[ https://issues.apache.org/jira/browse/IMPALA-10161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Mate updated IMPALA-10161:
--------------------------------
Description:
Currently Impala only supports a simple direct bind mechanism to authenticate a
user, while other components allow the administrators to specify a user search
base dn and an administrator bind dn and bind password to search for the user
under the user search base directory.
This method is especially useful for larger organizations where the directory
structure is wide. Given the following two FQDNs:
{code:java}
uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com
uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com
{code}
In case the administrator would like to allow both Engineering and Accounting
users to authenticate, neither the ldap_baseDN nor the ldap_bind_pattern
configuration could give the flexibility to authenticate correctly.
* ldap_baseDN takes the configured baseDN and prefixes it with _uid=<userid>_
* ldap_bind_pattern gives the option to specify a pattern with a parameter
such as _user=#UID,OU=foo,CN=bar_
The convenient solution would be to specify a base dn and execute a search
under it instead of prefixing it with uid, because this depends on the LDAP
directory structure.
LDAP search has already been implemented for groups; this should be implemented
for users as well.
The option to configure the group filters with LDAP filters should be added to
the group check as well.
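The three mechanisms described above side by side, as an added illustration that is not part of the issue or of Impala's code: a constructed in-memory dictionary stands in for the LDAP server, the service account cn=impala-svc (used for the administrator bind) is hypothetical, and the uid placed in the search filter is escaped per RFC 4515 before use.

```python
import re
from typing import Optional

# Constructed in-memory stand-in for the LDAP directory: the two DNs from the issue
# plus a hypothetical service account used for the administrator bind.
DIRECTORY = {
    "cn=impala-svc,ou=Services,dc=mycompany,dc=com": {"cn": "impala-svc", "userPassword": "svc-pw"},
    "uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com": {"uid": "alice", "userPassword": "pw-a"},
    "uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com": {"uid": "bob", "userPassword": "pw-b"},
}

def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied uid cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def ldap_search(base_dn: str, search_filter: str) -> Optional[str]:
    """Subtree search supporting only '(attr=value)' filters; returns the single matching DN."""
    m = re.fullmatch(r"\((\w+)=([^()*]*)\)", search_filter)
    if not m:
        return None
    attr, value = m.group(1), re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and attrs.get(attr) == value]
    return hits[0] if len(hits) == 1 else None  # zero or ambiguous hits: no DN

def auth_base_dn(user: str, password: str, base_dn: str) -> bool:
    """ldap_baseDN behaviour: bind directly as uid=<user>,<base_dn>."""
    return ldap_bind(f"uid={user},{base_dn}", password)

def auth_bind_pattern(user: str, password: str, pattern: str) -> bool:
    """ldap_bind_pattern behaviour: substitute #UID into the configured pattern."""
    return ldap_bind(pattern.replace("#UID", user), password)

def auth_search_bind(user: str, password: str, search_base: str,
                     admin_dn: str, admin_password: str) -> bool:
    """Search bind: bind as the service account, locate the user's DN, then bind as the user."""
    if not ldap_bind(admin_dn, admin_password):
        return False
    user_dn = ldap_search(search_base, f"(uid={escape_filter_value(user)})")
    return user_dn is not None and ldap_bind(user_dn, password)
```

With the search base ou=People,dc=mycompany,dc=com, only auth_search_bind authenticates both alice and bob; a uid prefix or a single bind pattern can only reach one organisational unit.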
was:
Currently Impala only supports a simple direct bind mechanism to authenticate a
user, while other components allow the administrators to specify a user search
base dn and an administrator bind dn and bind password to search for the user
under the user search base directory.
This method is especially useful for larger organizations where the directory
structure is wide. Given the following two FQDNs:
{code:java}
uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com
uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com
{code}
In case the administrator would like to allow both Engineering and Accounting
users to authenticate, neither the ldap_baseDN nor the ldap_bind_pattern
configuration could give the flexibility to authenticate correctly.
* ldap_baseDN takes the configured baseDN and prefixes it with _uid=<userid>_
* ldap_bind_pattern gives the option to specify a pattern with a parameter
such as _user=#UID,OU=foo,CN=bar_
The convenient solution would be to specify a base dn and execute a search
under it instead of prefixing it with uid, because this depends on the LDAP
directory structure.
LDAP search has already been implemented for groups; this should be implemented
for users as well.
> User LDAP search bind support
> -----------------------------
>
> Key: IMPALA-10161
> URL: https://issues.apache.org/jira/browse/IMPALA-10161
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Security
> Affects Versions: Impala 3.4.0
> Reporter: Tamas Mate
> Assignee: Tamas Mate
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)