> On Feb. 19, 2017, 10:34 p.m., Selvamohan Neethiraj wrote:
> > Can you please provide a little more detail on how the manual testing was
> > done. This would be helpful for reviewers.
>
> Yan Zhou wrote:
> With the fix, the user sync runs OK without the exception after the
> removal of the "short user name" from the "or" logic for the group search,
> leaving only the full DN as the user name for the group search. Before the
> fix, the same search caused the InvalidNameException thrown from the LDAP
> server.
>
> As stated in the Jira, apparently the problem is only with some LDAP
> servers. Using the Apache LDAP server in the Ranger automated user sync test,
> TestLdapUserGroup, the failure can't be reproduced.
>
> Sailaja Polavarapu wrote:
> Hi Yan Zhou,
> Can you please provide some details on the sample schema or ldapsearch
> output of a user and a group on your ldap server? And also, can you provide
> some details on the ldap server? I have an openldap server with posixUser and
> posixGroup accounts and couldn't repro this issue. And also as you mentioned
> the unit test cases use Apache Ldap server and those pass as well.
> Also, one quick feedback on the changes -
> "useShortUserNameInGroupSearch" is set to true only when the groupObjectClass
> is set to posixGroup. This may not be the right assumption, as there may be a
> possibility that the groupObjectClass is set to "top" and the group member
> attribute can still be configured with user's short name right?
>
> Thanks,
> Sailaja.
>
> Yan Zhou wrote:
> It is an IBM Tivoli Directory Server 6.4. What other LDAP server details
> do you want to see?
>
> As for the check on "posixGroup", I did some investigation on the
> internet, and it appeared that only this would require a group search based
> on short user names. And also the test cases introduced in Ranger-893 only
> cover the "posixGroup". Probably we need to have a more accurate condition
> to allow and disallow for group search based on short user names. Any
> suggestions are welcome.
LDAP-related Ranger usersync configs are as follows:
<property>
  <name>ranger.usersync.ldap.searchBase</name>
  <value>dc=ibm,dc=com</value>
</property>
<property>
  <name>ranger.usersync.ldap.url</name>
  <value>ldap://bdvm003.svl.ibm.com:1389</value>
</property>
<property>
  <name>ranger.usersync.ldap.user.groupnameattribute</name>
  <value>memberof, ismemberof</value>
</property>
<property>
  <name>ranger.usersync.ldap.user.nameattribute</name>
  <value>uid</value>
</property>
<property>
  <name>ranger.usersync.ldap.user.objectclass</name>
  <value>account</value>
</property>
<property>
  <name>ranger.usersync.ldap.user.searchbase</name>
  <value>dc=ibm,dc=com</value>
</property>
<property>
  <name>ranger.usersync.ldap.user.searchfilter</name>
  <value></value>
</property>
<property>
  <name>ranger.usersync.ldap.user.searchscope</name>
  <value>sub</value>
</property>
<property>
  <name>ranger.usersync.ldap.username.caseconversion</name>
  <value>none</value>
</property>
- Yan
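The two group-search filter shapes discussed in this thread, as an added illustration that is not Ranger's own code: the "or" form that matches a member by short user name or full DN, and the DN-only form that avoids handing a bare user name to a DN-syntax attribute. The attribute names, the set of DN-valued attributes and the sample user DN are assumptions constructed for the example; the policy keys on the member attribute rather than on the group objectClass, so a group with objectClass "top" and a memberUid attribute still gets the short-name clause.

```python
# Illustrative LDAP group-search filter builder (example code, not Ranger's).

# RFC 4515 filter-value escaping, so a DN or user name taken from the
# directory cannot alter the structure of the filter we send.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Assumption for this example: member attributes with DN syntax. A bare short
# user name is not a valid value for these, and some servers reject the
# search outright instead of simply returning no match.
DN_SYNTAX_MEMBER_ATTRS = {"member", "uniquemember"}


def member_value_kinds(member_attribute: str) -> list:
    """Full DN is always searched; the short name is added only when the
    member attribute is name-valued (e.g. memberUid), independent of whether
    the group objectClass is posixGroup, top, or anything else."""
    kinds = ["dn"]
    if member_attribute.lower() not in DN_SYNTAX_MEMBER_ATTRS:
        kinds.append("short")
    return kinds


def build_group_filter(group_object_class: str, member_attribute: str,
                       user_dn: str, short_name: str) -> str:
    """Return an RFC 4515 filter selecting the groups the user belongs to."""
    clauses = []
    for kind in member_value_kinds(member_attribute):
        value = user_dn if kind == "dn" else short_name
        clauses.append(f"({member_attribute}={escape_filter_value(value)})")
    # Only wrap in an "or" when there is more than one member clause.
    member_part = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass={escape_filter_value(group_object_class)}){member_part})"


# Constructed sample user under the searchBase from the config above; not a real entry.
SAMPLE_USER_DN = "uid=yan,ou=people,dc=ibm,dc=com"
SAMPLE_SHORT_NAME = "yan"

if __name__ == "__main__":
    print(build_group_filter("posixGroup", "memberUid", SAMPLE_USER_DN, SAMPLE_SHORT_NAME))
    print(build_group_filter("groupOfNames", "member", SAMPLE_USER_DN, SAMPLE_SHORT_NAME))
```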
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56829/#review166044
-----------------------------------------------------------
On Feb. 19, 2017, 10:30 p.m., Yan Zhou wrote:
>
>
> (Updated Feb. 19, 2017, 10:30 p.m.)
>
>
> Review request for ranger.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Some LDAP servers throw exception on group search on posix user names that
> are not full DNs.
>
>
> Diffs
> -----
>
>
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
> 8cf6816
>
> ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
> 070a39b
>
> Diff: https://reviews.apache.org/r/56829/diff/
>
>
> Testing
> -------
>
> Manual
>
>
> Thanks,
>
> Yan Zhou
>
>