[ https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658260#comment-16658260 ]
ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

Github user guoyuepeng commented on a diff in the pull request:

https://github.com/apache/incubator-griffin/pull/441#discussion_r226866655

--- Diff: service/src/main/java/org/apache/griffin/core/login/LoginServiceLdapImpl.java ---
@@ -48,68 +53,137 @@ Licensed to the Apache Software Foundation (ASF) under one private String searchBase; private String searchPattern; private SearchControls searchControls; + private boolean sslSkipVerify; + private String bindDN; + private String bindPassword; public LoginServiceLdapImpl(String url, String email, String searchBase, - String searchPattern) { + String searchPattern, boolean sslSkipVerify, + String bindDN, String bindPassword) { this.url = url; this.email = email; this.searchBase = searchBase; this.searchPattern = searchPattern; + this.sslSkipVerify = sslSkipVerify; + this.bindDN = bindDN; + this.bindPassword = bindPassword; SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); this.searchControls = searchControls; } @Override public ResponseEntity<Map<String, Object>> login(Map<String, String> map) { - String ntAccount = map.get("username"); + String username = map.get("username");
--- End diff --

LGTM.

> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
> Key: GRIFFIN-207
> URL: https://issues.apache.org/jira/browse/GRIFFIN-207
> Project: Griffin (Incubating)
> Issue Type: Bug
> Reporter: Nikolay Sokolov
> Assignee: Nikolay Sokolov
> Priority: Major
>
> Currently LDAP auth performs a bind to the principal named "${username}${ldap.email}", and searches through user objects with ldap.searchPattern. The result of the search is then only used to retrieve the fullName of the user.
> There are two problems here:
> * the login username cannot be different from the CN, as it is used to perform the LDAP bind
> * it is not possible to restrict access to specific groups
> The typical approach used in other software products is to use a separate bind account, which searches through LDAP objects using the search pattern, and then uses the found object's DN to perform the password check.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
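Review bot: the new `sslSkipVerify` flag is accepted and stored by the constructor with no guard, default or warning visible in this hunk; when it is `true` the connection that carries `bindPassword` and every user's login password runs without server certificate verification, so an on-path attacker can read both. Suggest defaulting it to `false` in the configuration, logging a prominent warning when it is enabled, and documenting it as a development-only setting. The constructor also stores `bindDN` and `bindPassword` without checking for null or empty values; an empty DN and password passed to a simple bind is treated as an anonymous bind by most directories, so reject them here (`if (bindDN == null || bindDN.isEmpty()) throw new IllegalArgumentException(...)`) rather than discovering it at search time. Minor: the local `SearchControls searchControls` shadows the field of the same name; `this.searchControls = new SearchControls();` followed by `this.searchControls.setSearchScope(...)` avoids the shadowing.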
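The search-then-bind flow that the issue description recommends (service account searches for the user with a filter that also restricts group membership, then a second bind as the found DN proves the password), written out as an added example. This is not Griffin's code and not the pull request's implementation; the class name, the configuration values in the comments, the `uid` and `memberOf` attributes in the example filter, and the `ldaps://` URL are all assumptions. It uses only the JNDI LDAP provider that ships with the JDK.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind LDAP authentication (added example; hypothetical class, not Griffin code). */
public final class SearchThenBindAuthenticator {

    // Assumed configuration (hypothetical values, not from the Griffin project):
    //   url          "ldaps://ldap.example.test:636"  -- LDAPS so credentials never travel in clear
    //   bindDN       "cn=griffin-svc,ou=services,dc=example,dc=test"  -- service account, search only
    //   searchBase   "ou=people,dc=example,dc=test"
    //   searchFilter "(&(objectClass=person)(uid={0})(memberOf=cn=griffin-users,ou=groups,dc=example,dc=test))"
    // {0} is replaced by the login name; the memberOf clause is the group restriction.
    private final String url;
    private final String bindDN;
    private final String bindPassword;
    private final String searchBase;
    private final String searchFilter;

    public SearchThenBindAuthenticator(String url, String bindDN, String bindPassword,
                                       String searchBase, String searchFilter) {
        // An empty DN/password pair becomes an anonymous bind on most directories;
        // refuse it up front instead of silently searching unauthenticated.
        if (bindDN == null || bindDN.isEmpty() || bindPassword == null || bindPassword.isEmpty()) {
            throw new IllegalArgumentException("service bind credentials are required");
        }
        this.url = url;
        this.bindDN = bindDN;
        this.bindPassword = bindPassword;
        this.searchBase = searchBase;
        this.searchFilter = searchFilter;
    }

    /** Returns the authenticated user's DN, or null if the login is rejected for any reason. */
    public String authenticate(String username, String password) {
        // Never forward an empty password: a simple bind with an empty password is an
        // anonymous bind, which would "succeed" for any existing DN.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }

        // Step 1: service account searches for exactly one entry matching the filter.
        String userDN = null;
        DirContext serviceCtx = null;
        try {
            serviceCtx = new InitialDirContext(env(bindDN, bindPassword));
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // only the DN is needed
            // The filterArgs overload encodes {0}, so filter metacharacters in the
            // login name cannot alter the filter (no string concatenation here).
            NamingEnumeration<SearchResult> results =
                serviceCtx.search(searchBase, searchFilter, new Object[] { username }, controls);
            if (!results.hasMore()) {
                return null;                       // unknown user or not in the required group
            }
            userDN = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null;                       // ambiguous match: refuse rather than guess
            }
        } catch (NamingException e) {
            return null;                           // directory unreachable or service bind failed
        } finally {
            close(serviceCtx);
        }
        if (userDN == null) {
            return null;
        }

        // Step 2: bind as the user's own DN; success proves possession of the password.
        DirContext userCtx = null;
        try {
            userCtx = new InitialDirContext(env(userDN, password));
            return userDN;
        } catch (NamingException e) {
            return null;                           // wrong password (or account disabled)
        } finally {
            close(userCtx);
        }
    }

    private Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // No custom socket factory: the JVM's default trust store verifies the
        // server certificate, which is the behaviour an "ssl skip verify" flag would remove.
        return env;
    }

    private static void close(DirContext ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

The returned DN can then be used for a second, read-only lookup of display attributes such as fullName under the service account, as the issue describes. Because the group restriction lives in the search filter, a user who is not a member of the configured group never reaches the password bind at all, and a directory that contains two entries for the same login name is treated as a failure instead of authenticating against whichever entry happened to come first.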