How to support hierarchical ldap groups


vostro...@gmail.com

Mar 17, 2019, 12:38:21 PM
to Search Guard Community Forum

Hi!

We are trying to configure our Elastic cluster (6.6, with Search Guard 6.6 installed) with our organization's LDAP server.
Each document in our cluster contains a field called "authorized": a list of user/group names authorized to view the document.

Is it possible to create rules based on our LDAP, so that each query will take into account the client's user and check whether it is contained in the authorized list? (Contained means that it can appear there explicitly, or that they are a member of a group listed there.)


Thanks!!

SG

Mar 17, 2019, 1:01:06 PM
to search...@googlegroups.com
Yes, this is possible by leveraging Document Level Security (DLS) together with user attributes and variable substitution (${user.name} and ${user.roles}):

https://docs.search-guard.com/latest/document-level-security#dynamic-queries-variable-substitution

vostro...@gmail.com

Mar 17, 2019, 2:26:56 PM
to Search Guard Community Forum
I tried to use _dls_ queries and could not configure them the right way.

For example, if I have in my LDAP a group named 'my_group' which contains the user 'me',
and I have the doc:
{
  "authorized": ["my_group"],
  ...
}

What would my _dls_ and roles look like, so that 'me' will be able to get this document in a query (but members who are not in 'my_group' won't)?


On Sunday, March 17, 2019 at 7:01:06 PM UTC+2, Search Guard wrote:
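The following is an added worked example, not code from the thread or from Search Guard: it simulates what a DLS query built from the ${user.name} and ${user.roles} substitution variables suggested above would match for the 'my_group' / 'me' scenario. It assumes (none of this is stated in the posts) that nested LDAP groups are flattened so a user also holds the roles of parent groups, that ${user.roles} expands to a comma-separated list of JSON strings, and that the resulting Elasticsearch "terms" query on the "authorized" field can be evaluated locally against a few constructed documents; on a real cluster the query is applied server-side by the DLS filter.

```python
"""Simulate DLS variable substitution (editor-added example, assumptions labelled).

Not Search Guard code: the LDAP directory, the expansion of ${user.roles}
and the local evaluation of the terms query are all assumptions made here.
"""
import json

# Constructed LDAP directory: group -> members (users or other groups).
# 'sub_group' is nested inside 'my_group' to show hierarchical membership.
LDAP_GROUPS = {
    "my_group": ["me", "sub_group"],
    "sub_group": ["nested_user"],
    "other_group": ["someone_else"],
}

# Template in the shape a _dls_ entry of a role definition would take;
# ${user.name} and ${user.roles} are the Search Guard substitution variables.
# Assumption: ${user.roles} renders as a comma-separated list of JSON strings.
DLS_TEMPLATE = '{"terms": {"authorized": ["${user.name}", ${user.roles}]}}'


def resolve_groups(user, groups=LDAP_GROUPS):
    """Return every group the user belongs to, including parent groups
    reached through nested group membership (flattening the hierarchy)."""
    direct = {g for g, members in groups.items() if user in members}
    resolved = set()
    stack = list(direct)
    while stack:
        g = stack.pop()
        if g in resolved:
            continue
        resolved.add(g)
        # Any group that lists g as a member is a parent group of g.
        stack.extend(p for p, members in groups.items() if g in members)
    return sorted(resolved)


def render_dls(user, roles, template=DLS_TEMPLATE):
    """Substitute the user's name and roles into the template and parse it."""
    if not roles:
        # Would render '[..., ]', which is invalid JSON; refuse instead of
        # silently producing a query that fails to parse.
        raise ValueError("user has no roles; template cannot be rendered")
    roles_json = ", ".join(json.dumps(r) for r in roles)
    # json.dumps(...)[1:-1] escapes quotes/backslashes inside the name
    # without adding outer quotes (the template already supplies them).
    rendered = (
        template.replace("${user.name}", json.dumps(user)[1:-1])
        .replace("${user.roles}", roles_json)
    )
    return json.loads(rendered)


def matches(doc, dls_query):
    """Evaluate a terms query locally: true if any value of the queried
    field in the document appears in the query's value list."""
    field, values = next(iter(dls_query["terms"].items()))
    doc_values = doc.get(field, [])
    if isinstance(doc_values, str):
        doc_values = [doc_values]
    return any(v in values for v in doc_values)


def visible_docs(user, docs, groups=LDAP_GROUPS):
    """Document ids the given user would be allowed to see under the DLS query."""
    roles = resolve_groups(user, groups)
    query = render_dls(user, roles)
    return [d["id"] for d in docs if matches(d, query)]


# Constructed sample documents, each with the "authorized" list from the thread.
DOCS = [
    {"id": "d1", "authorized": ["my_group"]},
    {"id": "d2", "authorized": ["someone_else"]},
    {"id": "d3", "authorized": ["nested_user", "other_group"]},
]

if __name__ == "__main__":
    for u in ["me", "nested_user", "someone_else"]:
        print(u, resolve_groups(u), visible_docs(u, DOCS))
```

Running it shows 'me' seeing only d1 through membership of 'my_group', 'nested_user' seeing d1 as well because the nested 'sub_group' resolves up to 'my_group', and 'someone_else' seeing d2 and d3 but not d1. The flattening step is the part that matters for hierarchical groups: if the roles handed to DLS contain only direct memberships, documents authorized for a parent group stay invisible to members of its sub-groups.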

Search Guard

Mar 17, 2019, 2:34:01 PM
to Search Guard Community Forum
What exactly did you try so far?