
[BUG] RegExp to exclude all non ldap users from role search (/.*$(?<!DC=contonso,DC=com)/) is not working #1570

Closed
df-cgdm opened this issue Jan 13, 2022 · 5 comments
Labels: bug (Something isn't working), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable)

Comments


df-cgdm commented Jan 13, 2022

Describe the bug
I would like to exclude from the LDAP role search any user who was not authenticated by my LDAP. For that I'm using the following regexp in skip_users:
/.*$(?<!DC=adm,DC=corp)/

With this regexp it excludes all users, but it should not exclude my LDAP user, which has the following DN:
CN=Test User,OU=Users,DC=contonso,DC=com

I've tested this regexp successfully on several online regexp sites such as regex101.

To Reproduce
The ldap configuration in config.yml is

      ldap:
        authentication_backend:
          config:
            bind_dn: "CN=opensearch,OU=Users,DC=contonso,DC=com"
            enable_ssl: false
            enable_ssl_client_auth: false
            enable_start_tls: false
            hosts:
            - "dc1.contonso.com:3268"
            - "dc2.contonso.com:3268"
            password: "my_password"
            userbase: "DC=contonso,DC=com"
            username_attribute: "userPrincipalName"
            usersearch: "(sAMAccountName={0})"
            verify_hostnames: true
          type: "ldap"
        description: "Authenticate via LDAP or Active Directory"
        http_authenticator:
          challenge: false
          type: "basic"
        http_enabled: true
        order: 10
        transport_enabled: false
    authz:
      roles_from_myldap:
        authorization_backend:
          config:
            bind_dn: "CN=opensearch,OU=Users,DC=contonso,DC=com"
            enable_ssl: false
            enable_ssl_client_auth: false
            enable_start_tls: false
            hosts:
            - "dc1.contonso.com:3268"
            - "dc2.contonso.com:3268"
            password: "my_password"
            resolve_nested_roles: true
            rolebase: "DC=contonso,DC=com"
            rolesearch: "(member={0})"
            skip_users:
              - '/.*$(?<!DC=contonso,DC=com)/'
            userroleattribute: null
            userrolename: "disabled"
            verify_hostnames: true
          type: "ldap"
        description: "Authorize via LDAP or Active Directory"

I've set the log level of com.amazon.dlic.auth.ldap.backend to TRACE.

Expected behavior
This should skip any user not ending with "DC=contonso,DC=com", but in fact it skips all users.

Logs

[2022-01-12T19:45:28,729][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Connect to peb4admad03.contonso.com:3268
[2022-01-12T19:45:28,730][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Connect to ldap://peb4admad03.contonso.com:3268
[2022-01-12T19:45:28,730][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Connect timeout: PT5S/ResponseTimeout: PT0S
[2022-01-12T19:45:28,730][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] bindDn CN=opensearch,OU=Users,DC=contonso,DC=com, password ****
[2022-01-12T19:45:28,730][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Will perform simple bind with bind dn
[2022-01-12T19:45:28,737][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Opened a connection, total count is now 1
[2022-01-12T19:45:28,742][DEBUG][c.a.d.a.l.b.LDAPAuthenticationBackend] [osserver] Results for LDAP search for test-user in base _legacyConfig:
[]
[2022-01-12T19:45:28,742][TRACE][c.a.d.a.l.b.LDAPAuthenticationBackend] [osserver] Try to authenticate dn CN=Test User,OU=Users,DC=contonso,DC=com
[2022-01-12T19:45:28,743][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Closed a connection, total count is now 0
[2022-01-12T19:45:28,743][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] bindDn CN=Test User,OU=Users,DC=contonso,DC=com, password ****
[2022-01-12T19:45:28,756][DEBUG][c.a.d.a.l.b.LDAPAuthenticationBackend] [osserver] Authenticated username [email protected]
[2022-01-12T19:45:28,757][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] DBGTRACE (2): username: [email protected]
[2022-01-12T19:45:28,757][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] DBGTRACE (3): authenticatedUser: CN=Test User,OU=Users,DC=contonso,DC=com 
[2022-01-12T19:45:28,757][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Try to get roles for CN=Test User,OU=Users,DC=contonso,DC=com
[2022-01-12T19:45:28,757][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] user class: class com.amazon.dlic.auth.ldap.LdapUser
[2022-01-12T19:45:28,757][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] authenticatedUser: CN=Test User,OU=Users,DC=contonso,DC=com
[2022-01-12T19:45:28,758][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] originalUserName: test-user
[2022-01-12T19:45:28,759][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] entry: [dn=CN=Test User,OU=Users,DC=contonso,DC=com[[mail[[email protected]]], [uSNCreated[243328]], [whenChanged[20220110103233.0Z]], [objectClass[top, person, organizationalPerson, user]], [primaryGroupID[513]], [givenName[test]], [objectGUID[<binary>]], [objectSid[<binary>]], [instanceType[4]], [whenCreated[20180410092107.0Z]], [dSCorePropagationData[20211119102430.0Z, 20190912151352.0Z, 20200916133317.0Z, 20180410104751.0Z, 16010101181216.0Z]], [sn[Test]], [userAccountControl[1049088]], [lastLogonTimestamp[132862843472025585]], [cn[Test User]], [sAMAccountName[test-user]], [sAMAccountType[805306368]], [userPrincipalName[[email protected]]], [displayName[Test User]], [name[Test User]], [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=contonso,DC=com]], [distinguishedName[CN=Test User,OU=Users,DC=contonso,DC=com]], [memberOf[CN=Opensearch-Admins,OU=Groups,DC=contonso,DC=com]], [uSNChanged[179355619]]], responseControls=null, messageId=-1]
[2022-01-12T19:45:28,761][TRACE][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] dn: null
[2022-01-12T19:45:28,761][DEBUG][c.a.d.a.l.b.LDAPAuthorizationBackend] [osserver] Skipped search roles of user CN=Test User,OU=Users,DC=contonso,DC=com/test-user
df-cgdm added the Beta, bug and untriaged labels on Jan 13, 2022

pawelw1 commented Jan 13, 2022

@df-cgdm What is the version of your OpenSearch? What is the LDAP service?


df-cgdm commented Jan 13, 2022

OpenSearch 1.2.3

LDAP service is an Active Directory 2016 (but anyway the problem is not really related to the ldap version). The problem occurs at line 189 of LDAPAuthorizationBackend2.java

davidlago commented

@df-cgdm thanks for the report. I've been squinting at this for a few minutes and apologies if I'm missing something but the config file posted skips users matching RegEx /.*$(?<!DC=contonso,DC=com)/

            skip_users:
              - '/.*$(?<!DC=contonso,DC=com)/'

and the log file shows that the user being skipped does in fact match it:

Skipped search roles of user CN=Test User,OU=Users,DC=contonso,DC=com/test-user

Why is this not the expected behavior?

davidlago removed the Beta and untriaged labels on Feb 12, 2022

df-cgdm commented Feb 13, 2022

There is a NOT ('!'). I want to skip all users except the users with a DN from my Active Directory.

davidlago commented

Gotcha! It seems like the issue here is that the matcher we use does not support negative lookbehind (not all regex matchers do, including some browsers). Please try this one instead with a negative lookahead: ^(?!.*DC=contonso,DC=com$).*$
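As an added illustration (not code from this issue or from the OpenSearch security plugin), the following Python harness evaluates the two skip_users entries discussed in the thread, plus a plain wildcard entry, against the identity strings that appear in the trace: the authenticated DN and the original short username. Two things are modelled rather than taken from the plugin's source and should be read as assumptions: the entry syntax (a `/.../`-wrapped regular expression that must match the whole string, otherwise a `*` glob), and the idea that the skip list is checked against both strings, which the `Skipped search roles of user <dn>/<name>` log line suggests. The sample identities are constructed for the example.

```python
import re

# Constructed sample identities (not from a real directory); the DN and the
# short name mirror the ones quoted in the issue's trace output.
AUTHENTICATED_DN = "CN=Test User,OU=Users,DC=contonso,DC=com"
ORIGINAL_USERNAME = "test-user"
FOREIGN_DN = "CN=Other User,OU=Users,DC=example,DC=org"

# The two skip_users entries from the thread, plus a glob-style entry of the
# kind the skip list also accepts.
PATTERN_LOOKBEHIND = "/.*$(?<!DC=contonso,DC=com)/"
PATTERN_LOOKAHEAD = "/^(?!.*DC=contonso,DC=com$).*$/"
PATTERN_WILDCARD = "svc-*"


def skip_entry_matches(entry: str, name: str) -> bool:
    """Evaluate one skip_users entry against one identity string.

    Assumption (modelled on the documented syntax, not copied from the
    plugin): an entry wrapped in '/' is a regular expression that must match
    the whole string; any other entry is a glob where '*' matches any run of
    characters.
    """
    if len(entry) >= 2 and entry.startswith("/") and entry.endswith("/"):
        return re.fullmatch(entry[1:-1], name) is not None
    glob = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(glob, name) is not None


def user_is_skipped(entries, identities) -> bool:
    """True if ANY entry matches ANY of the identity strings.

    Assumption: the backend tests the skip list against both the
    authenticated DN and the original (short) username, as the
    'Skipped search roles of user <dn>/<name>' log line suggests.
    """
    return any(skip_entry_matches(e, ident) for e in entries for ident in identities)


def explain(entries, identities) -> dict:
    """Per-identity matrix: which entries hit which identity string."""
    return {ident: [e for e in entries if skip_entry_matches(e, ident)] for ident in identities}


if __name__ == "__main__":
    checked = [AUTHENTICATED_DN, ORIGINAL_USERNAME, FOREIGN_DN]
    for label, entries in (("lookbehind", [PATTERN_LOOKBEHIND]),
                           ("lookahead", [PATTERN_LOOKAHEAD])):
        print(label, explain(entries, checked))
        print("  LDAP user skipped when DN and short name are both tested:",
              user_is_skipped(entries, [AUTHENTICATED_DN, ORIGINAL_USERNAME]))
```

Run as a script, the matrix shows that both the negative-lookbehind and the negative-lookahead entry leave the DN unmatched while matching the foreign DN, exactly as intended, but that both also match the bare short name test-user. That is the check to make before deploying a skip_users pattern: evaluate it against every identity string the backend may feed to the matcher, not only the DN. Python's re supports the fixed-width lookbehind used here, so the harness exercises the patterns' semantics rather than any particular matcher's feature set.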

davidlago added the triaged label on Oct 10, 2022