Review Request 47976: LDAP sync cannot handle if the member attribute value is not DN or id

Fri, 27 May 2016 13:15:12 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47976/
-----------------------------------------------------------

Review request for Ambari, Daniel Gergely, Robert Levas, Robert Nettleton, and 
Sebastian Toader.


Bugs: AMBARI-16875
    https://issues.apache.org/jira/browse/AMBARI-16875


Repository: ambari


Description
-------

In some rare cases, member attribute value for a group/user can be constructed. 
(not baseDN/uid, sometimes ldap proxies does that)

Added 2 feature to fix these problems (to manipulate queries that are used 
during sync):

2.1.) use regexp to get the useful informations from a custom member attribute 
value: (for groups/users)
"authentication.ldap.sync.userMemberReplacePattern"
"authentication.ldap.sync.groupMemberReplacePattern"

e.g.:
member: <SID=..><GUID=...>,cn=mycn,dc=org,dc=apache

then use 
authentication.ldap.sync.userMemberReplacePattern=(?<sid>.*);(?<guid>.*);(?<member>.*)
 to get the member group
the result will be cn=mycn,dc=org,dc=apache, which can be used easier in 
filters, or like a baseDN.

2.) second option the define the queries itself that are used during sync
"authentication.ldap.sync.userMemberFilter"
"authentication.ldap.sync.groupMemberFilter"

In case you have a specific member information, maybe it wont fit with the 
ambari filters, so it might be needed to use a custom filter:
simple example: 
authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))
 // here we will replace the member with the member attribute value


Diffs
-----

  
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 0c2fbba 
  
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
 17432d0 
  
ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
 9a66456 
  
ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java
 eef91c1 

Diff: https://reviews.apache.org/r/47976/diff/


Testing
-------

testing is in progress...


Thanks,

Oliver Szabo

Reply via email to