[ https://issues.apache.org/jira/browse/HADOOP-15322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16403531#comment-16403531 ]

Ganesh commented on HADOOP-15322:
---------------------------------


Looking through the code:

{code}
..
String LDAP_CONFIG_PREFIX = "hadoop.security.group.mapping.ldap";
String BASE_DN_KEY = LDAP_CONFIG_PREFIX + ".base";

baseDN = conf.get(BASE_DN_KEY, BASE_DN_DEFAULT);
..
{code}
and this baseDN is used in the search for both posixAccount and posixGroup.

{code}
..
NamingEnumeration<SearchResult> results = ctx.search(baseDN,
        userSearchFilter,
        new Object[]{user},
        SEARCH_CONTROLS);
..
groupResults =
              ctx.search(baseDN,
                  "(&"+ groupSearchFilter + "(|(" + posixGidAttr + "={0})" +
                      "(" + groupMemberAttr + "={1})))",
                  new Object[] { gidNumber, uidNumber },
                  SEARCH_CONTROLS);
{code}


Because the same baseDN is used in the search, we are forced to set the 
search base of the LDAP tree from dc=XX,dc=YY,dc=ZZ. This is generally not a 
problem. But most LDAP servers have a limit on the number of entries returned 
in the search result (usually 2K to 10K) as a measure to prevent DDoS. 

If we can add 2 keys, something like
{code}
hadoop.security.group.mapping.ldap.base.user
hadoop.security.group.mapping.ldap.base.group
{code}

Then we could use the value of 'hadoop.security.group.mapping.ldap.base.user' to 
search posixAccount and
use the value of 'hadoop.security.group.mapping.ldap.base.group' to search for 
posixGroup and avoid searching a larger tree rooted at dc=XX,dc=YY,dc=ZZ. 
This would also help minimize the number of entries returned in the search 
result. 

(of course another option is to use paged search result support)

> LDAPGroupMapping search tree base improvement
> ---------------------------------------------
>
>                 Key: HADOOP-15322
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15322
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common
>    Affects Versions: 2.7.4
>            Reporter: Ganesh
>            Priority: Major
>             Fix For: 2.7.6
>
>
> Currently the same ldap base is used for searching posixAccount and 
> posixGroup. This request is to make a separate base for each container (ie 
> posixAccount and posixGroup container)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
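The following is an added example, not code from the comment above or from Hadoop's LdapGroupsMapping, showing the shape of the lookup the comment proposes: the user is resolved under one base, the groups under another, and the group search is additionally paged (RFC 2696) so that a large group container still cannot trip the server's size limit. The base DNs, the attribute names (uidNumber, gidNumber, memberUid, cn) and the two filter strings are assumptions chosen to mirror the snippet in the comment; a real deployment would read them from configuration, and the JNDI {0}/{1} placeholders are left to JNDI to escape, exactly as in the snippet.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class SplitBaseGroupLookup {
  // Assumed values for illustration; the comment proposes reading these from
  // hadoop.security.group.mapping.ldap.base.user / .base.group instead of one .base key.
  static final String USER_BASE  = "ou=people,dc=XX,dc=YY,dc=ZZ";
  static final String GROUP_BASE = "ou=groups,dc=XX,dc=YY,dc=ZZ";
  // Assumed filters; attribute names mirror the snippet in the comment.
  static final String USER_FILTER  = "(&(objectClass=posixAccount)(uid={0}))";
  static final String GROUP_FILTER = "(&(objectClass=posixGroup)(|(gidNumber={0})(memberUid={1})))";
  static final int PAGE_SIZE = 500;  // keep each page well under a typical server sizelimit

  static SearchControls controls(String... attrs) {
    SearchControls sc = new SearchControls();
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    sc.setReturningAttributes(attrs);
    return sc;
  }

  static List<String> getGroups(LdapContext ctx, String user)
      throws NamingException, IOException {
    // 1. Resolve the user under the user base only. JNDI substitutes {0} with
    //    filter escaping, so 'user' is never concatenated into the filter string.
    NamingEnumeration<SearchResult> users = ctx.search(
        USER_BASE, USER_FILTER, new Object[] {user}, controls("uidNumber", "gidNumber"));
    if (!users.hasMore()) {
      return Collections.emptyList();
    }
    Attributes a = users.next().getAttributes();
    String uidNumber = (String) a.get("uidNumber").get();
    String gidNumber = (String) a.get("gidNumber").get();

    // 2. Resolve groups under the group base, one page at a time, so the
    //    server's entry limit bounds a page rather than truncating the result.
    List<String> groups = new ArrayList<>();
    byte[] cookie = null;
    do {
      ctx.setRequestControls(new Control[] {
          new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL)});
      NamingEnumeration<SearchResult> page = ctx.search(
          GROUP_BASE, GROUP_FILTER, new Object[] {gidNumber, uidNumber}, controls("cn"));
      while (page.hasMore()) {
        groups.add((String) page.next().getAttributes().get("cn").get());
      }
      // The server returns a non-empty cookie while more pages remain.
      cookie = null;
      Control[] resp = ctx.getResponseControls();
      if (resp != null) {
        for (Control c : resp) {
          if (c instanceof PagedResultsResponseControl) {
            cookie = ((PagedResultsResponseControl) c).getCookie();
          }
        }
      }
    } while (cookie != null && cookie.length > 0);
    ctx.setRequestControls(null);
    return groups;
  }

  public static void main(String[] args) throws Exception {
    // Usage: java SplitBaseGroupLookup ldap://host:389 <bindDN> <password> <user>
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, args[0]);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, args[1]);
    env.put(Context.SECURITY_CREDENTIALS, args[2]);
    LdapContext ctx = new InitialLdapContext(env, null);
    try {
      System.out.println(getGroups(ctx, args[3]));
    } finally {
      ctx.close();
    }
  }
}
```

Narrowing the base DNs shrinks the candidate set the server has to walk, but it does not by itself guarantee the result stays under the server's entry limit if the group container is large; that is what the paged control covers, and the control is marked critical so a server that does not support it rejects the search outright instead of silently truncating.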
