authcrunch / authcrunch.github.io

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

ldap: document fallback role directive #33

Open greenpau opened 2 years ago

greenpau commented 2 years ago

If a user authenticated successfully, but the group match failed, the following log messages (specifically LDAP authentication failed: no matched groups) get generated:

2022/06/11 18:20:17.408 DEBUG   security        LDAP search succeeded   {"server": "ldap://ldap.forumsys.com", "entry_count": 1, "search_base_dn": "DC=EXAMPLE,DC=COM", "search_user_filter": "(&(|(uid=riemann)(mail=riemann))(objectClass=inetOrgPerson))", "users": [{"DN":"uid=riemann,dc=example,dc=com","Attributes":[{"Name":"cn","Values":["Bernhard Riemann"],"ByteValues":["QmVybmhhcmQgUmllbWFubg=="]},{"Name":"uid","Values":["riemann"],"ByteValues":["cmllbWFubg=="]},{"Name":"mail","Values":["riemann@ldap.forumsys.com"],"ByteValues":["cmllbWFubkBsZGFwLmZvcnVtc3lzLmNvbQ=="]}]}]}
2022/06/11 18:20:17.418 WARN    security        Bad Request     {"session_id": "1UOKHLTUlBiAD1DCziSd015yDi2tTO5yzzFlE", "request_id": "fd841467-c8be-4e09-b1eb-d534c2745a76", "error": "LDAP authentication failed: no matched groups", "source_address": "10.0.2.2"}

I will be adding a new directive - fallback role <role_name> [<role_name>]

        ldap identity store example.com {
            groups {
                "ou=scientists,dc=example,dc=com" authp/user
            }
            fallback role authp/user
        }

This way, if no matched groups appear, the user will be assigned one or more roles specified via the fallback role directive.
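The role-resolution rule the comment describes (group-to-role mapping first, the fallback roles only when no group matched, and the existing "no matched groups" failure when neither applies), as an added stand-alone illustration. This is not caddy-security's code: the `LDAPConfig` type, the `ResolveRoles` function and the sample group list are hypothetical, and group DNs are compared case-insensitively, which is an assumption made here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LDAPConfig is a hypothetical stand-in for the relevant parts of the
// "ldap identity store" block in the issue: the groups { <dn> <role> } map
// and the roles from the "fallback role <role_name> [<role_name>]" directive.
type LDAPConfig struct {
	Groups        map[string][]string // group DN (lowercase) -> roles granted
	FallbackRoles []string            // roles assigned when no group matched
}

// ErrNoMatchedGroups reproduces the error text seen in the issue's log line.
var ErrNoMatchedGroups = errors.New("LDAP authentication failed: no matched groups")

// ResolveRoles takes the group DNs the directory reports for an already
// authenticated user and returns the roles to assign. Group matches win;
// otherwise the fallback roles are used; with neither, authentication fails
// exactly as the issue describes. DNs are matched case-insensitively (assumption).
func ResolveRoles(cfg LDAPConfig, memberOf []string) ([]string, error) {
	seen := map[string]bool{}
	var roles []string
	for _, dn := range memberOf {
		for _, r := range cfg.Groups[strings.ToLower(dn)] {
			if !seen[r] {
				seen[r] = true
				roles = append(roles, r)
			}
		}
	}
	if len(roles) > 0 {
		return roles, nil
	}
	if len(cfg.FallbackRoles) > 0 {
		// Copy so callers cannot mutate the configured slice.
		return append([]string(nil), cfg.FallbackRoles...), nil
	}
	return nil, ErrNoMatchedGroups
}

func main() {
	cfg := LDAPConfig{
		Groups: map[string][]string{
			"ou=scientists,dc=example,dc=com": {"authp/user"},
		},
	}
	// Constructed scenario: the user from the issue's log, member of no mapped group.
	if _, err := ResolveRoles(cfg, nil); err != nil {
		fmt.Println("without fallback:", err)
	}
	cfg.FallbackRoles = []string{"authp/user"}
	roles, _ := ResolveRoles(cfg, nil)
	fmt.Println("with fallback:", roles)
}
```

Running the block prints the "no matched groups" failure first and then the fallback-assigned role, which is the before/after behaviour the directive is meant to produce.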