[ https://issues.apache.org/jira/browse/HADOOP-15322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16403531#comment-16403531 ]
Ganesh commented on HADOOP-15322:
---------------------------------

Looking through the code:

{code}
..
String LDAP_CONFIG_PREFIX = "hadoop.security.group.mapping.ldap";
String BASE_DN_KEY = LDAP_CONFIG_PREFIX + ".base";
baseDN = conf.get(BASE_DN_KEY, BASE_DN_DEFAULT);
..
{code}

and this baseDN is used in the search for posixAccount and posixGroup.

{code}
..
NamingEnumeration<SearchResult> results = ctx.search(baseDN, userSearchFilter, new Object[]{user}, SEARCH_CONTROLS);
..
groupResults = ctx.search(baseDN, "(&"+ groupSearchFilter + "(|(" + posixGidAttr + "={0})" + "(" + groupMemberAttr + "={1})))", new Object[] { gidNumber, uidNumber }, SEARCH_CONTROLS);
{code}

Because the same baseDN is used in the search, we are forced to set the search base of the ldap tree from dc=XX,dc=YY,dc=ZZ. This is generally not a problem. But most ldap servers have a limit on the number of entries returned in the search result (usually 2K to 10K) as a measure to prevent DDoS.

If we can add 2 keys something like

{code}
hadoop.security.group.mapping.ldap.base.user
hadoop.security.group.mapping.ldap.base.group
{code}

Then we could use the value of 'hadoop.security.group.mapping.ldap.base.user' to search posixAccount and use the value of 'hadoop.security.group.mapping.ldap.base.group' to search for posixGroup and avoid searching a larger tree rooted from dc=XX,dc=YY,dc=ZZ. This would also help minimize the number of entries returned in the search result. (Of course another option is to use paged search result support.)

> LDAPGroupMapping search tree base improvement
> ---------------------------------------------
>
> Key: HADOOP-15322
> URL: https://issues.apache.org/jira/browse/HADOOP-15322
> Project: Hadoop Common
> Issue Type: Improvement
> Components: common
> Affects Versions: 2.7.4
> Reporter: Ganesh
> Priority: Major
> Fix For: 2.7.6
>
>
> Currently the same ldap base is used for searching posixAccount and
> posixGroup. This request is to make a separate base for each container (ie
> posixAccount and posixGroup container)
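As an added illustration (not code from the Hadoop project and not part of the comment above), the following stand-alone Java sketch shows how the two proposed keys could be resolved with a fallback to the existing `.base` key, how each search would then get its own base DN, and a deployment check that a narrowed base still lies under the shared tree base. `SimpleConf` is an assumed stand-in for `org.apache.hadoop.conf.Configuration` (only `get(key, default)` is modelled); the key names `.base.user` and `.base.group` are the ones proposed in the comment, and all DN values are constructed samples.

```java
import java.util.HashMap;
import java.util.Map;

public class LdapSearchBases {

    // Existing key, as quoted from LdapGroupsMapping in the comment above.
    static final String LDAP_CONFIG_PREFIX = "hadoop.security.group.mapping.ldap";
    static final String BASE_DN_KEY = LDAP_CONFIG_PREFIX + ".base";
    static final String BASE_DN_DEFAULT = "";

    // Keys proposed in the comment (assumption: not present in the Hadoop version the issue targets).
    static final String USER_BASE_DN_KEY = LDAP_CONFIG_PREFIX + ".base.user";
    static final String GROUP_BASE_DN_KEY = LDAP_CONFIG_PREFIX + ".base.group";

    /** Minimal stand-in for org.apache.hadoop.conf.Configuration (assumption: only get(key, default) is needed). */
    static final class SimpleConf {
        private final Map<String, String> values = new HashMap<>();

        SimpleConf set(String key, String value) {
            values.put(key, value);
            return this;
        }

        String get(String key, String defaultValue) {
            String v = values.get(key);
            return (v == null || v.trim().isEmpty()) ? defaultValue : v.trim();
        }
    }

    /** Base DN for the posixAccount search: the user-specific key if set, else the shared base. */
    static String userBase(SimpleConf conf) {
        return conf.get(USER_BASE_DN_KEY, conf.get(BASE_DN_KEY, BASE_DN_DEFAULT));
    }

    /** Base DN for the posixGroup search: the group-specific key if set, else the shared base. */
    static String groupBase(SimpleConf conf) {
        return conf.get(GROUP_BASE_DN_KEY, conf.get(BASE_DN_KEY, BASE_DN_DEFAULT));
    }

    /**
     * Deployment check: a narrowed base should still sit under the shared tree base,
     * otherwise accounts or groups that do exist in the directory silently fail to resolve.
     * Simplified DN comparison (case-insensitive, whitespace around commas ignored);
     * escaped commas inside RDN values are not handled.
     */
    static boolean isUnder(String narrowed, String treeBase) {
        if (treeBase.isEmpty()) {
            return true;
        }
        String n = narrowed.replaceAll("\\s*,\\s*", ",").toLowerCase();
        String t = treeBase.replaceAll("\\s*,\\s*", ",").toLowerCase();
        return n.equals(t) || n.endsWith("," + t);
    }

    /** Group filter built as in the quoted ctx.search call; {0} and {1} stay as JNDI filter arguments. */
    static String groupFilter(String groupSearchFilter, String posixGidAttr, String groupMemberAttr) {
        return "(&" + groupSearchFilter + "(|(" + posixGidAttr + "={0})"
                + "(" + groupMemberAttr + "={1})))";
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        SimpleConf conf = new SimpleConf()
                .set(BASE_DN_KEY, "dc=example,dc=com")
                .set(USER_BASE_DN_KEY, "ou=people,dc=example,dc=com")
                .set(GROUP_BASE_DN_KEY, "ou=groups, DC=Example, DC=com");

        String treeBase = conf.get(BASE_DN_KEY, BASE_DN_DEFAULT);
        String users = userBase(conf);
        String groups = groupBase(conf);

        if (!isUnder(users, treeBase) || !isUnder(groups, treeBase)) {
            throw new IllegalArgumentException("user/group base must lie under " + treeBase);
        }

        String filter = groupFilter("(objectClass=posixGroup)", "gidNumber", "memberUid");
        System.out.println("posixAccount search base: " + users);
        System.out.println("posixGroup search base:   " + groups);
        System.out.println("posixGroup filter:        " + filter);

        // With the two bases resolved, the searches quoted in the comment would become:
        //   ctx.search(users,  userSearchFilter, new Object[]{user},                 SEARCH_CONTROLS);
        //   ctx.search(groups, filter,           new Object[]{gidNumber, uidNumber}, SEARCH_CONTROLS);
        // Passing user, gidNumber and uidNumber as filter arguments, rather than concatenating
        // them into the filter string, lets JNDI escape them (RFC 2254/4515), so a user name
        // containing '*' or ')' cannot widen the search.
    }
}
```

Two practical notes. Narrowing each search to its own container reduces the entry count returned per query (the size-limit concern raised above) and also limits what the bind account enumerates on every group lookup, but any account or group outside the configured subtree will no longer resolve, which is why the example refuses a base that is not under the shared tree. The other option the comment names, paged results, is available in JNDI through `javax.naming.ldap.PagedResultsControl` on an `LdapContext`; it handles the size limit without changing the search base but requires iterating over result pages.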