[jira] [Commented] (GRIFFIN-207) LDAP auth is not supporting group filters and non-CN login names

Fri, 19 Oct 2018 19:08:08 -0700 


    [ 
https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16657663#comment-16657663
 ] 

ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

GitHub user chemikadze opened a pull request:

    https://github.com/apache/incubator-griffin/pull/441

    [GRIFFIN-207] LDAP login service improvements

      - allow non-CN usernames
      - allow disabling certificate checks
      - allow limiting set of login users
      - improve logging

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/chemikadze/incubator-griffin GRIFFIN-207

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-griffin/pull/441.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #441
    
----
commit 8e1b56bfd0a458daacdc086190740ccf471d3e2e
Author: Nikolay Sokolov <chemikadze@...>
Date:   2018-10-20T02:04:20Z

    [GRIFFIN-207] LDAP login service improvements
    
      - allow non-CN usernames
      - allow disabling certificate checks
      - allow limiting set of login users
      - improve logging

----


> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
>                 Key: GRIFFIN-207
>                 URL: https://issues.apache.org/jira/browse/GRIFFIN-207
>             Project: Griffin (Incubating)
>          Issue Type: Bug
>            Reporter: Nikolay Sokolov
>            Priority: Major
>
> Currently LDAP auth performs bind to principal with name 
> "${username}${ldap.email}", and searches through user objects 
> ldap.searchPattern. Result of search then only used to retrieve fullName of 
> the user.
> There are two problems here:
>  * login username can not be different than CN, as it is used to perform LDAP 
> bind
>  * it is not possible to restrict access to specific groups
> Typical approach used in other software products is to use separate bind 
> account, which would search through LDAP objects using search pattern, and 
> then use found object's DN to perform password check.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to