[BUG] ldap config setting custom_attr_allowlist does not do anything.
#2032
Comments
@Martin-Kemp Thanks for filing this issue
@peternied no problem. Let me know if it's not clear enough or you can't reproduce it.
It looks like the I ran the test
Then forcing it to fail with:
We can then see the custom attributes
@Martin-Kemp I think I found the source of the issue while doing code inspection, the value is Assuming this lets you work around it, we need to update the key to the inclusive terminology
@peternied Thanks for the suggestion, I have tried using
The problem is that Could you try to reproduce the issue on your side? It's quite quick to do with the zip file supplied in the documentation. Just add:
to
Also change the version of opensearch in the Then just check the logs of the ldap container when you run the query supplied in the documentation.
I haven't been able to get this working with Opendistro either. So I'm guessing the issue predates the change to inclusive terminology.
@Martin-Kemp From what I've been able to put together tracing through the codepath, it looks like searching all attributes is expected. See LdapHelper.search. This is the method used to locate the user and return an The This in turn is used to enrich the user object by adding these custom attributes to I also had to add See the output below of a curl command to
Notice that
Thanks for the clarification @cwperks. So then I misunderstood the documentation. Our need is to limit the attributes requested by Opensearch because some attributes may contain sensitive information. We can do this with
ldap logs:
So if filtering on the client side (Opensearch) is expected behaviour then I suppose this feature is not supported.
In the documentation it's under authz; maybe that should be changed then.
Yeah, you're right. If I hard-code an attribute there it works as I expected:
Then rebuilding results in ldap logs:
I wonder if supporting custom return attributes would be helpful to anyone else. Maybe I could do this and open a PR?
@Martin-Kemp That would be welcomed. We would gladly accept a PR with your contribution.
#2093 has been merged.
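The thread above establishes that the allowlist is applied on the OpenSearch side after the LDAP search has already returned every attribute, whereas passing the allowlisted names as the search's return attributes keeps non-allowlisted (possibly sensitive) values from leaving the directory at all. The model below is an added, constructed illustration of that difference, not the security plugin's code: `FakeLdapServer`, `DIRECTORY` and the two `custom_attrs_*` functions are stand-ins, and the request log plays the role of the ldap container log.

```python
# Constructed model of the two attribute-limiting strategies discussed in
# the issue. This is not the OpenSearch security plugin's code.
from typing import Dict, List

# Constructed directory with one deliberately sensitive attribute (ssn).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=mkemp,ou=people,dc=example,dc=org": {
        "uid": "mkemp",
        "cn": "Martin Kemp",
        "mail": "mkemp@example.org",
        "employeeNumber": "12345",
        "ssn": "000-00-0000",  # constructed sensitive value
    }
}


class FakeLdapServer:
    """Records each search's requested attributes and what it handed back,
    which is what the ldap container log would show."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries
        self.request_log: List[List[str]] = []   # attributes asked for
        self.returned_log: List[List[str]] = []  # attributes sent over the wire

    def search(self, uid: str, attributes: List[str]) -> Dict[str, str]:
        # Per RFC 4511 an empty attribute list means "all user attributes".
        self.request_log.append(list(attributes) or ["*"])
        for entry in self.entries.values():
            if entry.get("uid") != uid:
                continue
            result = dict(entry) if not attributes else {
                k: v for k, v in entry.items() if k in attributes}
            self.returned_log.append(sorted(result))
            return result
        self.returned_log.append([])
        return {}


def custom_attrs_client_filtered(server: FakeLdapServer, uid: str,
                                 allowlist: List[str]) -> Dict[str, str]:
    """Behaviour described in the thread: fetch everything, then keep only
    allowlisted keys on the OpenSearch side. The directory still returns ssn."""
    entry = server.search(uid, [])
    return {k: v for k, v in entry.items() if k in allowlist}


def custom_attrs_server_limited(server: FakeLdapServer, uid: str,
                                allowlist: List[str]) -> Dict[str, str]:
    """Proposed behaviour: send the allowlist as the search's return attributes,
    so non-allowlisted values never leave the directory."""
    return server.search(uid, list(allowlist))
```

Both functions yield the same custom-attribute map for the user; only the request and returned logs differ, and that difference is exactly what the reporter was looking for in the ldap container logs.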
What is the bug?
Ldap config setting custom_attr_allowlist, which is supposed to limit the attributes searched for, does not appear to do anything.
How can one reproduce the bug?
docker-compose up
What is the expected behavior?
Attributes listed in custom_attr_allowlist should be filtered out; this should be evident in the ldap logs. Expected output:
What is your host/environment?