[ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360564#comment-16360564 ]
Peng Xing commented on KYLIN-3197:
----------------------------------

Hi [~Aron.tao], so I think the root cause is that the ldap search function does not support case-insensitive conditions, as follows.
{code:java}
[root@zdh129 ~]# ldapsearch -x -b 'ou=Group,ou=defaultCluster,dc=zdh,dc=com' '(memberUid=wkh)'
# extended LDIF
#
# LDAPv3
# base <ou=Group,ou=defaultCluster,dc=zdh,dc=com> with scope subtree
# filter: (memberUid=wkh)
# requesting: ALL
#

# wkhGroup, Group, defaultCluster, zdh.com
dn: cn=wkhGroup,ou=Group,ou=defaultCluster,dc=zdh,dc=com
objectClass: posixGroup
objectClass: top
cn: wkhGroup
gidNumber: 10000
memberUid: wkh
memberUid: wkh1
memberUid: wkh2
memberUid: Wkh5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@zdh129 ~]# ldapsearch -x -b 'ou=Group,ou=defaultCluster,dc=zdh,dc=com' '(memberUid=WKH)'
# extended LDIF
#
# LDAPv3
# base <ou=Group,ou=defaultCluster,dc=zdh,dc=com> with scope subtree
# filter: (memberUid=WKH)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
{code}

> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I configure kylin.properties and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', and I use '{color:#ff0000}wkh{color}' to log in, which works normally.
> But when I use '{color:#ff0000}WKH{color}' to log in, the page does not respond.
> I analyzed the background code and found that the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
> When userDn is "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "{color:#ff0000}WKH{color}", authorities will be an empty Set from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
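
An added example (not the attached patch and not Kylin code) of the mismatch reported in this issue: the same group lookup is run once with the name as typed at login and once with the uid taken from the user's DN. The in-memory group map and the names `groupsFor` and `canonicalUid` are hypothetical stand-ins built from the values in the ticket, and the code assumes the account's leaf RDN is `uid`.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class CanonicalGroupLookup {
    // Constructed sample data mirroring the posixGroup entry in the ldapsearch output.
    static final Map<String, List<String>> GROUPS =
            Map.of("wkhGroup", List.of("wkh", "wkh1", "wkh2", "Wkh5"));

    // Stand-in for the group search (memberUid=<value>): exact, case-sensitive match,
    // which is how the two ldapsearch runs in the ticket behave.
    static Set<String> groupsFor(String memberUid) {
        Set<String> roles = new TreeSet<>();
        GROUPS.forEach((group, members) -> {
            if (members.contains(memberUid)) roles.add(group);
        });
        return roles;
    }

    // Use the uid as stored in the directory (leaf RDN of the authenticated user's DN)
    // rather than the casing typed on the login form.
    static String canonicalUid(String userDn, String typedName) throws InvalidNameException {
        LdapName dn = new LdapName(userDn);
        Rdn leaf = dn.getRdn(dn.size() - 1); // index size-1 is the left-most RDN
        if (!"uid".equalsIgnoreCase(leaf.getType())) {
            throw new InvalidNameException("leaf RDN is not uid: " + leaf.getType());
        }
        String uid = leaf.getValue().toString();
        // Accept the DN only if it names the same account apart from letter case.
        if (!uid.equalsIgnoreCase(typedName)) {
            throw new InvalidNameException("DN does not belong to " + typedName);
        }
        return uid;
    }

    public static void main(String[] args) throws InvalidNameException {
        String userDn = "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com";
        String typed = "WKH";
        System.out.println("lookup with typed name:    " + groupsFor(typed));
        System.out.println("lookup with canonical uid: " + groupsFor(canonicalUid(userDn, typed)));
    }
}
```

Lower-casing the typed name would not be a general substitute here: the group also lists `Wkh5`, which only its directory-stored spelling matches.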