I'm using Search Guard Bundle 5.6.2-16 and trying to configure backend roles. My LDAP structure uses isMemberOf as an operational attribute which has to be explicitly called; it is not returned by default when searching for the user record. For example:
ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)"
does not return isMemberOf, but
ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" isMemberOf
returns a list of groups 'someuser' is a member of.
Looking over the logs, it looks like Search Guard first queries the full record of the user and then looks for the isMemberOf attribute to be returned. I cannot figure out a way to configure Search Guard to pass in the attribute. Is this possible?
Here's the relevant config snippet:
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: false
        hosts:
        bind_dn: null
        password: null
        rolebase: "o=XXX.com,o=email"
        rolesearch: "(uid={1})"
        userroleattribute: "isMemberOf"
        userrolename: "isMemberOf"
        rolename: "dn"
        resolve_nested_roles: false
        userbase: "ou=People,o=XXX.com,o=email"
        usersearch: "(uid={0})"
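To make the failure mode in the question concrete, here is an added example (not Search Guard code, and not part of the original post) that models the LDAP attribute-selection rule from RFC 4511 / RFC 3673 and the authz step of reading userroleattribute from the returned user entry; the directory entry, group DNs and the function names are constructed for illustration.

```python
# Constructed user entry: uid/cn are ordinary user attributes, while isMemberOf is
# an operational (server-computed) attribute, as in the question's directory.
ENTRY = {
    "dn": "uid=someuser,ou=People,o=XXX.com,o=email",
    "user_attrs": {"uid": ["someuser"], "cn": ["Some User"]},
    "operational_attrs": {
        "isMemberOf": ["cn=admins,o=XXX.com,o=email", "cn=devs,o=XXX.com,o=email"],
    },
}


def _lookup(pool, name):
    """Case-insensitive lookup, since LDAP attribute names are case-insensitive."""
    for key, values in pool.items():
        if key.lower() == name.lower():
            return key, values
    return None


def select_attributes(entry, requested):
    """Return what a server hands back for a search with the given attribute list.

    RFC 4511 s4.5.1.8: an empty list or "*" selects all *user* attributes;
    "+" (RFC 3673) selects all operational attributes; any other name is
    returned only when listed explicitly. Operational attributes are never
    returned implicitly, which is why the first ldapsearch omits isMemberOf.
    """
    result = {}
    if not requested or "*" in requested:
        result.update(entry["user_attrs"])
    if "+" in requested:
        result.update(entry["operational_attrs"])
    for name in requested:
        if name in ("*", "+"):
            continue
        for pool in (entry["user_attrs"], entry["operational_attrs"]):
            hit = _lookup(pool, name)
            if hit:
                result[hit[0]] = hit[1]
    return result


def resolve_roles(entry, userroleattribute, requested):
    """Model of the authz step: read the configured role attribute from the
    user entry the search returned. A missing attribute yields no backend roles."""
    hit = _lookup(select_attributes(entry, requested), userroleattribute)
    return hit[1] if hit else []
```

With the default (empty) attribute list the role attribute is absent and no roles resolve; requesting isMemberOf explicitly, or "+", returns the group DNs.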