Christopher Carney created AIRFLOW-4770:
-------------------------------------------
Summary: Group Filter doesn't work on LDAP Integration for AD with
large groups
Key: AIRFLOW-4770
URL: https://issues.apache.org/jira/browse/AIRFLOW-4770
Project: Apache Airflow
Issue Type: Bug
Components: authentication, security
Affects Versions: 1.10.3
Reporter: Christopher Carney
It seems as though group_filter under [ldap] in configuration isn't being used
properly by the search filter. As per documentation
(https://airflow.apache.org/security.html#ldap):
user_name_attr = sAMAccountName
group_member_attr = memberOf
superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
Currently I am following this exact structure. Method groups_user in
ldap_auth.py correctly fetches all the groups a user belongs to by using this
search filter:
search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_att, username)
superuser_filter is used in method group_contains_user which looks like it
should be using the same filter style, however, uses this style instead:
search_filter = '(&({0}))'.format(group_filter)
This search filter isn't working for AD authentication *because for large LDAP
groups (enterprise sized) the AD server isn't returning all users*. By manually
changing the search filter to include user_name_attr and username (as per
groups_user):
search_filter = "(&({0})({1}={2}))".format(group_filter, user_name_attr, username)
The method is more efficiently allowing the LDAP server to do the querying.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
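
Added example (not part of the original report and not Airflow's ldap_auth.py): a toy in-memory directory showing why the group-only filter misses users once the server truncates the result, while the combined filter lets the server do the match. The 1000-entry size limit, the 1500 constructed users, the client-side scan after the group-only search, and all function names are assumptions; the username is RFC 4515-escaped before it is placed in the filter.

```python
import re

SIZE_LIMIT = 1000  # assumed cap on entries the server returns per search
GROUP_DN = "CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com"
GROUP_FILTER = "memberOf=" + GROUP_DN

# Constructed directory: 1500 group members plus one user outside the group.
DIRECTORY = [{"sAMAccountName": ["user%04d" % i], "memberOf": [GROUP_DN]}
             for i in range(1500)]
DIRECTORY.append({"sAMAccountName": ["outsider"], "memberOf": []})

def escape_filter_value(value):
    """RFC 4515 escaping so filter metacharacters in a username match literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    """Reverse the \\XX hex escapes, as a server does before comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, search_filter):
    """Toy server: AND of (attr=value) terms, result truncated at SIZE_LIMIT."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", search_filter)
    hits = [e for e in directory
            if all(e.get(a) if v == "*" else unescape(v) in e.get(a, [])
                   for a, v in terms)]
    return hits[:SIZE_LIMIT]

def contains_user_group_only(directory, group_filter, user_name_attr, username):
    """Group-only filter; the user is then looked for in whatever came back."""
    search_filter = "(&({0}))".format(group_filter)
    return any(username in e[user_name_attr]
               for e in search(directory, search_filter))

def contains_user_combined(directory, group_filter, user_name_attr, username):
    """Filter style proposed in the report: the server matches group and user."""
    search_filter = "(&({0})({1}={2}))".format(
        group_filter, user_name_attr, escape_filter_value(username))
    return bool(search(directory, search_filter))

if __name__ == "__main__":
    for name in ("user0001", "user1499", "outsider"):
        print(name,
              contains_user_group_only(DIRECTORY, GROUP_FILTER, "sAMAccountName", name),
              contains_user_combined(DIRECTORY, GROUP_FILTER, "sAMAccountName", name))
```

In this toy run, user1499 is a group member but falls past the truncated result, so only the combined filter finds it.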