LDAP User Based Authorisation

Currently, LDAP works only with group-based authorisation, but for some critical indices we have to give access to just one user from LDAP.
Such functionality is currently not there and should be implemented.
For example, instead of groups: ["xxx"] we can use users: ["xxx"].
I have tried using separate authentication and then using local groups, but that doesn't work.

:rocket: Let’s do this?


Though I see the need for it, like granting access to a single user such as an admin, it's never a good practice to have security rules based off individual user IDs.

I just merged a "users" rule, which is agnostic of LDAP, but can be used in a rules block so it won't match if the resolved user is not included in the list. I.e.:

- name: "LDAP authenticated, just some user"
  users: ["*_admin", "root"]
  ldap_authentication:
    name: "ldap1"
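To make the semantics of that block concrete, here is a small added example of how a "users" rule composes with an LDAP authentication rule inside one block. It is illustration code written for this page, not ReadonlyREST's own implementation: the glob matching (a '*' that matches any run of characters), case-sensitive comparison, the AND-ing of all rules within a block, and the fake directory FAKE_LDAP with its users and passwords are all assumptions constructed for the demo.

```python
# Added example (not ReadonlyREST code): a minimal evaluator for a rule block
# that combines a "users" rule with an LDAP authentication rule, showing how
# the "resolved user must be in the list" check is applied after authentication
# and how wildcard patterns widen the grant. Glob semantics, case-sensitivity
# and rule AND-ing are assumptions for this illustration.
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an LDAP directory: username -> (password, groups).
FAKE_LDAP = {
    "root": ("root-pw", ["ops"]),
    "alice_admin": ("alice-pw", ["admins"]),
    "backup_admin": ("backup-pw", ["service"]),
    "bob": ("bob-pw", ["devs"]),
}


@dataclass
class Block:
    name: str
    ldap_authentication: str  # LDAP connector name, e.g. "ldap1" (assumed)
    users: List[str] = field(default_factory=list)  # glob patterns on the resolved user


def ldap_authenticate(connector: str, user: str, password: str) -> bool:
    """Constructed credential check: one connector backed by FAKE_LDAP."""
    entry = FAKE_LDAP.get(user)
    return connector == "ldap1" and entry is not None and entry[0] == password


def user_matches(patterns: List[str], user: str) -> bool:
    """Case-sensitive glob match of the resolved username against the patterns."""
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def block_matches(block: Block, user: str, password: str) -> bool:
    """Every rule in the block must pass (assumed AND semantics).

    The users rule is evaluated on the username resolved by authentication,
    so a failed login never reaches it, and an absent users rule imposes no
    restriction beyond authentication itself.
    """
    if not ldap_authenticate(block.ldap_authentication, user, password):
        return False
    if block.users and not user_matches(block.users, user):
        return False
    return True


# The block from the thread, expressed as a Python object.
ADMIN_BLOCK = Block(
    name="LDAP authenticated, just some user",
    ldap_authentication="ldap1",
    users=["*_admin", "root"],
)


def evaluate_all() -> Dict[str, bool]:
    """Run a handful of constructed logins through ADMIN_BLOCK."""
    attempts = [
        ("root", "root-pw"),
        ("alice_admin", "alice-pw"),
        ("backup_admin", "backup-pw"),  # also matches "*_admin": the wildcard over-grants
        ("bob", "bob-pw"),
        ("root", "wrong-pw"),  # authentication fails, users rule never consulted
    ]
    return {f"{u}/{p}": block_matches(ADMIN_BLOCK, u, p) for u, p in attempts}


if __name__ == "__main__":
    for login, allowed in evaluate_all().items():
        print(f"{login:<24} -> {'ALLOW' if allowed else 'DENY'}")
```

The backup_admin row is the practical point behind the caution about per-user rules: a pattern such as "*_admin" grants access to every present and future account whose name happens to end that way, so for a genuinely single-user exception the list should carry exact usernames, and the block should be reviewed whenever accounts are created in the directory.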