[ https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16657663#comment-16657663 ]
ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

GitHub user chemikadze opened a pull request:

    https://github.com/apache/incubator-griffin/pull/441

    [GRIFFIN-207] LDAP login service improvements

    - allow non-CN usernames
    - allow disabling certificate checks
    - allow limiting set of login users
    - improve logging

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/chemikadze/incubator-griffin GRIFFIN-207

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-griffin/pull/441.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #441

----
commit 8e1b56bfd0a458daacdc086190740ccf471d3e2e
Author: Nikolay Sokolov <chemikadze@...>
Date:   2018-10-20T02:04:20Z

    [GRIFFIN-207] LDAP login service improvements

    - allow non-CN usernames
    - allow disabling certificate checks
    - allow limiting set of login users
    - improve logging

----

> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
>                 Key: GRIFFIN-207
>                 URL: https://issues.apache.org/jira/browse/GRIFFIN-207
>             Project: Griffin (Incubating)
>          Issue Type: Bug
>            Reporter: Nikolay Sokolov
>            Priority: Major
>
> Currently LDAP auth performs bind to principal with name
> "${username}${ldap.email}", and searches through user objects
> ldap.searchPattern. Result of search then only used to retrieve fullName of
> the user.
> There are two problems here:
> * login username can not be different than CN, as it is used to perform LDAP
> bind
> * it is not possible to restrict access to specific groups
> Typical approach used in other software products is to use separate bind
> account, which would search through LDAP objects using search pattern, and
> then use found object's DN to perform password check.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
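
The search-then-bind flow described in the issue, written against the JDK's JNDI LDAP provider as an added example; it is not code from the pull request or from Griffin. The class, method and parameter names are assumptions, and a group restriction is expressed in the search pattern itself, for instance the constructed filter `(&(uid={0})(memberOf=cn=griffin-users,ou=groups,dc=example,dc=org))` on a directory that exposes `memberOf`.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
// Hypothetical class; names are illustrative, not Griffin's code or config keys.
public class SearchThenBindLogin {
    static DirContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Returns the authenticated user's DN, or null if the login is refused.
    static String login(String url, String svcDn, String svcPassword, String base,
                        String searchPattern, String username, String password)
            throws NamingException {
        // An empty password makes a simple bind unauthenticated; refuse it up front.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) return null;
        String userDn;
        DirContext svc = bind(url, svcDn, svcPassword);   // separate bind account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // The {0} argument is escaped by JNDI, so the name cannot alter the filter.
            NamingEnumeration<SearchResult> hits =
                svc.search(base, searchPattern, new Object[] {username}, sc);
            if (!hits.hasMore()) return null;             // no match, or not in the group
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return null;              // ambiguous match: refuse
        } finally {
            svc.close();
        }
        try {
            bind(url, userDn, password).close();          // password check as the found DN
            return userDn;
        } catch (AuthenticationException e) {
            return null;
        }
    }
}
```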