[ 
https://issues.apache.org/jira/browse/AIRFLOW-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639360#comment-16639360
 ] 

Iuliia Volkova commented on AIRFLOW-3020:
-----------------------------------------

[~zeninpalm], do you plan to reopen the pull request?

> LDAP Authentication doesn't check whether a user belongs to a group correctly
> -----------------------------------------------------------------------------
>
>                 Key: AIRFLOW-3020
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0, 1.10.0
>            Reporter: Yi Wei
>            Assignee: Yi Wei
>            Priority: Major
>
> According to Airflow documentation at
> https://airflow.apache.org/security.html#ldap, to enable LDAP
> authentication, we should write airflow.cfg like this:
> [ldap]
> uri = ldap://XXX.YYY.org
> user_filter = objectClass=*
> user_name_attr = sAMAccountName
> superuser_filter = CN=XXX_Programmers
> bind_user = user_on_ldap
> bind_password = insecure
> basedn = OU=Some,DC=other,DC=org
> search_scope = SUBTREE
>  
> But after enabling LDAP authentication, I just cannot log in with a superuser 
> role. I double-checked my membership to the superuser groups and confirmed I 
> belong to the specified group in 'superuser_filter', still Airflow won't 
> recognize me as a superuser.
> So, I checked airflow/contrib/auth/backends/ldap_auth.py, the 
> group_contains_user function doesn't work as I expected:
>  
> This line:
>     conn.search(native(search_base), native(search_filter),
>                 attributes=[native(user_name_attr)])
> it searches the group and extracts the sAMAccountName attribute of the group,
> then:
>     for entry in conn.entries:
>         if user_name in getattr(entry, user_name_attr).values:
>             return True
> the code snippet will never return True, because how can user_name occur in
> group_name anyway?
> Not sure if this issue only occurs in my company, please correct me if you 
> have any suggestion.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
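
The behaviour described in the issue, reproduced as an added example (not Airflow's code and not the change from the pull request): a constructed in-memory directory stands in for the LDAP server, and `search`, `find_user_dn` and both check functions are hypothetical names. It assumes an Active Directory-style group whose `member` attribute holds user DNs.

```python
# Constructed sample directory (not from the issue): DN -> attributes.
DIRECTORY = {
    "CN=XXX_Programmers,OU=Some,DC=other,DC=org": {
        "objectClass": ["group"],
        "sAMAccountName": ["XXX_Programmers"],
        "member": ["CN=Alice Example,OU=Some,DC=other,DC=org"],
    },
    "CN=Alice Example,OU=Some,DC=other,DC=org": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
    },
    "CN=Bob Example,OU=Some,DC=other,DC=org": {
        "objectClass": ["user"], "sAMAccountName": ["bob"],
    },
}

def search(cn):
    """Stand-in for conn.search() with a filter such as CN=XXX_Programmers."""
    prefix = "cn=" + cn.lower() + ","
    return [a for dn, a in DIRECTORY.items() if dn.lower().startswith(prefix)]

def group_check_as_reported(group_cn, user_name, user_name_attr="sAMAccountName"):
    """The check as the reporter describes it: the filter matches the group
    entry, so user_name is compared with the group's own sAMAccountName."""
    for entry in search(group_cn):
        if user_name in entry.get(user_name_attr, []):
            return True
    return False

def find_user_dn(user_name, user_name_attr="sAMAccountName"):
    """Resolve a login name to the DN of a user entry, or None."""
    for dn, attrs in DIRECTORY.items():
        names = [v.lower() for v in attrs.get(user_name_attr, [])]
        if "user" in attrs["objectClass"] and user_name.lower() in names:
            return dn
    return None

def group_check_by_member(group_cn, user_name):
    """Assumed alternative: compare the user's DN with the group's member values."""
    user_dn = find_user_dn(user_name)
    if user_dn is None:
        return False  # unknown login name: deny
    for entry in search(group_cn):
        if user_dn.lower() in (m.lower() for m in entry.get("member", [])):
            return True
    return False
```

Nested group membership is not resolved here; only direct `member` values are compared.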