[
https://issues.apache.org/jira/browse/AMBARI-15554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sebastian Toader updated AMBARI-15554:
--------------------------------------
Status: Patch Available (was: In Progress)
> Ambari LDAP integration cannot handle LDAP directories with multiple entries
> for the same user
> ----------------------------------------------------------------------------------------------
>
> Key: AMBARI-15554
> URL: https://issues.apache.org/jira/browse/AMBARI-15554
> Project: Ambari
> Issue Type: New Feature
> Components: ambari-server, ambari-web
> Affects Versions: 2.1.1
> Reporter: Sebastian Toader
> Assignee: Sebastian Toader
> Fix For: 2.4.0
>
> Attachments: AMBARI-15554.v1.patch
>
>
> *Problem:*
> When LDAP is set up with multiple domains that are joined into a forest
> with trusts between the different domains, users may appear in different
> locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to
> search the whole forest, and because the entries of a user who appears in
> multiple domains are identical, Ambari cannot filter out all but one of them.
> This leads to the following error message when someone tries to log in to
> Ambari as one of the users that has multiple entries:
> {code}
> ServletHandler:563 - /api/v1/users/USERNAME
> org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect
> result size: expected 1, actual 2
> at
> org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243)
>
> at
> org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
>
> at
> org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
>
> at
> org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793)
>
> at
> org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196)
>
> at
> org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
>
> at
> org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
>
> at
> org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53)
>
> at
> org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
>
> at
> org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
>
> at
> org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60)
>
> at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>
> at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>
> at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>
> at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>
> at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>
> at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>
> at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>
> at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>
> at
> org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
>
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>
> at
> org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
>
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>
> at
> org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
> at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294)
> at
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
> at
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
> at
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>
> at
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
> at
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>
> at
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
> at
> org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209)
>
> at
> org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198)
>
> at
> org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132)
>
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>
> at org.eclipse.jetty.server.Server.handle(Server.java:370)
> at
> org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>
> at
> org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
>
> at
> org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
>
> at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
> at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
> at
> org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>
> at
> org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>
> at
> org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>
> at java.lang.Thread.run(Thread.java:745)
> {code}
> *Solution:*
> If the LDAP search performed at login to Ambari returns multiple matching
> user entries because the user appears in multiple domains, show an error
> message prompting the user to provide the domain as well (e.g. _Login Failed: Please
> append your domain to your username and try again. Example: username@domain_).
> When the user also provides domain information at login, Ambari looks up the
> user in LDAP using a different filter, which is configurable. If this
> configuration is not set, Ambari defaults to filtering by _userPrincipalName_.