No LDAP Roles returned if INVALID_DN_SYNTAX on one role is thrown #432

Closed
shadowlord017 opened this issue Oct 31, 2019 · 2 comments

@shadowlord017

If you have an LDAP group with invalid syntax in its DN, roles will be empty if you use resolve_nested_roles. This is because of the wide use of try..catch in the fillRoles function (an exception is thrown and no other groups are checked).

It seems that opendistro-for-elasticsearch/deprecated-security-advanced-modules#8 can solve this problem, but it appears to be frozen.

[2019-10-31T12:13:48,706][ERROR][c.a.o.s.a.BackendRegistry] [msk-dc01-elk-es01] Cannot retrieve roles for User [name=UserName, roles=[], requestedTenant=null] from ldap due to ElasticsearchSecurityException[[org.ldaptive.LdapException@118611119::resultCode=INVALID_DN_SYNTAX, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.InvalidNameException: CN=_Users - "Organization" Все,OU=_Organization,DC=example,DC=com: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C0907C1, coorg.elasticsearch.ElasticsearchSecurityException: [org.ldaptive.LdapException@118611119::resultCode=INVALID_DN_SYNTAX, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.InvalidNameException: CN=_Users - "Organization" Все,OU=_Organization,DC=example,DC=com: [LDAP: error code 34 - 0000208F: LdapErr: DS at com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:854) ~[opendistro_security_advanced_modules-1.2.0.0.jar:1.2.0.0]
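The failure mode reported above, as an added example that is not part of the issue or of the plugin's code: one try/catch around the whole nested-group walk returns no roles when a single DN is rejected, while handling the error per group keeps the remaining roles. `parentsOf`, the sample DNs and both resolver methods are hypothetical stand-ins for the real LDAP lookups.

```java
import java.util.*;
import javax.naming.InvalidNameException;

public class NestedRoleResolution {
    // Constructed sample directory: group DN -> DNs of the groups it is a member of.
    static final String BAD_DN = "CN=bad \"quoted\" group,DC=example,DC=com";
    static final Map<String, List<String>> MEMBER_OF = Map.of(
        "CN=devs,DC=example,DC=com", List.of("CN=staff,DC=example,DC=com"),
        "CN=staff,DC=example,DC=com", List.<String>of());

    // Hypothetical stand-in for the nested LDAP search; rejects one DN as the server did.
    static List<String> parentsOf(String dn) throws InvalidNameException {
        if (dn.equals(BAD_DN)) throw new InvalidNameException(dn + ": INVALID_DN_SYNTAX");
        return MEMBER_OF.getOrDefault(dn, List.of());
    }

    // Pattern from the report: one try/catch around the whole walk, so one bad DN loses every role.
    static Set<String> resolveAllOrNothing(List<String> direct) {
        Set<String> roles = new LinkedHashSet<>();
        try {
            Deque<String> todo = new ArrayDeque<>(direct);
            while (!todo.isEmpty()) {
                String dn = todo.pop();
                if (roles.add(dn)) todo.addAll(parentsOf(dn));
            }
        } catch (InvalidNameException e) {
            return Set.of(); // the user ends up with roles=[]
        }
        return roles;
    }

    // Per-group handling: the failing DN is logged and skipped, the other groups still resolve.
    static Set<String> resolvePerGroup(List<String> direct) {
        Set<String> roles = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(direct);
        while (!todo.isEmpty()) {
            String dn = todo.pop();
            if (roles.contains(dn)) continue; // already resolved, also guards against cycles
            try {
                todo.addAll(parentsOf(dn));
                roles.add(dn); // granted only if its own nested lookup succeeded
            } catch (InvalidNameException e) {
                System.err.println("skipping group, nested lookup failed: " + e.getMessage());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        List<String> direct = List.of("CN=devs,DC=example,DC=com", BAD_DN);
        System.out.println("all-or-nothing: " + resolveAllOrNothing(direct));
        System.out.println("per-group:      " + resolvePerGroup(direct));
    }
}
```

Whether a group whose nested lookup failed should itself still be granted is a policy choice; this sketch drops it and logs the DN so the missing role is traceable.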

@alolita alolita transferred this issue from opendistro-for-elasticsearch/deprecated-security-advanced-modules Apr 28, 2020
@debjanibnrj debjanibnrj self-assigned this May 15, 2020
@debjanibnrj debjanibnrj added the bug Something isn't working label May 15, 2020
@nateynateynate
Member

Hi @shadowlord017 - looks like you might still be using OpenDistro. The OpenSearch Project has since superseded OpenDistro. Do you mind attempting this again using the latest version of OpenSearch?

@davidlago

We are doing some "spring cleaning in the fall", and to make sure we focus our energies on the right issues and we get a better picture of the state of the repo, we are closing all issues that we are carrying over from the ODFE era (ODFE is no longer supported/maintained, see post here).

If you believe this issue should still be considered for current versions of OpenSearch, apologies! Please let us know by re-opening it.

Thanks!

gaobinlong pushed a commit to gaobinlong/security that referenced this issue Aug 30, 2023