LDAP[Authentication/Authorization]Backend2 does not support all configuration settings as LDAP Backend v1 #2216

Open
cwperks opened this issue Nov 1, 2022 · 0 comments
Labels: bug (Something isn't working), help wanted (Community contributions are especially encouraged for these issues), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable)

cwperks (Member) commented Nov 1, 2022

The security plugin has 2 different LDAP backends: `ldap` and `ldap2`. The backend is used to configure an LDAP-compliant directory service as the authentication and authorization backend for OpenSearch.

It was recently discovered that `ldap2` is undocumented on the documentation website and has functionality that Ldap[Authentication/Authorization]Backend does not have, such as connection pooling. See the relevant conversation on the documentation website, where connection pooling documentation was being added when it was discovered that the `ldap` backend does not support the setting: opensearch-project/documentation-website#1698 (comment)

If LDAP[Authentication/Authorization]Backend2 provides useful functionality that all LDAP installations should receive, then the gaps between v1 and v2 of this backend need to be identified to determine the effort required to support all existing settings in v2.

List of differences between v1 and v2:

| Setting | LDAPAuthenticationBackend | LDAPAuthorizationBackend | LDAPAuthenticationBackend2 | LDAPAuthorizationBackend2 |
|---|---|---|---|---|
| `LDAP_AUTHC_USERBASE = "userbase"` | [X] | [ ] | [ ] | [ ] |
| `LDAP_AUTHC_USERNAME_ATTRIBUTE = "username_attribute"` | [X] | [ ] | [ ] | [ ] |
| `LDAP_AUTHC_USERSEARCH = "usersearch"` | [X] | [ ] | [ ] | [ ] |
| `LDAP_AUTHCZ_USERS = "users"` | [X] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_ROLES = "roles"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHCZ_BASE = "base"` | [X] | [X] | [ ] | [ ] |
| `LDAP_AUTHCZ_SEARCH = "search"` | [X] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_RESOLVE_NESTED_ROLES = "resolve_nested_roles"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_ROLEBASE = "rolebase"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_ROLENAME = "rolename"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_ROLESEARCH = "rolesearch"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_USERROLEATTRIBUTE = "userroleattribute"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_USERROLENAME = "userrolename"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_SKIP_USERS = "skip_users"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_ROLESEARCH_ENABLED = "rolesearch_enabled"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_NESTEDROLEFILTER = "nested_role_filter"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_MAX_NESTED_DEPTH = "max_nested_depth"` | [ ] | [X] | [ ] | [ ] |
| `LDAP_AUTHZ_MAX_NESTED_DEPTH_DEFAULT = 30` | [ ] | [X] | [ ] | [ ] |
| `FOLLOW_REFERRALS = "follow_referrals"` | [ ] | [ ] | [ ] | [ ] |
| `FOLLOW_REFERRALS_DEFAULT = true` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_HOSTS = "hosts"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_BIND_DN = "bind_dn"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_PASSWORD = "password"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_FAKE_LOGIN_ENABLED = "fakelogin_enabled"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_SEARCH_ALL_BASES = "search_all_bases"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_FAKE_LOGIN_DN = "fakelogin_dn"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_FAKE_LOGIN_PASSWORD = "fakelogin_password"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_CONNECT_TIMEOUT = "connect_timeout"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_RESPONSE_TIMEOUT = "response_timeout"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_VERIFY_HOSTNAMES = "verify_hostnames"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_TRUST_ALL = "trust_all"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_VERIFY_HOSTNAMES_DEFAULT = true` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLE_SSL = "enable_ssl"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLE_START_TLS = "enable_start_tls"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_JKS_CERT_ALIAS = "cert_alias"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_JKS_TRUST_ALIAS = "ca_alias"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMKEY_FILEPATH = "pemkey_filepath"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMKEY_CONTENT = "pemkey_content"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMKEY_PASSWORD = "pemkey_password"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMCERT_FILEPATH = "pemcert_filepath"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMCERT_CONTENT = "pemcert_content"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLED_SSL_CIPHERS = "enabled_ssl_ciphers"` | [ ] | [ ] | [ ] | [ ] |
| `LDAPS_ENABLED_SSL_PROTOCOLS = "enabled_ssl_protocols"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_CUSTOM_ATTR_MAXVAL_LEN = "custom_attr_maxval_len"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_CUSTOM_ATTR_WHITELIST = "custom_attr_whitelist"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_CUSTOM_ATTR_ALLOWLIST = "custom_attr_allowlist"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_RETURN_ATTRIBUTES = "custom_return_attributes"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_CONNECTION_STRATEGY = "connection_strategy"` | [ ] | [ ] | [ ] | [ ] |
| `LDAP_POOL_ENABLED = "pool.enabled"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_POOL_MIN_SIZE = "pool.min_size"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_POOL_MAX_SIZE = "pool.max_size"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_POOL_TYPE = "pool.type"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_LEGACY_POOL_PRUNING_PERIOD = "pruning.period"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_LEGACY_POOL_IDLE_TIME = "pruning.idleTime"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_POOL_PRUNING_PERIOD = "pool.pruning_period"` | [ ] | [ ] | [X] | [ ] |
| `LDAP_POOL_IDLE_TIME = "pool.idle_time"` | [ ] | [ ] | [X] | [ ] |
cwperks added the bug and untriaged labels on Nov 1, 2022
cwperks added the help wanted and triaged labels and removed the untriaged label on Nov 7, 2022
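The practical risk behind the gap described in the comment above is that a setting the chosen backend class does not read is silently ignored rather than rejected: an operator who switches an authz domain from `ldap` to `ldap2` for pooling keeps `rolebase`/`rolesearch` in the config and role resolution quietly stops matching. The script below is an added example, not code from the security plugin or from the issue author: it walks a parsed `config.yml` and flags every LDAP setting that the table above does not mark as supported by the selected backend type. The support matrix is transcribed from that table; settings the table leaves blank for all four classes are treated as shared and never flagged. The `config.dynamic.authc.<domain>.authentication_backend` / `authz.<domain>.authorization_backend` layout with `type` and `config` keys is the plugin's documented config.yml shape, and `SAMPLE_CONFIG` is constructed for the example.

```python
"""Flag config.yml LDAP settings that the selected backend type does not read.

Added example for this issue, not code from the OpenSearch security plugin.
SUPPORTED transcribes the [X] marks of the issue's settings table; SHARED is
the settings that table leaves blank for every class. SAMPLE_CONFIG is
constructed for the example.
"""
from typing import Dict, Iterator, List, Tuple

# Settings marked [X] in the issue table, keyed by (backend type, role).
SUPPORTED: Dict[Tuple[str, str], set] = {
    ("ldap", "authc"): {"userbase", "username_attribute", "usersearch",
                        "users", "base", "search"},
    ("ldap", "authz"): {"users", "roles", "base", "search", "resolve_nested_roles",
                        "rolebase", "rolename", "rolesearch", "userroleattribute",
                        "userrolename", "skip_users", "rolesearch_enabled",
                        "nested_role_filter", "max_nested_depth"},
    ("ldap2", "authc"): {"pool.enabled", "pool.min_size", "pool.max_size",
                         "pool.type", "pruning.period", "pruning.idleTime",
                         "pool.pruning_period", "pool.idle_time"},
    ("ldap2", "authz"): set(),
}

# Listed in the table but blank for all four classes (connection, TLS and
# attribute settings): not attributed to any class, so never flagged.
SHARED = {
    "follow_referrals", "hosts", "bind_dn", "password", "fakelogin_enabled",
    "search_all_bases", "fakelogin_dn", "fakelogin_password", "connect_timeout",
    "response_timeout", "verify_hostnames", "trust_all", "enable_ssl",
    "enable_start_tls", "enable_ssl_client_auth", "cert_alias", "ca_alias",
    "pemkey_filepath", "pemkey_content", "pemkey_password", "pemcert_filepath",
    "pemcert_content", "pemtrustedcas_filepath", "pemtrustedcas_content",
    "enabled_ssl_ciphers", "enabled_ssl_protocols", "custom_attr_maxval_len",
    "custom_attr_whitelist", "custom_attr_allowlist", "custom_return_attributes",
    "connection_strategy",
}


def _flatten(node: dict, prefix: str = "") -> Iterator[str]:
    """Yield dotted paths for nested config: {pool: {enabled: ..}} -> pool.enabled."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from _flatten(value, path)
        else:
            yield path


def _table_key(path: str) -> str:
    """Map a config path to the table's setting name: the full dotted path for
    pool.*/pruning.* keys, otherwise the leaf name. Returns '' if unlisted."""
    leaf = path.rsplit(".", 1)[-1]
    for candidate in (path, leaf):
        if candidate in SHARED or any(candidate in s for s in SUPPORTED.values()):
            return candidate
    return ""


def audit_backend(backend_type: str, role: str, config: dict) -> List[Tuple[str, str]]:
    """Return (setting, classes that read it) for each configured setting that the
    table does not mark as supported by `backend_type` in `role` ('authc'/'authz').
    Such settings are silently ignored by that backend."""
    if (backend_type, role) not in SUPPORTED:
        raise ValueError(f"not an LDAP backend: type={backend_type} role={role}")
    findings = []
    for path in _flatten(config):
        key = _table_key(path)
        if not key or key in SHARED or key in SUPPORTED[(backend_type, role)]:
            continue
        readers = sorted(f"{t}/{r}" for (t, r), keys in SUPPORTED.items() if key in keys)
        findings.append((key, ", ".join(readers)))
    return findings


def audit_security_config(security_config: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every ldap/ldap2 authc and authz domain in a parsed config.yml."""
    dynamic = security_config["config"]["dynamic"]
    report: Dict[str, List[Tuple[str, str]]] = {}
    for role, section in (("authc", "authentication_backend"),
                          ("authz", "authorization_backend")):
        for name, domain in dynamic.get(role, {}).items():
            backend = domain.get(section, {})
            if backend.get("type") not in ("ldap", "ldap2"):
                continue
            findings = audit_backend(backend["type"], role, backend.get("config", {}))
            if findings:
                report[f"{role}.{name}"] = findings
    return report


# Constructed sample: both domains switched to ldap2 for pooling, v1 search
# settings left in place.
SAMPLE_CONFIG = {"config": {"dynamic": {
    "authc": {"ldap": {"authentication_backend": {"type": "ldap2", "config": {
        "hosts": ["ldap.example.internal:636"], "enable_ssl": True,
        "verify_hostnames": True, "bind_dn": "cn=svc-opensearch,dc=example,dc=internal",
        "password": "CHANGEME", "userbase": "ou=people,dc=example,dc=internal",
        "usersearch": "(uid={0})", "pool": {"enabled": True, "max_size": 10}}}}},
    "authz": {"roles_from_ldap": {"authorization_backend": {"type": "ldap2", "config": {
        "hosts": ["ldap.example.internal:636"], "enable_ssl": True,
        "rolebase": "ou=groups,dc=example,dc=internal", "rolesearch": "(member={0})",
        "rolename": "cn", "resolve_nested_roles": True}}}},
}}}

if __name__ == "__main__":
    for domain, findings in audit_security_config(SAMPLE_CONFIG).items():
        for setting, readers in findings:
            print(f"{domain}: '{setting}' is not read by this backend (read by {readers})")
```

On the constructed sample the authc domain is reported for `userbase` and `usersearch` and the authz domain for `rolebase`, `rolesearch`, `rolename` and `resolve_nested_roles`; the TLS, host and bind settings pass because the table attributes them to no class. The matrix is only as accurate as the issue's table, so re-transcribe it when the v2 backends gain settings.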
Development: no branches or pull requests · 1 participant