Is it possible to use an LDAP operational attribute for backend role discovery?


Michael Evans

Oct 27, 2017, 4:45:56 PM
to Search Guard Community Forum
I'm using Search Guard Bundle 5.6.2-16 and trying to configure backend roles.  My LDAP structure uses isMemberOf as an operational attribute which has to be explicitly called, it is not returned by default when searching for the user record.  For example:

ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)"

does not return isMemberOf, but 

ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" isMemberOf

returns a list of groups 'someuser' is a member of. 

Looking over the logs it looks like SearchGuard first queries the full record of the user and looks for the isMemberOf attribute to be returned.  I cannot figure out a way to configure Search Guard to pass in the attribute.  Is this possible?

Here's the relevant config snippet:

    authz:
      roles_from_myldap:
        enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - "XXX.XXX.com"
            bind_dn: null
            password: null
            rolebase: "o=XXX.com,o=email"
            rolesearch: "(uid={1})"
            userroleattribute: "isMemberOf"
            userrolename: "isMemberOf"
            rolename: "dn"
            resolve_nested_roles: false
            userbase: "ou=People,o=XXX.com,o=email"
            usersearch: "(uid={0})"


SG

Oct 28, 2017, 3:34:22 PM
to search...@googlegroups.com
Can you check this snapshot? I enabled all operational attributes.

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-authbackend-ldap/5.6-11-SNAPSHOT/dlic-search-guard-authbackend-ldap-5.6-11-20171028.193303-1-jar-with-dependencies.jar

Michael Evans

Nov 3, 2017, 1:30:09 PM
to Search Guard Community Forum
Didn't work.  

I tried the same thing from the command line and for some reason our server returns just the DN:

$ldapsearch -s sub -LLL -x -H ldaps://XXX.XXX.com -b "o=XXX.com , o=email" "(uid=someuser)" "*, +"
dn: uid=someuser,ou=People , o=XXX.com , o=email
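
The two command lines in this thread (the first post's search with and without `isMemberOf` named, and the `"*, +"` attempt above) both come down to how an LDAP server picks the attributes it returns for a SearchRequest. The following Python script is an added illustration, not Search Guard code and not the poster's directory: it models that selection per RFC 4511 section 4.5.1.8 and RFC 3673 ("*" = all user attributes, "+" = all operational attributes, "1.1" = none, explicit names = those attributes whether user or operational, an empty list = user attributes only), then runs the role-discovery step described in the thread over a constructed entry whose DN, group names and attribute values are placeholders. Invalid attribute descriptions (RFC 4512 section 2.5 allows only a keystring or numeric OID plus `;options`) are modelled as silently ignored, which is the common server behaviour; note that a single shell argument such as `"*, +"` is one attribute description, not two.

```python
"""Model of LDAP attribute selection and its effect on role discovery.

Added example; not Search Guard code. Semantics follow RFC 4511 4.5.1.8
(attribute list in SearchRequest) and RFC 3673 ("+" requests operational
attributes). All directory data below is constructed placeholder data.
"""
import re
from dataclasses import dataclass, field

# RFC 4512 2.5: attributedescription = (descr | numericoid) *( ";" option )
_ATTR_DESC = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")


def is_valid_attribute_description(s: str) -> bool:
    """True if `s` is a syntactically valid attribute description."""
    return bool(_ATTR_DESC.match(s))


@dataclass
class Entry:
    dn: str
    user_attrs: dict[str, list[str]]
    operational_attrs: dict[str, list[str]] = field(default_factory=dict)


# Constructed sample directory (placeholder DNs and groups, not real data).
DIRECTORY = [
    Entry(
        dn="uid=someuser,ou=People,o=example.com,o=email",
        user_attrs={"uid": ["someuser"], "cn": ["Some User"],
                    "objectClass": ["inetOrgPerson"]},
        operational_attrs={
            "isMemberOf": ["cn=es-admins,ou=Groups,o=example.com,o=email",
                           "cn=es-readers,ou=Groups,o=example.com,o=email"],
            "createTimestamp": ["20170101000000Z"],
        },
    )
]


def select_attributes(entry: Entry, requested: list[str]) -> dict[str, list[str]]:
    """Attributes a server returns for `entry` given the SearchRequest list."""
    if not requested:                      # empty list: all *user* attributes
        return dict(entry.user_attrs)
    user_index = {k.lower(): k for k in entry.user_attrs}
    op_index = {k.lower(): k for k in entry.operational_attrs}
    result: dict[str, list[str]] = {}
    for req in requested:
        if req == "*":                     # all user attributes
            result.update(entry.user_attrs)
        elif req == "+":                   # all operational attributes (RFC 3673)
            result.update(entry.operational_attrs)
        elif req == "1.1":                 # "no attributes" marker: DN only
            continue
        elif not is_valid_attribute_description(req):
            continue                       # e.g. "*, +" as one argument: ignored
        else:
            key = req.lower()              # attribute names are case-insensitive
            if key in user_index:
                name = user_index[key]
                result[name] = entry.user_attrs[name]
            elif key in op_index:
                name = op_index[key]
                result[name] = entry.operational_attrs[name]
    return result


def search(uid: str, requested: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Simulated subtree search with filter (uid=<uid>)."""
    return [(e.dn, select_attributes(e, requested))
            for e in DIRECTORY if e.user_attrs.get("uid", [""])[0] == uid]


def backend_roles(uid: str, requested: list[str],
                  userroleattribute: str = "isMemberOf") -> list[str]:
    """Role-discovery step as described in the thread: read role DNs from
    `userroleattribute` on the user entry. An attribute the server did not
    return yields [] -- the user silently ends up with no backend roles."""
    roles: list[str] = []
    for _dn, attrs in search(uid, requested):
        lowered = {k.lower(): v for k, v in attrs.items()}
        roles.extend(lowered.get(userroleattribute.lower(), []))
    return roles


if __name__ == "__main__":
    cases = {
        "no attribute list (default user lookup)": [],
        'explicit "isMemberOf"': ["isMemberOf"],
        '"*" "+" as two arguments': ["*", "+"],
        '"*, +" as a single argument': ["*, +"],
    }
    for label, req in cases.items():
        print(f"{label:45} -> {backend_roles('someuser', req)}")
```

Run it and only the second and third cases yield roles; the default lookup and the single-argument `"*, +"` form return the entry with no `isMemberOf`, which is the fail-closed outcome (no roles rather than wrong roles) to check for in the logs when role mapping against an operational attribute is not working.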

SG

Nov 3, 2017, 3:42:45 PM
to search...@googlegroups.com
What is the productname, vendor and version of your ldap server?

Michael Evans

Nov 10, 2017, 5:15:45 PM
to Search Guard Community Forum
I don't have admin access to the server.  This is what I get from ldapsearch -x -H "ldaps://XXX.XXX.com" -s base -b "" "objectclass=*" vendorname vendorversion  *

dn:
vendorname: Oracle Corporation
vendorversion: Sun-Directory-Server/11.1.1.7.3

Search Guard

Dec 4, 2017, 2:52:17 PM
to Search Guard Community Forum
tracked here https://github.com/floragunncom/search-guard-authbackend-ldap/issues/7
will go into this soon, pls stay tuned

Search Guard

Jan 3, 2019, 5:37:37 AM
to search...@googlegroups.com
we have something now and need help to test it. Anyone interested in helping us test operational attributes?