[ https://issues.apache.org/jira/browse/HADOOP-9477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13643250#comment-13643250 ]
Kai Zheng commented on HADOOP-9477:
-----------------------------------

Hi Daryn,

Thanks for your comment.

For posixGroups, a possible procedure can be:

    userDn = ldap_lookup( (&(objectClass=posixAccount)(uid={0})) )
    gidNumberX = userDn.gidNumber
    groupDn = ldap_lookup((&(objectClass=posixGroup)(gidNumber={0})), gidNumberX )

Then groupDn is the expected group for that user. Note here one user may have more groups.

For the member attribute, it can only be used for a group like:

    objectClass: XGroup
    groupName: testgroup
    member: user1
    member: user2
    …

For such a group the procedure is something like below, as the current LdapGroupsMapping does:

    userDn = ...
    username = userDn.name
    groupDn = ldap_lookup((&(objectClass=XGroup)(member={0})), username)

Then groupDn is the expected group for that user.

As you can see, the procedure for posixGroups is different from the current implementation. That’s why it requires extra effort.

> posixGroups support for LDAP groups mapping service
> ---------------------------------------------------
>
>                 Key: HADOOP-9477
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9477
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 2.0.5-beta
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It would be nice to support posixGroups for LdapGroupsMapping service. Below
> is from current description for the provider:
> hadoop.security.group.mapping.ldap.search.filter.group:
> An additional filter to use when searching for LDAP groups. This should be
> changed when resolving groups against a non-Active Directory installation.
> posixGroups are currently not a supported group class.
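
Added example, not part of the original comment and not Hadoop's LdapGroupsMapping code: the two lookup procedures described in the comment, run against a small constructed in-memory directory. The DIRECTORY contents, the toy ldap_lookup (it handles only simple AND filters), the RFC 4515 escape helper and the extra memberUid lookup (RFC 2307 supplementary membership, which the comment does not mention) are assumptions made for illustration.

```python
import re

# Constructed sample directory (DN -> attributes); not data from a real server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1001"]},
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["1001"]},
    "cn=etl,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["2002"], "memberUid": ["alice"]},
    "cn=testgroup,ou=groups,dc=example,dc=com": {
        "objectClass": ["XGroup"], "groupName": ["testgroup"], "member": ["user1", "user2"]},
}

def escape(value):
    """RFC 4515 escaping, so a user name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    """Turn \\xx escapes back into literal characters before comparing."""
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ldap_lookup(filter_template, *args):
    """Toy stand-in for an LDAP search: supports only (&(attr=value)...) filters."""
    flt = filter_template.format(*(escape(a) for a in args))
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", flt)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if all(_unescape(v) in attrs.get(a, []) for a, v in terms))

def posix_groups(username):
    """Two-step posixGroup procedure from the comment: user -> gidNumber -> group."""
    groups = set()
    for user_dn in ldap_lookup("(&(objectClass=posixAccount)(uid={0}))", username):
        for gid in DIRECTORY[user_dn]["gidNumber"]:
            groups.update(ldap_lookup("(&(objectClass=posixGroup)(gidNumber={0}))", gid))
    # Assumption beyond the comment: supplementary membership via memberUid.
    groups.update(ldap_lookup("(&(objectClass=posixGroup)(memberUid={0}))", username))
    return sorted(groups)

def member_groups(username):
    """Single-step procedure for groups that list users in a member attribute."""
    return ldap_lookup("(&(objectClass=XGroup)(member={0}))", username)

if __name__ == "__main__":
    print(posix_groups("alice"))   # primary group plus memberUid group
    print(member_groups("user1"))  # group found through the member attribute
```

The member-based filter never sees posixGroup entries, and a name containing filter metacharacters is matched as a literal value rather than altering the search.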