[jira] [Commented] (GRIFFIN-207) LDAP auth is not supporting group filters and non-CN login names

Sun, 21 Oct 2018 08:21:29 -0700 


    [ 
https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658260#comment-16658260
 ] 

ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

Github user guoyuepeng commented on a diff in the pull request:

    https://github.com/apache/incubator-griffin/pull/441#discussion_r226866655
  
    --- Diff: 
service/src/main/java/org/apache/griffin/core/login/LoginServiceLdapImpl.java 
---
    @@ -48,68 +53,137 @@ Licensed to the Apache Software Foundation (ASF) under 
one
         private String searchBase;
         private String searchPattern;
         private SearchControls searchControls;
    +    private boolean sslSkipVerify;
    +    private String bindDN;
    +    private String bindPassword;
     
         public LoginServiceLdapImpl(String url, String email, String 
searchBase,
    -                                String searchPattern) {
    +                                String searchPattern, boolean 
sslSkipVerify,
    +                                String bindDN, String bindPassword) {
             this.url = url;
             this.email = email;
             this.searchBase = searchBase;
             this.searchPattern = searchPattern;
    +        this.sslSkipVerify = sslSkipVerify;
    +        this.bindDN = bindDN;
    +        this.bindPassword = bindPassword;
             SearchControls searchControls = new SearchControls();
             searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
             this.searchControls = searchControls;
         }
     
         @Override
         public ResponseEntity<Map<String, Object>> login(Map<String, String> 
map) {
    -        String ntAccount = map.get("username");
    +        String username = map.get("username");
    --- End diff --
    
    LGTM.


> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
>                 Key: GRIFFIN-207
>                 URL: https://issues.apache.org/jira/browse/GRIFFIN-207
>             Project: Griffin (Incubating)
>          Issue Type: Bug
>            Reporter: Nikolay Sokolov
>            Assignee: Nikolay Sokolov
>            Priority: Major
>
> Currently LDAP auth performs bind to principal with name 
> "${username}${ldap.email}", and searches through user objects 
> ldap.searchPattern. Result of search then only used to retrieve fullName of 
> the user.
> There are two problems here:
>  * login username can not be different than CN, as it is used to perform LDAP 
> bind
>  * it is not possible to restrict access to specific groups
> Typical approach used in other software products is to use separate bind 
> account, which would search through LDAP objects using search pattern, and 
> then use found object's DN to perform password check.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to