[
https://issues.apache.org/jira/browse/SHIRO-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095993#comment-16095993
]
Hari Sekhon commented on SHIRO-631:
-----------------------------------
[~bdemers] It's possible that in an Active Directory forest with different
domains, different people may end up having the same short user name in each of
their own domains, e.g. there may be a johnsmith user in each domain. When
querying via the global catalog and having both users DOMAIN1\johnsmith and
DOMAIN2\johnsmith or [email protected] and [email protected], usage of
the short username, which is common, will result in a collision of both users
being just 'johnsmith', and this could accidentally expose data permissions
too, as authorization mechanisms will just look at the username to compare to
the permissions tables.

So authentication integration mechanisms need to be able to differentiate,
either by using [email protected] vs [email protected], but this can cause issues
where the dependent technology may not permit symbols like @, or may require
filesystem home directories which will either not work or be messy looking.

If you have the ability to remap users based on a rule scheme like Hadoop's
auth_to_local then you can handle this flexibly by translating or munging the
user shortname based on the domain without having to use the AD UPN such as
[email protected], by adding prefixes/suffixes or converting characters
that would otherwise be invalid to the top level technology by regex validation
or characters not permitted in a filesystem path.
> Principal mapping rules similar to Hadoop's auth_to_local
> ---------------------------------------------------------
>
> Key: SHIRO-631
> URL: https://issues.apache.org/jira/browse/SHIRO-631
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Authorization (access control), Realms
> Environment: HDP 2.6 + Kerberos + AD LDAP multi-domain forest
> Reporter: Hari Sekhon
> Priority: Blocker
>
> Feature Request to add principal mapping rules similar to Hadoop's
> auth_to_local.
> This will allow munging principals and rule based remappings to differentiate
> duplicate users in multi-domain Active Directory forests where the LDAP
> results returned from the global catalog include duplicate usernames which
> need to be translated with a prefix/suffix in order to differentiate between
> domains to prevent users from different domains sharing logins, permissions
> etc.
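The kind of rule-based remapping the comment asks for, as an added worked example. This is illustration code written for this page, not Shiro or Hadoop code; it follows the shape of Hadoop's auth_to_local rule syntax (RULE:[n:format](regex)s/find/replace/[g][/L] and DEFAULT) so the collision and its fix can be tried on constructed principals. The realms DOMAIN1.EXAMPLE and DOMAIN2.EXAMPLE, the sample principals and the sample rules are all constructed for the example.

```python
"""auth_to_local-style principal mapping (illustrative; not Shiro/Hadoop code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample realm; a real deployment uses its own default realm.
DEFAULT_REALM = "DOMAIN1.EXAMPLE"

PRINCIPAL = re.compile(r"^([^@]+)@([^@]+)$")
RULE_SYNTAX = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"     # [n:format]  n = component count, $0 = realm
    r"(?:\(([^)]*)\))?"             # optional (regex) the formatted name must fully match
    r"(?:s/([^/]*)/([^/]*)/(g?))?"  # optional sed-like s/find/replace/[g]
    r"(/L)?$"                       # optional /L lowercases the result
)


@dataclass
class Rule:
    num_components: int
    fmt: str
    must_match: Optional[re.Pattern]
    find: Optional[re.Pattern]
    replace: str
    replace_all: bool
    lowercase: bool


def parse_rule(text: str) -> Union[Rule, str]:
    """Parse one rule line; the literal DEFAULT rule is returned as the string 'DEFAULT'."""
    text = text.strip()
    if text == "DEFAULT":
        return "DEFAULT"
    m = RULE_SYNTAX.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    n, fmt, regex, find, repl, g, lower = m.groups()
    return Rule(
        num_components=int(n),
        fmt=fmt,
        must_match=re.compile(regex) if regex is not None else None,
        find=re.compile(find) if find is not None else None,
        replace=repl or "",
        replace_all=(g == "g"),
        lowercase=(lower is not None),
    )


def split_principal(principal: str):
    """'user/host@REALM' -> (['user', 'host'], 'REALM')."""
    m = PRINCIPAL.match(principal)
    if not m:
        raise ValueError(f"principal has no realm: {principal}")
    return m.group(1).split("/"), m.group(2)


def naive_short_name(principal: str) -> str:
    """The collision-prone mapping the comment warns about: drop realm and host."""
    return split_principal(principal)[0][0]


def apply_rule(rule: Union[Rule, str], components: List[str], realm: str) -> Optional[str]:
    """Return the mapped name, or None when this rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only accepts principals from the default realm.
        return components[0] if realm == DEFAULT_REALM else None
    if len(components) != rule.num_components:
        return None
    name = rule.fmt.replace("$0", realm)
    for i, component in enumerate(components, start=1):
        name = name.replace(f"${i}", component)
    if rule.must_match is not None and rule.must_match.fullmatch(name) is None:
        return None
    if rule.find is not None:
        name = rule.find.sub(rule.replace, name, count=0 if rule.replace_all else 1)
    return name.lower() if rule.lowercase else name


def map_principal(principal: str, rules, require_simple_name: bool = True) -> str:
    """First matching rule wins. With require_simple_name, a result that still
    contains '@' or '/' is rejected, mirroring Hadoop's default 'hadoop' mechanism."""
    components, realm = split_principal(principal)
    for rule in rules:
        result = apply_rule(rule, components, realm)
        if result is None:
            continue
        if require_simple_name and ("@" in result or "/" in result):
            raise ValueError(f"rule produced non-simple name {result!r} for {principal}")
        return result
    raise ValueError(f"no rule matched {principal}")


# Constructed rules for the two-domain forest in the comment: DOMAIN1 users keep
# their short name, DOMAIN2 users get a filesystem-safe '_d2' suffix, lowercased.
SAMPLE_RULES = [
    parse_rule(r"RULE:[1:$1@$0](.*@DOMAIN2\.EXAMPLE)s/@DOMAIN2\.EXAMPLE/_d2//L"),
    parse_rule(r"RULE:[2:$1@$0](.*@DOMAIN2\.EXAMPLE)s/@DOMAIN2\.EXAMPLE/_d2//L"),
    parse_rule("DEFAULT"),
]

if __name__ == "__main__":
    for p in ("johnsmith@DOMAIN1.EXAMPLE", "JohnSmith@DOMAIN2.EXAMPLE",
              "hdfs/nn1.domain2.example@DOMAIN2.EXAMPLE"):
        print(f"{p:45} naive={naive_short_name(p):12} mapped={map_principal(p, SAMPLE_RULES)}")
```

Run stand-alone, the script shows both johnsmith principals collapsing to the same naive short name while the rules keep them apart as johnsmith and johnsmith_d2, with no @ in either result. The ordering matters: rules are tried top to bottom and the first match wins, so the domain-specific rules sit before DEFAULT, and a principal from a realm no rule covers is rejected rather than silently shortened.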
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)