[
https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658262#comment-16658262
]
ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------
Github user guoyuepeng commented on a diff in the pull request:
https://github.com/apache/incubator-griffin/pull/441#discussion_r226866713
--- Diff:
service/src/main/java/org/apache/griffin/core/login/LoginServiceLdapImpl.java
---
@@ -48,68 +53,137 @@ Licensed to the Apache Software Foundation (ASF) under
one
private String searchBase;
private String searchPattern;
private SearchControls searchControls;
+ private boolean sslSkipVerify;
+ private String bindDN;
+ private String bindPassword;
public LoginServiceLdapImpl(String url, String email, String
searchBase,
- String searchPattern) {
+ String searchPattern, boolean
sslSkipVerify,
+ String bindDN, String bindPassword) {
this.url = url;
this.email = email;
this.searchBase = searchBase;
this.searchPattern = searchPattern;
+ this.sslSkipVerify = sslSkipVerify;
+ this.bindDN = bindDN;
+ this.bindPassword = bindPassword;
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
this.searchControls = searchControls;
}
@Override
public ResponseEntity<Map<String, Object>> login(Map<String, String>
map) {
- String ntAccount = map.get("username");
+ String username = map.get("username");
String password = map.get("password");
- String searchFilter = searchPattern.replace("{0}", ntAccount);
+
+ // use separate bind credentials, if bindDN is provided
+ String bindAccount = StringUtils.isEmpty(this.bindDN) ? username :
this.bindDN;
+ String bindPassword = StringUtils.isEmpty(this.bindDN) ? password
: this.bindPassword;
+ String searchFilter = searchPattern.replace("{0}", username);
+ LdapContext ctx = null;
try {
- LdapContext ctx = getContextInstance(ntAccount, password);
+ ctx = getContextInstance(toPrincipal(bindAccount),
bindPassword);
+
NamingEnumeration<SearchResult> results =
ctx.search(searchBase,
searchFilter, searchControls);
- String fullName = getFullName(results, ntAccount);
+ SearchResult userObject = getSingleUser(results);
+
+ // verify password if different bind user is used
+ if (!StringUtils.equals(username, bindAccount)) {
+ String userDN = getAttributeValue(userObject,
"distinguishedName", toPrincipal(username));
+ checkPassword(userDN, password);
+ }
+
Map<String, Object> message = new HashMap<>();
- message.put("ntAccount", ntAccount);
- message.put("fullName", fullName);
+ message.put("ntAccount", username);
+ message.put("fullName", getFullName(userObject, username));
message.put("status", 0);
return new ResponseEntity<>(message, HttpStatus.OK);
- } catch (NamingException e) {
- LOGGER.warn("User {} failed to login with LDAP auth. {}",
ntAccount,
+ } catch (AuthenticationException e) {
+ LOGGER.warn("User {} failed to login with LDAP auth. {}",
username,
e.getMessage());
+ } catch (NamingException e) {
+ LOGGER.warn(String.format("User %s failed to login with LDAP
auth.", username), e);
+ } finally {
--- End diff --
LGTM
> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
> Key: GRIFFIN-207
> URL: https://issues.apache.org/jira/browse/GRIFFIN-207
> Project: Griffin (Incubating)
> Issue Type: Bug
> Reporter: Nikolay Sokolov
> Assignee: Nikolay Sokolov
> Priority: Major
>
> Currently LDAP auth performs bind to principal with name
> "${username}${ldap.email}", and searches through user objects
> ldap.searchPattern. Result of search then only used to retrieve fullName of
> the user.
> There are two problems here:
> * login username can not be different than CN, as it is used to perform LDAP
> bind
> * it is not possible to restrict access to specific groups
> Typical approach used in other software products is to use separate bind
> account, which would search through LDAP objects using search pattern, and
> then use found object's DN to perform password check.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
