xasx opened a new issue #9873:
URL: https://github.com/apache/druid/issues/9873
### Description
1. Allow for customizing the membership attribute of an LDAP user.
In other words, support different attributes than `memberOf` to look a
user's membership up.
2. Allow for custom formats of the membership attribute's content.
Don't expect a complete DN to be there, but part of it which could be
extended to a full DN through a pattern or similar.
OR:
1. Derive the membership the other way round, by looking into group-like
LDAP objects and examining their `member` attribute.
### Motivation
Our company's LDAP allows for managing many different software access
management by employing so-called Tools. Each Tool gets its own subtree where
all possible authenticatable users are mapped into a subgroup named users.
Furthermore, there is a subgroup called roles that each Tool admin can use for
further distinguishing the authorization part. The LDAP objects found hereunder
comprise their respective members in a `member` attribute. By default, this is
the source of role/group relationship for a user.
Druid LDAP integration relies on the other way round. Each user must have a
`memberOf` attribute. For some reason, this is not generally available in my
corporate LDAP and must be activated on request for a Tool by leveraging some
hand-crafted Perl scripts writing the _name of the role only_ into an attribute
called `o` (they told me it is for the reason of an LDAP schema not supporting
`memberOf`).
With this approach, there are two differences from the current
implementation:
1. The name of the attribute is different
2. The attribute contains the name of a group, not its full DN
With the original approach, there's just the issue that looking up
membership is done vice versa, but it might be worthwhile to be supported in
favor of supporting many different memberOf-scenarios.
Please let me know any ideas, thoughts etc.
Thanks.
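
Added example, not part of the original issue and not Druid code: the two lookup directions described above (a custom attribute such as `o` holding bare role names expanded through a pattern, and a reverse lookup over the groups' `member` attribute), run against a constructed in-memory directory. The DNs, the `cn={},...` pattern and all function names are assumptions; values are escaped before they are placed into a DN (RFC 4514) or a search filter (RFC 4515).

```python
# Constructed sample directory (DN -> attributes). The layout follows the issue's
# description; every name and value here is an assumption.
ROLES_BASE = "ou=roles,ou=druid,o=example"
ALICE = "cn=alice,ou=users,ou=druid,o=example"
BOB = "cn=bob,ou=users,ou=druid,o=example"
DIRECTORY = {
    ALICE: {"o": ["admins", "readers"]},
    "cn=admins," + ROLES_BASE: {"member": [ALICE]},
    "cn=readers," + ROLES_BASE: {"member": [ALICE, BOB]},
    "cn=writers," + ROLES_BASE: {"member": [BOB]},
}

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out.replace("\x00", "\\00")

def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in value)

def groups_from_attribute(user_dn, attr="o", pattern="cn={}," + ROLES_BASE):
    """Custom membership attribute holding bare names, expanded to full DNs."""
    names = DIRECTORY.get(user_dn, {}).get(attr, [])
    return sorted(pattern.format(escape_dn_value(n)) for n in names)

def member_filter(user_dn):
    """Filter a reverse lookup would send to the server, scoped to ROLES_BASE."""
    return "(member={})".format(escape_filter_value(user_dn))

def groups_from_member(user_dn, base=ROLES_BASE):
    """Reverse lookup: group-like entries under base listing the user in `member`."""
    wanted = user_dn.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.lower().endswith("," + base.lower())
                  and wanted in (m.lower() for m in attrs.get("member", [])))
```

Both directions return the same group DNs for the sample user, and a role name containing a comma stays inside a single RDN value instead of altering the resulting DN.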