[
https://issues.apache.org/jira/browse/AIRFLOW-4770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861229#comment-16861229
]
Christopher Carney commented on AIRFLOW-4770:
---------------------------------------------
According to ldap3.Connection documentation:
"The _auto_range_ feature is very useful when searching Active Directory
servers. When an Active Directory search returns more than 1000 entries this
feature is automatically used by the server. So it can happen that your code
works seamlessly until your data grow to exceed the 1000 entries limit and your
code stops working properly without any apparent reason."
auto_range is set to True by default, but I am still only seeing 1000 records
being returned. Even when explicitly setting conn.auto_range = True in
ldap_auth.py, I am still seeing this issue.
> Group Filter doesn't work on LDAP Integration for AD with large groups
> ----------------------------------------------------------------------
>
> Key: AIRFLOW-4770
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4770
> Project: Apache Airflow
> Issue Type: Bug
> Components: authentication
> Affects Versions: 1.10.3
> Reporter: Christopher Carney
> Priority: Major
>
> It seems as though group_filter under [ldap] in configuration isn't being
> used properly by the search filter and is creating unnecessary work for the
> webserver. As per documentation
> ([https://airflow.apache.org/security.html#ldap]):
> user_name_attr = sAMAccountName
> group_member_attr = memberOf
> superuser_filter =
> memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
> Currently I am following this structure. Method groups_user in ldap_auth.py
> correctly fetches all the groups a user belongs to by using this search
> filter:
> search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_attr,
> username)
>
> superuser_filter from airflow.cfg is used in method group_contains_user which
> looks like it should be using the same filter style, however, uses this style
> instead:
> search_filter = '(&({0}))'.format(group_filter)
> This search filter isn't working for AD authentication *because for large
> LDAP groups (enterprise sized) the AD server isn't returning all users*. By
> manually changing the search filter to include user_name_attr and username (as
> per groups_user):
> search_filter = "(&({0})({1}={2}))".format(group_filter, user_name_attr,
> username)
> The method is more efficiently allowing the LDAP server to do the querying.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
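
The difference between the two filter styles in the issue, as an added example that is not part of the original message or of Airflow's ldap_auth.py. It assumes a constructed in-memory directory and a stand-in search function that truncates at 1000 entries to model the reported symptom; `escape_filter_value`, `parse_and_filter`, `simulated_search` and the two `check_*` helpers are hypothetical names, and the RFC 4515 escaping of the username is an addition here.

```python
import re

AD_RESULT_CAP = 1000  # per-search entry limit the comment reports seeing
GROUP_DN = 'CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com'
GROUP_FILTER = 'memberOf=' + GROUP_DN  # superuser_filter value from the issue

# Constructed directory: 1500 group members plus one account outside the group.
DIRECTORY = [{'sAMAccountName': ['user%04d' % i], 'memberOf': [GROUP_DN]}
             for i in range(1500)]
DIRECTORY.append({'sAMAccountName': ['outsider'], 'memberOf': []})

def escape_filter_value(value):
    """Hex-escape RFC 4515 special characters so a username stays a literal."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def parse_and_filter(search_filter):
    """Split a flat '(&(attr=value)...)' filter into unescaped (attr, value) pairs."""
    unhex = lambda m: chr(int(m.group(1), 16))
    return [(attr, re.sub(r'\\([0-9a-fA-F]{2})', unhex, value))
            for attr, value in re.findall(r'\(([^=()&]+)=([^()]*)\)', search_filter)]

def simulated_search(search_filter):
    """Stand-in for the AD server: evaluate the filter, then truncate at the cap."""
    pairs = parse_and_filter(search_filter)
    hits = [e for e in DIRECTORY if all(v in e.get(a, []) for a, v in pairs)]
    return hits[:AD_RESULT_CAP]

def check_group_wide(username):
    """Filter style reported for group_contains_user: fetch members, scan locally."""
    entries = simulated_search('(&({0}))'.format(GROUP_FILTER))
    return any(username in e['sAMAccountName'] for e in entries)

def check_user_scoped(username, user_name_attr='sAMAccountName'):
    """Filter style proposed in the issue: the server matches group and user."""
    search_filter = '(&({0})({1}={2}))'.format(
        GROUP_FILTER, user_name_attr, escape_filter_value(username))
    return len(simulated_search(search_filter)) > 0

if __name__ == '__main__':
    for name in ('user0005', 'user1499', 'outsider'):
        print(name, check_group_wide(name), check_user_scoped(name))
```

With the group-wide filter, a member who falls past the 1000th returned entry is treated as not in the group; the user-scoped filter returns at most one entry, so the cap never comes into play.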