[
https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16383115#comment-16383115
]
Peng Xing commented on KYLIN-3197:
----------------------------------
Hi [~Aron.tao], I was so busy before, so I began to reanalyze this issue
yesterday.
Currently, I have found out the deep reason why we cannot fetch the group by a
case-ignored username: this is caused by the default configuration of OpenLDAP,
that is the file 'nis.schema'. You can see the detailed configuration of the
attribute 'memberUid' as follows.
{code:java}
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
{code}
The 'caseExactIA5Match' and 'caseExactIA5SubstringsMatch' show that the
attribute 'memberUid' must be case sensitive. When I change them to
'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch', then rebuild the
directory 'slapd.d', then restart the service slapd, it will be ok: we can use
the username 'WKH' to fetch the group 'wkhGroup', although the actual username
should be 'wkh'.
But we should modify the default configuration of OpenLDAP, which is not a good
and suitable way for us; we should find a way for the default OpenLDAP. So from
the aspect of the default OpenLDAP and spring security, this problem cannot be
solved, so we should modify the kylin code.
So I still maintain my previous method. What about your suggestion? Thanks!
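To make the mechanism in this thread concrete, here is an added example (not Kylin's or Spring Security's code): a small in-memory model of the group lookup, with the directory entries constructed to mirror the report (user 'wkh' in group 'wkhGroup'). It shows why the lookup fails under caseExactIA5Match when the typed name is 'WKH', and how a fallback that retries with the uid taken from the user's DN (a hypothetical stand-in for the getAdditionalRoles idea, not the actual patch) recovers the roles without changing the OpenLDAP schema.

```python
# Constructed entry: the posixGroup lists 'wkh' in memberUid, which nis.schema
# declares with EQUALITY caseExactIA5Match.
GROUPS = {"cn=wkhGroup,ou=Groups,ou=defaultCluster,dc=zdh,dc=com":
          {"cn": "wkhGroup", "memberUid": ["wkh"]}}
USER_DN = "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com"


def attr_equals(rule, stored, asserted):
    """Apply an LDAP equality matching rule the way the server would."""
    if rule == "caseExactIA5Match":
        return stored == asserted
    if rule == "caseIgnoreIA5Match":
        return stored.lower() == asserted.lower()
    raise ValueError(f"unknown matching rule {rule!r}")


def group_membership_roles(user_dn, username, member_uid_rule="caseExactIA5Match"):
    """Emulates the populator's group search with filter (memberUid={1}),
    where {1} is the username exactly as typed at login."""
    return {g["cn"] for g in GROUPS.values()
            if any(attr_equals(member_uid_rule, m, username) for m in g["memberUid"])}


def canonical_uid(user_dn):
    """The uid the directory actually stores, read from the user's RDN."""
    rdn = user_dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() != "uid":
        raise ValueError("expected a uid= RDN")
    return value.strip()


def additional_roles(user_dn, username):
    """Hypothetical fallback: if the typed name yields no roles, retry with the
    canonical uid from the DN instead of weakening the directory's matching rule."""
    roles = group_membership_roles(user_dn, username)
    return roles or group_membership_roles(user_dn, canonical_uid(user_dn))
```

The retry keys the group search on the value the directory holds for the authenticated entry, so authorities are resolved for 'WKH' without changing 'nis.schema' to case-insensitive matching.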
> When ldap is opened, I use an ignored case user to login, the page does not
> respond.
> ------------------------------------------------------------------------------------
>
> Key: KYLIN-3197
> URL: https://issues.apache.org/jira/browse/KYLIN-3197
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.3.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Labels: patch
> Fix For: Future
>
> Attachments:
> 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch,
> image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png,
> image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png,
> image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png,
> image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png,
> image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I configure the kylin.properties, and give wkhGroup the
> admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> then I create a new user named 'wkh' whose group is 'wkhGroup', then I use
> '{color:#ff0000}wkh{color}' to log in, which is normal.
> But when I use '{color:#ff0000}WKH{color}' to log in, the page does not
> respond.
> I analyze the background code, and find that the function
> 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String,
> String)' has a problem.
> When userDn is
> "uid={color:#ff0000}wkh{color},ou=People,ou=defaultCluster,dc=zdh,dc=com" and
> username is "{color:#ff0000}WKH{color}", then authorities will be an empty Set
> from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn,
> username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
> I have tested the patch, please review, thanks!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)