I have reverse proxy, which will query the ldap based on kerberos auth, it will populate the headers with user name and all the groups from ldap. Everything is working fine, but i’m unable to google solution how to set up readonlyrest.yml with those groups.
For example i will have header X-Forwarded-Groups:grp1,grp2,grp3, i only care about grp2, because for grp2 i need to restrict access to some indices and actions.
So i want to extract those headers values and if it contains the grp2 then use this auth block in readonlyrest.yml.
Is this possible ? (I want to also have ldap auth in readonlyrest, but i cannot find if its possible to authentificate user with reverse proxy and then fire ldap to get groups in readonlyrest side)
In theory, you can very well use LDAP authorization mixed with proxy_auth authentication. But why bother? If you have a proper LDAP connector with all bells and whistles within ReadonlyREST?
How about you just use ROR LDAP connector for authentication and authorization? Leave the proxy.
in the same block where you have proxy_auth, you add ldap_authorization (see Advanced: authentication and authorization in separate rules section).
It might look something like:
readonlyrest:
access_control_rules:
- name: Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group 'team1'
proxy_auth:
proxy_auth_config: "proxy1"
users: ["*"]
ldap_authorization:
name: "ldap1" # ldap name from 'ldaps' section
groups: ["g1", "g2"] # group within 'ou=Groups,dc=example,dc=com'
proxy_auth_configs:
- name: "proxy1"
user_id_header: "X-Forwarded-User"
ldaps:
- name: ldap1
hosts: # HA style, alternative to "host"
- "ldaps://ssl-ldap1.foo.com:636" # can use ldap:// or ldaps:// (for ssl)
- "ldaps://ssl-ldap2.foo.com:636" # the port is declared in line
ha: "ROUND_ROBIN" # optional, default "FAILOVER"
search_user_base_DN: "ou=People,dc=example2,dc=com"
search_groups_base_DN: "ou=Groups,dc=example2,dc=com"