[ https://issues.apache.org/jira/browse/KNOX-3341?focusedWorklogId=1026103&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026103 ]
ASF GitHub Bot logged work on KNOX-3341:
----------------------------------------
Author: ASF GitHub Bot
Created on: 21/Jun/26 00:19
Start Date: 21/Jun/26 00:19
Worklog Time Spent: 10m
Work Description: handavid opened a new pull request, #1274:
URL: https://github.com/apache/knox/pull/1274
[KNOX-3341](https://issues.apache.org/jira/browse/KNOX-3341) - LDAP Proxy
handles general search requests
## What changes were proposed in this pull request?
This commit improves the behavior of the LdapProxyBackend to handle broader
search requests such as retrieving all users, all groups, or filtering by
attributes other than uid.
A "search" method was added to the LdapBackend interface to support broader
search requests.
LdapProxyBackend implements this method by converting the search base,
objectclass, and user identifier attribute from proxy values to values
recognized by the remote LDAP backend. LdapProxyBackend.createProxyEntry was
factored out into a new RemoteSchemaConverter class. This class also contains
methods for converting the search filter and DNs. The conversions in the search
filter are further supported by a new FilterMappingVisitor class which will
traverse the ExprNode tree and replace values as needed.
Result entries are likewise converted from the remote values to the proxy
values. As part of the mapping, the AD 'userAccountControl' attribute type is
mapped into the 'nsAccountLock' attribute type. A new DisabledUserInterceptor
is implemented to perform this conversion. This interceptor can also be
configured to remove disabled entries from the results.
Group membership retrieval is modified to use 'getUserGroupEntries' as a
common starting point then branch into separate codepaths for using 'memberOf'
or not.
FileBackend simply maps the filter back into user search.
## How was this patch tested?
Unit tests were added.
The new features were manually exercised using commands such as:
```
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' \
  '(&(objectclass=inetorgperson)(uid=test*))'
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=groups,DC=proxy,DC=com' \
  '(objectclass=groupofnames)'
```
## UI changes
no UI changes
Please review [Knox Contributing
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
before opening a pull request.
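The filter conversion described in the pull request above, sketched as an added stand-alone Python example (not Knox code and not the PR's RemoteSchemaConverter or FilterMappingVisitor). The mapping tables and function names are assumptions chosen to match the two ldapsearch filters shown. It rewrites attribute names and objectclass values on the parsed tree, leaves other assertion values (including DN values) untouched, and rejects anything it cannot parse.

```python
# Added illustration, not Knox code. The mapping tables hold assumed values.
import re

ATTR_MAP = {"uid": "sAMAccountName"}                            # proxy -> remote
CLASS_MAP = {"inetorgperson": "user", "groupofnames": "group"}  # proxy -> remote
# attribute description, match operator, assertion value (extensible match rejected)
ITEM = re.compile(r"([A-Za-z][\w;.-]*)(=|>=|<=|~=)(.*)", re.S)

def parse(f, i=0):
    """Parse one parenthesised RFC 4515 filter at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' filter")
        return (op, kids), i + 1
    end = f.index(")", i)  # literal parentheses in values arrive escaped as \28 \29
    m = ITEM.fullmatch(f[i:end])
    if not m:
        raise ValueError(f"unsupported filter item: {f[i:end]!r}")
    return ("item", *m.groups()), end + 1

def to_remote(node):
    """Walk the tree, replacing proxy attribute names and objectclass values."""
    if node[0] != "item":
        return (node[0], [to_remote(k) for k in node[1]])
    _, attr, op, value = node
    if attr.lower() == "objectclass":
        value = CLASS_MAP.get(value.lower(), value)
    return ("item", ATTR_MAP.get(attr.lower(), attr), op, value)

def render(node):
    if node[0] == "item":
        return f"({node[1]}{node[2]}{node[3]})"
    return f"({node[0]}{''.join(render(k) for k in node[1])})"

def convert_filter(proxy_filter):
    """Proxy-side filter string -> remote-side filter string, failing closed."""
    node, end = parse(proxy_filter)
    if end != len(proxy_filter):
        raise ValueError("trailing data after filter")
    return render(to_remote(node))
```

Because the rewrite happens on the parsed tree, a value that merely contains the text `uid=` is not altered, which a plain string replacement on the filter would get wrong.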
Issue Time Tracking
-------------------
Worklog Id: (was: 1026103)
Remaining Estimate: 0h
Time Spent: 10m
> Enhance LDAP Proxy to support more general search parameters
> ------------------------------------------------------------
>
> Key: KNOX-3341
> URL: https://issues.apache.org/jira/browse/KNOX-3341
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: David Han
> Assignee: David Han
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> LDAP search with the LDAP Proxy is focused around user retrieval based on
> uid. This should be enhanced to better support the search filter and returned
> attribute parameters commonly used in LDAP search.