Working ldap authz configuration for FreeIPA?

Hi all,

I have got the authc part of the security plugin working with our ldaps server that is part of a FreeIPA installation. For the life-of-me I can’t get the authz part to return any roles from the back end, even though manually running the queries via ldapsearch seems to work.

From tcpdump it looks like no data is returned for the query to elasticsearch. I have tried it over ldap, not ldaps, too for tcpdump to see if there are any useful errors in the tcp payload but not much other than the query being sent and then some limited binary data being returned.

Any help appreciated.

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap
      config:
        # enable ldaps
        enable_ssl: true
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - auth.abc.co.za:636
        bind_dn: null
        password: null
        #rolesearch_enabled: false
        rolebase: 'cn=groups,cn=accounts,dc=abc,dc=co,dc=za'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(member={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename:  memberOf
        #userrolename: memberOf
        # The attribute in a role entry containing the name of that role, Default is "name".
        # Can also be "dn" to use the full DN as rolename.
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: false
        userbase: 'cn=users,cn=accounts,dc=abc,dc=co,dc=za'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        username_attribute: uid

There is a configuration summary at the end of this page, that you might find it helpful Active Directory and LDAP - Open Distro for Elasticsearch Documentation . One thing that you might be missing is that authz does not create Open Distro roles, it only maps LDAP groups (backend roles) to roles (a.k.a. security roles) that existing Open Distro.

@mxc have you verified if the second call to ldap returns the expected value with ldapsearch.
First call looks something like this:
ldapsearch -H ldap://<ldap_server> -D -W -b “cn=Users,dc=local,dc=local” “(sAMAccountName=)”
I would imagine this is the one that works.
The second call to get the groups is:
ldapsearch -H ldap://<ldap_server> -D -W -b “ou=GroupsNew,dc=local,dc=local” “(member=)”

If the 2nd call is successful, the ‘cn’ value will be the role that is received by the odfe, therefore you need to have a role_mappings mapping it to the relevant role in odfe. Hope this helps

Same problem.

Search not works with:
userbase: cn=users,cn=accounts,dc=corp,dc=ps,dc=kz
usersearch: (uid={0})
rolebase: cn=groups,cn=accounts,dc=corp,dc=ps,dc=kz
rolesearch: (member={0})

But if I change
rolebase: cn=users,cn=accounts,dc=corp,dc=ps,dc=kz
rolesearch: (uid={1})
the search is obtained and returned either users cn or dn

Find solution for opendistro authz and freeipa:
rolebase: cn=groups,cn=compat,dc=corp,dc=ps,dc=kz
rolesearch: (memberUid={1})