turboFei commented on code in PR #3213:
URL: https://github.com/apache/incubator-kyuubi/pull/3213#discussion_r946343795


##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -58,28 +59,65 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf) 
extends PasswdAuthenticat
     conf.get(AUTHENTICATION_LDAP_URL).foreach(env.put(Context.PROVIDER_URL, _))
 
     val domain = conf.get(AUTHENTICATION_LDAP_DOMAIN)
-    val u =
-      if (!hasDomain(user) && domain.nonEmpty) {
-        user + "@" + domain.get
-      } else {
-        user
-      }
-
+    val mail = getMail(user, domain.get)
     val guidKey = conf.get(AUTHENTICATION_LDAP_GUIDKEY)
-    val bindDn = conf.get(AUTHENTICATION_LDAP_BASEDN) match {
-      case Some(dn) => guidKey + "=" + u + "," + dn
-      case _ => u
-    }
-
-    env.put(Context.SECURITY_PRINCIPAL, bindDn)
-    env.put(Context.SECURITY_CREDENTIALS, password)
+    val baseDn = conf.get(AUTHENTICATION_LDAP_BASEDN).get
+    val bindnPw = conf.get(AUTHENTICATION_LDAP_PASSWORD).get
+    val attrs = conf.get(AUTHENTICATION_LDAP_ATTRIBUTES).toArray
 
+    env.put(Context.SECURITY_PRINCIPAL, guidKey)
+    env.put(Context.SECURITY_CREDENTIALS, bindnPw)
+    import javax.naming.NamingEnumeration
+    var nameEnuResults: NamingEnumeration[SearchResult] = null
     try {
-      val ctx = new InitialDirContext(env)
-      ctx.close()
+      val ctx = new InitialLdapContext(env, null)
+      val sc = new SearchControls
+      sc.setReturningAttributes(attrs)
+      sc.setSearchScope(SearchControls.SUBTREE_SCOPE)
+      val searchFilter = String.format("(%s=%s)", "mail", mail)
+      nameEnuResults = ctx.search(baseDn, searchFilter, sc)
     } catch {
       case e: NamingException =>
-        throw new AuthenticationException(s"Error validating LDAP user: 
$bindDn", e)
+        throw new AuthenticationException(
+          s"LDAP InitialLdapContext failed, LDAP user: $user, " +
+            s"Error validating LDAP baseDn: $baseDn",
+          e)
+    }
+    if (nameEnuResults != null && nameEnuResults.hasMore) {
+      try {
+        val searchResult = nameEnuResults.next
+        val attrs = searchResult.getAttributes.getAll
+        if (!attrs.hasMore) {
+          throw new AuthenticationException(
+            s"LDAP attributes are empty, please check config " +
+              s"kyuubi.authentication.ldap.attrs, LDAP user: $user.")
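Review bot: The search filter in `val searchFilter = String.format("(%s=%s)", "mail", mail)` is assembled by string formatting from `mail`, which `getMail(user, domain.get)` presumably derives from the caller-supplied login name, so LDAP filter metacharacters in that name are not escaped and can change which entry the search matches. Passing the value as a filter argument lets JNDI encode it: `nameEnuResults = ctx.search(baseDn, "(mail={0})", Array[AnyRef](mail), sc)`. In the visible lines `ctx` is also never closed, although the removed code called `ctx.close()`. `password` is no longer referenced now that the bind uses `bindnPw`. The function continues past the quoted hunk, so confirm that the remainder closes the context and the enumeration, and that it verifies the user's own password against the entry it found.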

Review Comment:
   Use `AUTHENTICATION_LDAP_ATTRIBUTES.key` instead of the hard-coded key.


