Grouping together multiple LDAPs

We are using Enterprise ROR.

I have two LDAP groups as shown below. Is there a way to club both of them together and use them in my rule? Currently I have to duplicate each rule to accommodate both LDAPs.

    - name: "Forbid all LDAP users to delete indices"
      type: forbid
      actions: ["indices:admin/delete", "indices:admin/template/delete", "indices:data/write/delete", "indices:data/write/delete/byquery"]
      ldap_authentication:
        name: "ldap"
        cache_ttl_in_sec: 900
        
    - name: "Forbid all LDAP2 users to delete indices"
      type: forbid
      actions: ["indices:admin/delete", "indices:admin/template/delete", "indices:data/write/delete", "indices:data/write/delete/byquery"]
      ldap_authentication:
        name: "ldap2"
        cache_ttl_in_sec: 900

LDAPs

    ldaps:
    - name: "ldap"
      host: "winrootf5.xxx.com"
      port: 636
      ssl_enabled: true
      ssl_trust_all_certs: true
      bind_dn: "CN=srvxxx,OU=ServiceAccounts,OU=CorpUsers,DC=winroot,DC=xxx,DC=com"
      bind_password: "XXXXXXX"
      search_user_base_DN: "OU=CorpUsers,DC=winroot,DC=xxx,DC=com"
      search_groups_base_DN: "OU=CorpGroups,DC=winroot,DC=xxx,DC=com"
      user_id_attribute: "samaccountname"
      unique_member_attribute: "member"
      connection_pool_size: 100
      connection_timeout_in_sec: 60
      request_timeout_in_sec: 60
      cache_ttl_in_sec: 900
      group_name_attribute: "cn"

    - name: "ldap2"
      host: "xxxvirtualdir.xxx.com"
      port: 2489
      ssl_enabled: true
      ssl_trust_all_certs: true
      search_user_base_DN: "uid=srvEUPAutomationJob,OU=SelfService,ou=People,ou=PeopleAuthSrch,dc=xxx,dc=com"
      search_groups_base_DN: "ou=Autogroups,ou=PeopleAuthSrch,dc=xxx, dc=com"
      user_id_attribute: "uid"
      unique_member_attribute: "uniqueMember"
      connection_pool_size: 10
      connection_timeout_in_sec: 10
      request_timeout_in_sec: 10
      cache_ttl_in_sec: 60
      group_name_attribute: "cn"

No, at the moment there is no way to do that.
But it looks like it can be done, so I will add a Jira and we will discuss it internally and maybe we will implement it.

Thanks for the proposal @zeeshan! I see where you come from and how it makes sense.

We could be tempted to implement this, however, I’d advise not to. Why? Because the current ACL syntax is already fully capable of expressing this kind of logic (and so much more).

Maybe today this particular configuration is a tad verbose, but it builds on the same foundational building blocks, and it’s easier to grasp for non-advanced users.
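
An added example, not part of the thread and not ReadonlyREST code: since each LDAP connector needs its own copy of the forbid rule, this Python check reports connectors whose copy is missing or has drifted from the action list in the question. It reads only keys shown in the posted config using regexes, which assumes this layout and is not a general YAML parser; the sample config and the `ldap3` connector are constructed.

```python
import re

# Actions listed in the thread's forbid rules; every connector must be covered.
REQUIRED = {"indices:admin/delete", "indices:admin/template/delete",
            "indices:data/write/delete", "indices:data/write/delete/byquery"}

# Constructed sample in the thread's layout (connector settings omitted):
# ldap2's copy has drifted, ldap3 (hypothetical) has no forbid rule at all.
SAMPLE = '''
- name: "Forbid all LDAP users to delete indices"
  type: forbid
  actions: ["indices:admin/delete", "indices:admin/template/delete", "indices:data/write/delete", "indices:data/write/delete/byquery"]
  ldap_authentication:
    name: "ldap"
- name: "Forbid all LDAP2 users to delete indices"
  type: forbid
  actions: ["indices:admin/delete", "indices:admin/template/delete", "indices:data/write/delete"]
  ldap_authentication:
    name: "ldap2"
ldaps:
- name: "ldap"
- name: "ldap2"
- name: "ldap3"
'''

def items(text):
    """Split a list fragment into items, each beginning at '- name:'."""
    parts = re.split(r'(?m)^[ \t]*(?=- name:)', text)
    return [p for p in parts if p.startswith('- name:')]

def forbidden_by_connector(rules_text):
    """Map connector name -> actions forbidden by the rules bound to it."""
    covered = {}
    for item in items(rules_text):
        conn = re.search(r'ldap_authentication:\s*\n\s*name:\s*"([^"]+)"', item)
        acts = re.search(r'actions:\s*\[(.*?)\]', item)
        if conn and acts and re.search(r'(?m)^\s*type:\s*forbid\s*$', item):
            covered.setdefault(conn.group(1), set()).update(
                re.findall(r'"([^"]+)"', acts.group(1)))
    return covered

def audit(config, required=REQUIRED):
    """Return {connector: [required actions that no forbid rule covers]}."""
    parts = re.split(r'(?m)^[ \t]*ldaps:[ \t]*$', config, maxsplit=1) + ['']
    covered = forbidden_by_connector(parts[0])
    names = [re.match(r'- name:\s*"([^"]+)"', i).group(1) for i in items(parts[1])]
    return {n: sorted(required - covered.get(n, set()))
            for n in names if required - covered.get(n, set())}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every connector under `ldaps:` has a forbid rule covering all four delete actions.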