handavid opened a new pull request, #1274: URL: https://github.com/apache/knox/pull/1274
(It is very **important** that you created an Apache Knox JIRA for this change and that the PR title/commit message includes the Apache Knox JIRA ID!)

[KNOX-3341](https://issues.apache.org/jira/browse/KNOX-3341) - LDAP Proxy handles general search requests

## What changes were proposed in this pull request?

This commit improves the behavior of the LdapProxyBackend to handle broader search requests such as retrieving all users, all groups, or filtering by attributes other than uid.

A "search" method was added to the LdapBackend interface to support broader search requests. LdapProxyBackend implements this method by converting the search base, objectclass, and user identifier attribute from proxy values to values recognized by the remote LDAP backend.

LdapProxyBackend.createProxyEntry was factored out into a new RemoteSchemaConverter class. This class also contains methods for converting the search filter and DNs. The conversions in the search filter are further supported by a new FilterMappingVisitor class which will traverse the ExprNode tree and replace values as needed. Result entries are likewise converted from the remote values to the proxy values.

As part of the mapping, the AD 'userAccountControl' attribute type is mapped into the 'nsAccountLock' attribute type. A new DisabledUserInterceptor is implemented to perform this conversion. This interceptor can also be configured to remove disabled entries from the results.

Group membership retrieval is modified to use 'getUserGroupEntries' as a common starting point then branch into separate codepaths for using 'memberOf' or not.

FileBackend simply maps the filter back into user search.

## How was this patch tested?

Unit tests were added.
The new features were manually exercised using commands such as:

```
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' '(&(objectclass=inetorgperson)(uid=test*))'
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=groups,DC=proxy,DC=com' '(objectclass=groupofnames)'
```

## Integration Tests

(Please add or update integration tests [`.github/workflows/tests`](.github/workflows/tests) for the feature you are adding. If no unit test is added, please explain why. Check out [`.github/workflows/tests/README.md`](./workflows/tests/README.md) for instructions)

## UI changes

no UI changes

Please review [Knox Contributing Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow) before opening a pull request.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
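
The filter and result-entry conversions this pull request describes, sketched in Python as an added example; it is not code from the Knox change. The remote names (`sAMAccountName`, `user`, `group`) and the `true`/`false` values written to `nsAccountLock` are assumptions, and the parser accepts only and/or/not nodes and `attr=value` items, rejecting anything else rather than forwarding it unmapped.

```python
import re
# Assumed mappings (hypothetical; a deployment would take these from configuration).
ATTR_MAP = {"uid": "sAMAccountName"}                  # proxy attr -> remote attr
OBJECTCLASS_MAP = {"inetorgperson": "user", "groupofnames": "group"}
BACK = {v.lower(): k for k, v in ATTR_MAP.items()}    # remote attr -> proxy attr
ACCOUNTDISABLE = 0x2                                  # AD userAccountControl "disabled" bit
ITEM = re.compile(r"([A-Za-z][\w.;-]*)=([^()]*)")     # attr=value (equality/substring only)

def parse(f, i=0):  # RFC 4515 subset -> (node, next_index); raises on anything else
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        m = ITEM.match(f, i)
        if not m:
            raise ValueError(f"unsupported filter item at offset {i}")
        node, i = ("=", m.group(1), m.group(2)), m.end()
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def rewrite(node):  # walk the tree, swapping proxy names and values for remote ones
    if node[0] != "=":
        return "(" + node[0] + "".join(rewrite(k) for k in node[1]) + ")"
    _, attr, value = node
    if attr.lower() == "objectclass":
        value = OBJECTCLASS_MAP.get(value.lower(), value)
    return f"({ATTR_MAP.get(attr.lower(), attr)}={value})"

def to_remote_filter(proxy_filter):
    node, end = parse(proxy_filter)
    if end != len(proxy_filter):
        raise ValueError("trailing data after filter")
    return rewrite(node)

def to_proxy_entry(remote, drop_disabled=False):  # result entry: remote -> proxy view
    uac = remote.get("userAccountControl")
    disabled = uac is not None and bool(int(uac) & ACCOUNTDISABLE)
    if disabled and drop_disabled:
        return None
    entry = {BACK.get(k.lower(), k): v for k, v in remote.items() if k != "userAccountControl"}
    if uac is not None:
        entry["nsAccountLock"] = str(disabled).lower()
    return entry
```

The two filters from the `ldapsearch` commands above are the natural inputs for `to_remote_filter`; entries without `userAccountControl` (groups, for instance) pass through `to_proxy_entry` without an `nsAccountLock` value.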
