)
- user 1
    dn: guid=u111,o=users,dc=example,dc=com
    cn: user1
- user 2
    dn: guid=u222,o=users,dc=example,dc=com
    cn: user2

Groups (o=groups,dc=example,dc=com)
- admin group
    dn: guid=g111,o=groups,dc=example,dc=com
    cn: admin
    uniqueMember: guid=u111,o=users,dc=example,dc=com
    uniqueMember: guid=u222,o=users,dc=example,dc=com
    uniqueMember: guid=u333,o=users,dc=example,dc=com

- readonly group
    dn: guid=g222,o=groups,dc=example,dc=com
    cn: readonly
    uniqueMember: guid=u444,o=users,dc=example,dc=com

X-Pack settings:

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: ...
          bind_dn: ...
          bind_password: ...
          user_search:
            base_dn: "o=users,dc=example,dc=com"
            attribute: cn
          group_search:
            base_dn: "o=groups,dc=example,dc=com"
            filter: "uniqueMember={0}"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false

Role mapping settings:

admin:
  - "guid=g111,o=groups,dc=example,dc=com"

The above config works, but I would like to use the group name (cn), something like:

  - "cn=admin,o=groups,dc=example,dc=com"

Is it possible? With such LDAP setup I can use group cn e.g. in Splunk or Spring Ldap Security.

No, it is not possible. Group role mapping can only use the Distinguished Name.
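To make the DN-only rule concrete, here is an added Python example (not code from this thread and not X-Pack's own code) that simulates the realm's lookup over the entries listed in the question, held as constructed in-memory data: user_search by cn under the users base, group_search with the uniqueMember={0} filter, and role resolution by exact match on the group DN. It also shows the maintainability workaround: resolve each group's cn to its DN once, refuse ambiguous matches since a cn is not guaranteed unique while a DN is, and generate role_mapping.yml from the resolved DNs. The function names (search, roles_for_user, group_cn_to_dn, build_role_mapping) and the DIRECTORY dictionary are assumptions of this example.

```python
"""Simulate the X-Pack LDAP realm flow from the question with an in-memory directory."""

# Constructed in-memory directory: the exact entries from the question.
# Keys are DNs, values are attribute -> list of values.
DIRECTORY = {
    "guid=u111,o=users,dc=example,dc=com": {"cn": ["user1"]},
    "guid=u222,o=users,dc=example,dc=com": {"cn": ["user2"]},
    "guid=g111,o=groups,dc=example,dc=com": {
        "cn": ["admin"],
        "uniqueMember": [
            "guid=u111,o=users,dc=example,dc=com",
            "guid=u222,o=users,dc=example,dc=com",
            "guid=u333,o=users,dc=example,dc=com",
        ],
    },
    "guid=g222,o=groups,dc=example,dc=com": {
        "cn": ["readonly"],
        "uniqueMember": ["guid=u444,o=users,dc=example,dc=com"],
    },
}

# Values taken from the realm settings in the question.
USER_BASE = "o=users,dc=example,dc=com"
USER_ATTRIBUTE = "cn"
GROUP_BASE = "o=groups,dc=example,dc=com"
GROUP_FILTER = "uniqueMember={0}"

# role_mapping.yml as it must be written: role -> list of group DNs, never cn.
ROLE_MAPPING = {"admin": ["guid=g111,o=groups,dc=example,dc=com"]}


def search(base_dn, attr, value):
    """Return DNs under base_dn whose attribute `attr` contains `value` exactly."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and value in attrs.get(attr, [])]


def find_user_dn(username):
    """user_search: look the login name up by USER_ATTRIBUTE under USER_BASE.

    Exactly one hit is required; zero or several means authentication fails."""
    hits = search(USER_BASE, USER_ATTRIBUTE, username)
    return hits[0] if len(hits) == 1 else None


def find_group_dns(user_dn):
    """group_search: apply GROUP_FILTER with {0} substituted by the user's DN.

    The filter in the question is a single attribute=value term, so we split it."""
    attr, _, template = GROUP_FILTER.partition("=")
    return search(GROUP_BASE, attr, template.format(user_dn))


def roles_for_user(username, role_mapping=ROLE_MAPPING):
    """A role applies when one of its mapped DNs equals one of the user's group DNs."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return []
    groups = set(find_group_dns(user_dn))
    return sorted(role for role, dns in role_mapping.items() if groups & set(dns))


def group_cn_to_dn(cn):
    """Resolve a human-readable group cn to the DN that role_mapping.yml needs.

    Refuses ambiguous results: two groups may share a cn, but never a DN."""
    hits = search(GROUP_BASE, "cn", cn)
    if len(hits) != 1:
        raise LookupError(f"cn={cn!r} matched {len(hits)} groups under {GROUP_BASE}")
    return hits[0]


def build_role_mapping(roles_by_cn):
    """Render role_mapping.yml text from a cn-keyed spec such as {'admin': ['admin']}."""
    lines = []
    for role, cns in roles_by_cn.items():
        lines.append(f"{role}:")
        lines.extend(f'  - "{group_cn_to_dn(cn)}"' for cn in cns)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(roles_for_user("user1"))                      # ['admin']
    print(build_role_mapping({"admin": ["admin"], "viewer": ["readonly"]}))
```

The generated file is what you keep under version control alongside the cn-keyed spec; regenerate it whenever a group is recreated under a new guid, and let the ambiguity check fail the build rather than silently mapping a role to the wrong group.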
