OpenSearch 3: LDAP Auth Broken After Upgrade

Dec 3, 2025 by Admin 45 views

Hey everyone,

We've got a critical issue to discuss: LDAP authentication seems to be broken after upgrading from OpenSearch 2 to OpenSearch 3. This is a major roadblock, especially for those relying on LDAP for managing user access. Let's dive into the details and see what's going on.

What's the Bug?

The main problem is that one of the documented methods for integrating LDAP authentication no longer functions as expected after the upgrade. According to the OpenSearch documentation, there are two primary approaches to integrate LDAP:

Query the role subtree
Use a user's attribute as the role name

Specifically, Approach 1 is failing post-upgrade. In our setup, the LDAP server (FreeIPA) stores all group memberships under the user's memberOf attribute. This configuration was working perfectly fine in OpenSearch 2, but now it's not resolving roles correctly in OpenSearch 3.

Detailed Explanation of the Issue

To elaborate further, the LDAP integration in OpenSearch relies on querying the LDAP directory to determine user roles based on their attributes. In the first approach, OpenSearch queries the role subtree to find the groups a user belongs to. This involves searching for roles based on the user's attributes, such as memberOf. However, after upgrading to OpenSearch 3, this query seems to fail or return incorrect results, leading to authentication failures or incorrect role assignments.

The memberOf attribute in FreeIPA is crucial for managing user permissions. It lists all the groups a user is a member of, which directly translates to the roles they should have in OpenSearch. When this attribute is not correctly processed, users are either denied access or granted incorrect privileges, which can severely compromise the security and functionality of the OpenSearch cluster.

The underlying cause of this issue could be changes in the LDAP query logic, attribute handling, or other internal mechanisms within OpenSearch 3. It's essential to investigate these changes to identify the root cause and implement a fix. This might involve debugging the LDAP query process, examining the changes in the OpenSearch security plugin, and comparing the configurations between OpenSearch 2 and OpenSearch 3.

Impact on Users

The impact of this bug is significant, as it affects anyone using LDAP for authentication and authorization in OpenSearch. Users who rely on LDAP to manage access control will find themselves unable to log in or having incorrect permissions, which can disrupt operations and pose security risks. This is particularly problematic for organizations with complex user roles and permissions managed through LDAP.

Moreover, the bug can lead to increased administrative overhead as administrators scramble to find workarounds or manually manage user roles. This not only adds to their workload but also increases the risk of human error. Therefore, resolving this issue is critical to ensure the smooth functioning of OpenSearch clusters and maintain the integrity of user access control.

How to Reproduce the Bug

To reproduce this bug, follow these steps:

Set up an OpenSearch cluster (version 3).
Configure LDAP authentication using the Approach 1 method, similar to the configuration provided below.
Ensure your LDAP server (e.g., FreeIPA) has group memberships defined under the user's memberOf attribute.
Attempt to log in with a user whose roles are managed through LDAP.

You'll likely find that the user either cannot log in or does not have the correct roles assigned.

Here’s a sample configuration that can be used to reproduce the issue:

      authz:
        ldap_roles:
          description: "Authorize using LDAP"
          http_enabled: true
          transport_enabled: true
          authorization_backend:
            type: ldap
            config:
              enable_ssl: false
              enable_start_tls: false
              enable_ssl_client_auth: false
              verify_hostnames: true
              hosts:
                - "freeipa-1:389"
              bind_dn: uid=opensearch,cn=users,cn=accounts,dc=example,dc=com
              password: "${password}"
              userbase: cn=users,cn=accounts,dc=example,dc=com
              usersearch: (uid={0})
              username_attribute: uid
              skip_users:
                - admin
                - kibanaserver
              userroleattribute: memberOf
              rolesearch_enabled: false
              rolebase: cn=groups,cn=accounts,dc=example,dc=com
              rolename: cn

Detailed Steps for Reproduction

To provide a more comprehensive guide, let's break down the steps for reproducing the bug in detail:

Set up OpenSearch Cluster:
- Install OpenSearch version 3 on a suitable host or within a Docker container.
- Ensure the cluster is running and accessible.
Configure LDAP Authentication:
- Modify the opensearch.yml file to include the LDAP authentication configuration.
- Use the sample configuration provided above as a template.
- Replace the placeholders (e.g., ${password}, freeipa-1:389) with your actual LDAP server details.
Configure LDAP Server (FreeIPA):
- Set up a FreeIPA server or use an existing one.
- Create users and groups within FreeIPA.
- Ensure that the users are members of the appropriate groups, with memberships reflected in the memberOf attribute.
Test LDAP Authentication:
- Attempt to log in to OpenSearch using a user account managed by LDAP.
- Observe the authentication process and check for any errors.
- Verify whether the user is assigned the correct roles based on their group memberships in LDAP.
Verify Role Resolution:
- After successful login (if any), check the user's roles within OpenSearch.
- Confirm whether the roles match the group memberships defined in FreeIPA.
- If the roles are missing or incorrect, the bug is successfully reproduced.

By following these detailed steps, you can reliably reproduce the LDAP authentication bug and gather more information for troubleshooting and resolution. This also helps in verifying any potential fixes or workarounds that may be implemented.

Expected Behavior

Ideally, after upgrading to OpenSearch 3, roles should be resolved exactly as they were in OpenSearch 2. Users should be able to log in seamlessly, and their roles should be correctly mapped based on their LDAP group memberships. Any deviation from this behavior indicates a bug.

Detailed Explanation of Expected Behavior

In OpenSearch 2, the LDAP integration correctly interpreted the memberOf attribute to assign roles to users. This meant that when a user authenticated, OpenSearch would query the LDAP server, retrieve the user's memberOf attribute, and map the corresponding LDAP groups to OpenSearch roles. This process ensured that users had the appropriate permissions and access rights within the OpenSearch cluster.

After upgrading to OpenSearch 3, the expectation is that this behavior remains consistent. The LDAP integration should continue to correctly interpret the memberOf attribute and assign roles accordingly. Any changes in the underlying mechanisms should not affect the end-user experience or the accuracy of role assignments.

Specifically, the following aspects should remain unchanged:

Authentication Process:
- Users should be able to log in using their LDAP credentials without any issues.
- The authentication process should be as seamless and efficient as it was in OpenSearch 2.
Role Mapping:
- The mapping between LDAP groups and OpenSearch roles should be accurate and consistent.
- Users should be assigned the same roles they had in OpenSearch 2, based on their memberOf attribute.
Access Control:
- Users should have the same access rights and permissions as they did in OpenSearch 2.
- No changes in access control should occur due to the upgrade.

Any deviation from these expectations indicates a bug or misconfiguration that needs to be addressed. Therefore, thorough testing and verification are essential after upgrading to OpenSearch 3 to ensure that LDAP authentication and role assignment are functioning correctly.

Host/Environment Details

OS: Linux (Docker)
Version: 9
Plugins: Default in the image

Additional Context

Here are some related forum posts that might provide additional insights:

It seems like others are experiencing similar issues, so hopefully, we can find a solution soon!

Further Investigation and Potential Solutions

To further investigate this issue and find potential solutions, consider the following steps:

Examine OpenSearch Logs:
- Check the OpenSearch logs for any error messages or warnings related to LDAP authentication.
- Look for clues about why the LDAP queries are failing or returning incorrect results.
Debug LDAP Queries:
- Use tools like ldapsearch to manually execute the LDAP queries used by OpenSearch.
- Compare the results with the expected values to identify any discrepancies.
Review OpenSearch Security Configuration:
- Double-check the LDAP authentication configuration in opensearch.yml.
- Ensure that all settings are correct and compatible with OpenSearch 3.
Test with Different LDAP Attributes:
- Try using different LDAP attributes for role mapping to see if the issue is specific to the memberOf attribute.
- This can help narrow down the scope of the problem.
Consult OpenSearch Documentation:
- Review the OpenSearch documentation for any changes or updates related to LDAP authentication in version 3.
- Pay attention to any deprecated features or new requirements.
Seek Community Support:
- Engage with the OpenSearch community through forums, mailing lists, or chat channels.
- Share your findings and ask for help from other users and developers.

By systematically investigating these areas, you can gather more information about the root cause of the issue and potentially find a solution or workaround. Additionally, sharing your findings with the community can help others who may be experiencing similar problems.

Let's keep each other updated as we dig deeper into this issue. Hopefully, we can get this resolved quickly!