[jira] [Created] (AMBARI-15554) Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Thu, 24 Mar 2016 01:03:04 -0700 

Sebastian Toader created AMBARI-15554:
-----------------------------------------

             Summary: Ambari LDAP integration cannot handle LDAP directories 
with multiple entries for the same user
                 Key: AMBARI-15554
                 URL: https://issues.apache.org/jira/browse/AMBARI-15554
             Project: Ambari
          Issue Type: New Feature
          Components: ambari-server, ambari-web
    Affects Versions: 2.1.1
            Reporter: Sebastian Toader
            Assignee: Sebastian Toader
             Fix For: 2.4.0


*Problem:*
In case LDAP set up with multiple Domains which are joined into a Forrest with 
trusts between the different Domains  users may appear in different locations 
in  LDAP.

Since users who wants to access Ambari can be in any domain Ambari has to 
search the whole forrest, and as the users appearing in multiple domains are 
identical Ambari cannot filter out all but one of the user entries.

This leads to the following error message when they try to login to Ambari with 
one of the users that has multiple entries:
{code}
ServletHandler:563 - /api/v1/users/USERNAME 
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect 
result size: expected 1, actual 2 
at 
org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243)
 
at 
org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
 
at 
org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
 
at 
org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793)
 
at 
org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196)
 
at 
org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
 
at 
org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
 
at 
org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53)
 
at 
org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
 
at 
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
 
at 
org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60)
 
at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
 
at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
 
at 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
 
at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
 
at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
 
at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
 
at 
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
 
at 
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
 
at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
 
at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
 
at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
 
at 
org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
 
at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
 
at 
org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
 
at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
 
at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82) 
at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294) 
at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
 
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) 
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) 
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557) 
at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
 
at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
 
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) 
at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
 
at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
 
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) 
at 
org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209)
 
at 
org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198)
 
at 
org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132)
 
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) 
at org.eclipse.jetty.server.Server.handle(Server.java:370) 
at 
org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
 
at 
org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
 
at 
org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
 
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644) 
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) 
at 
org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
 
at 
org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
 
at 
org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
 
at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
 
at 
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) 
at java.lang.Thread.run(Thread.java:745)
{code}

*Solution:*
If the LDAP search upon login to Ambari leads to multiple match user match due 
to the user appears in multiple domains show an error message to user prompting 
for providing domain as well to log-in. (e.g. _Login Failed: Please append your 
domain to your username and try again. Example: username@domain_)

When user provides domain information at login as well Ambari looks up the user 
in LDAP using different filter which is configurable. If this configuration is 
not set Ambari defaults to filter by _userPrincipalName_



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to