dev-lpq commented on code in PR #4152:
URL: https://github.com/apache/kyuubi/pull/4152#discussion_r1159383029
##########
kyuubi-common/src/main/scala/org/apache/kyuubi/service/authentication/LdapAuthenticationProviderImpl.scala:
##########
@@ -41,47 +49,72 @@ class LdapAuthenticationProviderImpl(conf: KyuubiConf)
extends PasswdAuthenticat
* @throws AuthenticationException When a user is found to be invalid by the
implementation
*/
override def authenticate(user: String, password: String): Unit = {
+
+ val (usedBind, bindUser, bindPassword) = (
+ conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_USER),
+ conf.get(KyuubiConf.AUTHENTICATION_LDAP_BIND_PASSWORD)) match {
+ case (Some(_bindUser), Some(_bindPw)) => (true, _bindUser, _bindPw)
+ case _ =>
+ // If no bind user or bind password was specified,
+ // we assume the user we are authenticating has the ability to search
+ // the LDAP tree, so we use it as the "binding" account.
+ // This is the way it worked before bind users were allowed in the
LDAP authenticator,
+ // so we keep existing systems working.
+ (false, user, password)
+ }
+
+ var search: DirSearch = null
+ try {
+ search = createDirSearch(bindUser, bindPassword)
+ applyFilter(search, user)
+ if (usedBind) {
+ // If we used the bind user, then we need to authenticate again,
+ // this time using the full user name we got during the bind process.
+ createDirSearch(search.findUserDn(user), password)
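Review bot: In the `if (usedBind)` branch, the result of `search.findUserDn(user)` is passed straight into `createDirSearch(..., password)` without a check, and the `DirSearch` that call returns is discarded. If `findUserDn` can return null or an empty string when no entry matches, the second bind is attempted without a DN; resolve the DN into a local first and throw `AuthenticationException` when it is missing. Assign the second `DirSearch` to a local and close it too, since only `search` is held in a variable here and nothing in the visible lines releases the re-bind connection. The call also receives `user` exactly as supplied, so whether a domain-qualified name resolves depends on `findUserDn`; a test with such a name would settle it.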
Review Comment:
@pan3793, I want to support the has-domain case. Does the authenticate-again
process need to get the username part of the provided user? If yes, I will
create the function `getUserName` and provide a PR.
`def getUserName(user: String): String =
if (LdapUtils.hasDomain(user)) LdapUtils.extractUserName(user) else user`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.