[
https://issues.apache.org/jira/browse/IMPALA-11042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17455373#comment-17455373
]
ASF subversion and git services commented on IMPALA-11042:
----------------------------------------------------------
Commit 32c224f03d6909f31fd9cb58e31734f74899c15b in impala's branch
refs/heads/master from Tamas Mate
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=32c224f ]
IMPALA-11042: Escape special characters in LDAP filters
The LDAP filter specification assigns special meaning to the following
characters: '*', '(', ')', '\', 'NUL'. These 5 characters should be
represented with their ASCII characters in LDAP filters. (RFC 4516)
Impala allows '{0}' and '{1}' notations, these patterns will be replaced
dynamically during runtime, the '{0}' is replaced with the login
username, while '{1}' is replaced with the DN of the login user. This DN
is obtained through an LDAP Search.
This commit handles the escaping of the dynamically obtained properties
(username/DN) in LDAP filters according to RFC-4516. Impala should be
configured with properly escaped filters apart from these properties.
Example DN in directory service:
cn=Ldap\, (Test6*),ou=Users2,dc=myorg,dc=com
Example DN used in filter:
cn=Ldap\5C, \28Test6\2A\29,ou=Users2,dc=myorg,dc=com
Testing:
- Added a custom cluster unit test
- Tested the behaviour manually with OpenLDAP and Active Directory
Change-Id: Ic82e8fc0ff8bbe687632db177385f467dd200dbb
Reviewed-on: http://gerrit.cloudera.org:8080/18068
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Special characters are not escaped during LDAP search bind authentication
> -------------------------------------------------------------------------
>
> Key: IMPALA-11042
> URL: https://issues.apache.org/jira/browse/IMPALA-11042
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 4.0.0
> Reporter: Tamas Mate
> Assignee: Tamas Mate
> Priority: Major
>
> For search bind authentication during group search {1} notation is
> allowed, it represents the user's distinguished name, which is extracted from
> the result of the user search. In certain use-cases this can contain special
> characters, for example this is a valid {{dn: cn=Doe\,
> John,ou=Users2,dc=myorg,dc=com}}. This string is then used to create a group
> search filter, however from the client end these characters should be escaped
> properly, without that the following happens:
> {code}
> W1201 15:27:45.801143 32013 ldap-util.cc:196] LDAP search failed with base
> DN=ou=Groups,dc=myorg,dc=com and filter=(uniqueMember=cn=Doe\,
> John,ou=Users2,dc=myorg,dc=com) : Bad search filter
> {code}
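The escaping the commit message describes, and the filter that the quoted log line shows failing, as an added example (this is not Impala's ldap-util.cc code): the five RFC 4515 special characters in the username ({0}) and user DN ({1}) are hex-escaped before substitution into the configured filter template. The template `(uniqueMember={1})` and the DNs are taken from the page; the function names are assumptions.

```cpp
#include <cstdio>
#include <string>

// Escape the five characters that carry special meaning inside an LDAP filter
// assertion value: '*', '(', ')', '\' and NUL. Uppercase hex matches the
// commit message's example; RFC 4515 accepts either case.
std::string EscapeLdapFilterValue(const std::string& value) {
  std::string out;
  out.reserve(value.size());
  for (unsigned char c : value) {
    switch (c) {
      case '*':  out += "\\2A"; break;
      case '(':  out += "\\28"; break;
      case ')':  out += "\\29"; break;
      case '\\': out += "\\5C"; break;
      case '\0': out += "\\00"; break;
      default:   out += static_cast<char>(c);
    }
  }
  return out;
}

// Replace every occurrence of `token` (e.g. "{1}") with the escaped value.
// The template itself is assumed to be correctly escaped by the administrator,
// as the commit message requires; only the dynamic values are escaped here.
std::string ReplaceEscaped(std::string filter_template, const std::string& token,
                           const std::string& raw_value) {
  const std::string escaped = EscapeLdapFilterValue(raw_value);
  size_t pos = 0;
  while ((pos = filter_template.find(token, pos)) != std::string::npos) {
    filter_template.replace(pos, token.size(), escaped);
    pos += escaped.size();  // skip past the inserted value, never re-scan it
  }
  return filter_template;
}

// Build the group-search filter from the configured template, the login
// username ({0}) and the DN returned by the user search ({1}).
std::string BuildGroupFilter(const std::string& filter_template,
                             const std::string& username, const std::string& user_dn) {
  return ReplaceEscaped(ReplaceEscaped(filter_template, "{0}", username), "{1}", user_dn);
}

int main() {
  // Constructed input: the example DN from the commit message.
  std::string filter = BuildGroupFilter("(uniqueMember={1})", "test6",
                                        "cn=Ldap\\, (Test6*),ou=Users2,dc=myorg,dc=com");
  std::printf("%s\n", filter.c_str());  // (uniqueMember=cn=Ldap\5C, \28Test6\2A\29,ou=Users2,dc=myorg,dc=com)
  return 0;
}
```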