Attributes From LDAP Authorization

Hello everybody,

The current situation is this: we have installed OpenDistro 1.4.0, both the Elasticsearch part and the Kibana part. We have correctly set up authentication with Keycloak, which works correctly, and we receive all the data we need in the JWT.

Some data, however, we have stored in LDAP, and to use it we have inserted the LDAP part in AUTHZ, since the guide specifies that:

By default, the Security plugin reads all LDAP user attributes and makes them available for index name variable substitution and DLS query variable substitution. If your LDAP entries have a lot of attributes, you might want to control which attributes should be made available. The fewer the attributes, the better the performance.

The problem is that the role fields arrive correctly, but the attributes do not. If I map the attributes onto roles I can see them correctly, but I can't see the various attr.ldap values when we call, for example, from the Kibana console:

GET _opendistro/_security/api/account

Do you have any idea why the attributes aren't coming through when authorizing via LDAP?

The current configuration is as follows:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      openid_auth_domain:
        description: "Authenticate via Keycloak"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
        config:
          subject_key: "preferred_username"
          roles_key: "roles"
          openid_connect_url: "keycloakUrl"
        authentication_backend:
          type: "noop"
    authz:
      organizationsFromldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "192.168.0.77:389"
            bind_dn: "cn=admin,dc=foo,dc=example,dc=org"
            password: "password"
            rolesearch_enabled: false
            userbase: "dc=foo,dc=example,dc=org"
            usersearch: "(cn={0})"
            username_attribute: "cn"
            custom_attr_whitelist:
              - "ou"
              - "uid"
            skip_users:
              - "kibanaserver"

Even if we remove or add

custom_attr_whitelist:

nothing changes.
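A small diagnostic, added here as an example and not part of the original post, that compares the attr.ldap.* names reported by GET _opendistro/_security/api/account against the custom_attr_whitelist above, so one can tell whether the LDAP authorization backend contributed any attributes at all. It assumes the account response carries a custom_attribute_names list (as the Security plugin's account API does), and uses a constructed sample response rather than output from a real cluster.

```python
import json

# Constructed sample of a GET _opendistro/_security/api/account response
# (not captured from a real cluster). The field names follow the Security
# plugin's account API; that layout is an assumption of this example.
SAMPLE_ACCOUNT_RESPONSE = json.dumps({
    "user_name": "jdoe",
    "is_reserved": False,
    "is_hidden": False,
    "is_internal_user": False,
    "user_requested_tenant": None,
    "backend_roles": ["analysts"],
    # attr.jwt.* comes from the OpenID authenticator, attr.ldap.* from authz
    "custom_attribute_names": ["attr.jwt.sub", "attr.ldap.ou"],
    "tenants": {"jdoe": True},
    "roles": ["own_index"],
})

# The whitelisted LDAP attributes from the config in the post.
CUSTOM_ATTR_WHITELIST = ["ou", "uid"]


def check_ldap_attributes(account_json, whitelist):
    """Report which whitelisted LDAP attributes reached the user object.

    Returns the whitelisted attributes that were exposed as attr.ldap.*
    ('present'), those that were not ('missing'), LDAP attributes exposed
    but not whitelisted ('unexpected_ldap'), every non-LDAP attribute name
    ('other'), and a flag saying whether any attr.ldap.* name was seen.
    """
    account = json.loads(account_json)
    names = set(account.get("custom_attribute_names") or [])
    prefix = "attr.ldap."
    ldap_attrs = {n[len(prefix):] for n in names if n.startswith(prefix)}
    expected = set(whitelist)
    return {
        "present": sorted(ldap_attrs & expected),
        "missing": sorted(expected - ldap_attrs),
        "unexpected_ldap": sorted(ldap_attrs - expected),
        "other": sorted(n for n in names if not n.startswith(prefix)),
        "ldap_authz_seen": bool(ldap_attrs),
    }


if __name__ == "__main__":
    result = check_ldap_attributes(SAMPLE_ACCOUNT_RESPONSE, CUSTOM_ATTR_WHITELIST)
    print(json.dumps(result, indent=2))
```

An empty "present" list together with "ldap_authz_seen" false means no LDAP attribute was attached at all, which points at the authz domain not running for that user rather than at the whitelist.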