
[BUG] Multiple AuthC LDAP Requests

Open · WatsCo opened this issue 1 year ago · 1 comment

What is the bug? When logging in using OpenSearch Dashboards, multiple separate LDAP authentication requests (authc) are being made for a single login within a second of one another.

The number of LDAP queries varies between login attempts. Sometimes it's just three, sometimes it will be upwards of eight. All of the requests return as successful.

How can one reproduce the bug? Login using the following OpenSearch config.yml.

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      # Domains are tried in ascending order; the internal users DB is checked first,
      # and only credentials it rejects fall through to the LDAP domain below.
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false   # the internal domain already sends the 401 challenge
        authentication_backend:
          type: ldap
          config:
            # With enable_ssl and enable_start_tls both false the bind on port 389 is
            # plaintext and the trusted CA bundle below is not used.
            pemtrustedcas_filepath: /usr/share/opensearch/config/ca_bundle.pem
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - xxx.xxx.xxx:389
            bind_dn: 'CN=LDAP_Bind,OU=xxx,DC=xxx,DC=xxx,DC=xxx'
            password: xxxxxxxxxxxxx
            userbase: 'DC=xxx,DC=xxx,DC=xxx'
            usersearch: '(sAMAccountName={0})'
            username_attribute: 'sAMAccountName'
            connect_timeout: 60000   # milliseconds
            response_timeout: 0      # milliseconds; 0 means no response timeout
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            # Separate host (AD global catalog port 3268) from the authc domain,
            # so authz traffic can be told apart from authc traffic on the wire.
            pemtrustedcas_filepath: /usr/share/opensearch/config/ca_bundle.pem
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
              - xxx.xxx.xxx:3268
            bind_dn: 'CN=ldap_bind,OU=xxx,DC=xxx,DC=xxx,DC=xxx'
            password: xxxxxxxxxxxxx
            rolebase: 'OU=role_base,OU=xxx,DC=xxx,DC=xxx,DC=xxx'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: 'disabled'
            rolename: 'cn'
            resolve_nested_roles: true
            userbase: 'DC=xxx,DC=xxx,DC=xxx'
            usersearch: '(sAMAccountName={0})'
            skip_users:
              - 'admin'
              - 'kibanaserver'
            connect_timeout: 60000   # milliseconds
            response_timeout: 0      # milliseconds; 0 means no response timeout

What is the expected behavior? When accessing OpenSearch via curl commands using the same config, only one LDAP request is made for authentication. This is how we'd expect OpenSearch Dashboards to operate.

Example of a command that only results in one LDAP query: curl -u ldap_user "https://$(serverFQDN):9200/_cluster/health?pretty=true" --insecure

What is your host/environment?

  • OS: Kubernetes 1.27.10
  • OpenSearch Version: 2.11.1
  • OpenSearch Dashboards Version: 2.11.1
  • Plugins: Default

Do you have any additional context? We're using different hosts for our authc config vs our authz config, so we've been able to eliminate authz as a potential issue.

This config is just to test an LDAP integration; it isn't being used in production.

WatsCo · Dec 12 '23 01:12
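One way to quantify what the report describes (several successful authentications for one user within a second of each other after a Dashboards login, versus a single one for a curl call) is to run the security plugin's audit log through a small burst detector. The script below is an added example and is not code from the issue or from the security-dashboards-plugin project. The audit lines are constructed, and the field names (`@timestamp`, `audit_category`, `audit_request_origin`, `audit_request_effective_user`) are assumed to match the plugin's JSON audit log; if your deployment emits different names, adjust `parse_audit_line()`.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_line(ts, user, category="AUTHENTICATED", origin="REST"):
    """Build one constructed audit-log line in the assumed field layout."""
    return json.dumps({
        "@timestamp": ts,
        "audit_category": category,
        "audit_request_origin": origin,
        "audit_request_effective_user": user,
    })


# Constructed sample input, not taken from the issue or from any real cluster.
SAMPLE_AUDIT_LINES = [
    # Simulated Dashboards login: five successful authentications within ~600 ms.
    _constructed_line("2023-12-12T01:10:00.100+00:00", "ldap_user"),
    _constructed_line("2023-12-12T01:10:00.250+00:00", "ldap_user"),
    _constructed_line("2023-12-12T01:10:00.310+00:00", "ldap_user"),
    _constructed_line("2023-12-12T01:10:00.480+00:00", "ldap_user"),
    _constructed_line("2023-12-12T01:10:00.700+00:00", "ldap_user"),
    # Simulated curl call five minutes later: exactly one authentication.
    _constructed_line("2023-12-12T01:15:02.000+00:00", "ldap_user"),
    # Service user authenticating twice, ten seconds apart: not a burst.
    _constructed_line("2023-12-12T01:10:05.000+00:00", "kibanaserver"),
    _constructed_line("2023-12-12T01:10:15.000+00:00", "kibanaserver"),
    # Lines the detector must ignore: a failed login, a transport-layer event, junk.
    _constructed_line("2023-12-12T01:10:00.900+00:00", "ldap_user", category="FAILED_LOGIN"),
    _constructed_line("2023-12-12T01:10:00.950+00:00", "ldap_user", origin="TRANSPORT"),
    "not json at all",
]


def parse_audit_line(line):
    """Return (timestamp, user, category, origin), or None for malformed lines."""
    try:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["@timestamp"])
        return (ts, rec["audit_request_effective_user"],
                rec["audit_category"], rec["audit_request_origin"])
    except (ValueError, KeyError, TypeError):
        return None


def successful_rest_auths(lines):
    """Return (user, timestamp) pairs for successful REST-layer authentications, time-sorted."""
    events = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        ts, user, category, origin = parsed
        if category == "AUTHENTICATED" and origin == "REST":
            events.append((user, ts))
    return sorted(events, key=lambda e: e[1])


def find_bursts(events, gap=timedelta(seconds=1), threshold=2):
    """Cluster each user's authentications where consecutive events are <= gap apart.

    Returns {user: [cluster sizes >= threshold]}. A lone curl login never shows up;
    a Dashboards login that triggers several backend authentications does.
    """
    per_user = defaultdict(list)
    for user, ts in events:
        per_user[user].append(ts)
    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        clusters, current = [], [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= gap:
                current.append(cur)
            else:
                clusters.append(len(current))
                current = [cur]
        clusters.append(len(current))
        sizes = [n for n in clusters if n >= threshold]
        if sizes:
            bursts[user] = sizes
    return bursts


if __name__ == "__main__":
    evts = successful_rest_auths(SAMPLE_AUDIT_LINES)
    print(f"{len(evts)} successful REST authentications")
    for user, sizes in find_bursts(evts).items():
        print(f"{user}: bursts of {sizes} authentications within 1 s of each other")
```

Run it against a real audit log by replacing `SAMPLE_AUDIT_LINES` with the file's lines; a burst size that matches the number of LDAP binds seen on the directory side for the same login confirms the extra requests are separate authentications rather than retries, and comparing the Dashboards user's burst sizes with a curl-only user gives the before/after number for any fix.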

[Triage] Thanks for filing, we should have only the number of outbound LDAP requests to support the security plugin's functionality - there shouldn't be extra requests. We accept a PR to reduce or help manage this number of requests.

peternied · Dec 18 '23 16:12