Re: Review Request 47976: LDAP sync cannot handle if the member attribute value is not DN or id
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47976/#review135472
---

Ship it!

Ship It!

- Daniel Gergely

On May 27, 2016, 8:14 p.m., Oliver Szabo wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47976/
> ---
>
> (Updated May 27, 2016, 8:14 p.m.)
>
> Review request for Ambari, Daniel Gergely, Robert Levas, Robert Nettleton,
> and Sebastian Toader.
>
> Bugs: AMBARI-16875
> https://issues.apache.org/jira/browse/AMBARI-16875
>
> Repository: ambari
>
> Description
> ---
>
> In some rare cases, member attribute value for a group/user can be
> constructed. (not baseDN/uid, sometimes ldap proxies do that)
>
> Added 2 features to fix these problems (to manipulate queries that are used
> during sync):
>
> 2.1.) use regexp to get the useful information from a custom member
> attribute value: (for groups/users)
> "authentication.ldap.sync.userMemberReplacePattern"
> "authentication.ldap.sync.groupMemberReplacePattern"
>
> e.g.:
> member: ,cn=mycn,dc=org,dc=apache
>
> then use
> authentication.ldap.sync.userMemberReplacePattern=(?.*);(?.*);(?.*)
> to get the member group
> the result will be cn=mycn,dc=org,dc=apache, which can be used more easily in
> filters, or like a baseDN.
>
> 2.) second option: define the queries themselves that are used during sync
> "authentication.ldap.sync.userMemberFilter"
> "authentication.ldap.sync.groupMemberFilter"
>
> In case you have a specific member information, maybe it won't fit with the
> ambari filters, so it might be needed to use a custom filter:
> simple example:
> authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))
> // here we will replace the member with the member attribute value
>
> Diffs
> -
>
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 0c2fbba
> ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 17432d0
> ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java 9a66456
> ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java eef91c1
>
> Diff: https://reviews.apache.org/r/47976/diff/
>
> Testing
> ---
>
> testing is in progress...
>
> Thanks,
>
> Oliver Szabo
>
Re: Review Request 47976: LDAP sync cannot handle if the member attribute value is not DN or id
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47976/#review135310
---

Ship it!

Ship It!

- Robert Levas

On May 27, 2016, 4:14 p.m., Oliver Szabo wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47976/
> ---
>
> (Updated May 27, 2016, 4:14 p.m.)
>
> Review request for Ambari, Daniel Gergely, Robert Levas, Robert Nettleton,
> and Sebastian Toader.
>
> Bugs: AMBARI-16875
> https://issues.apache.org/jira/browse/AMBARI-16875
>
> Repository: ambari
>
> Description
> ---
>
> In some rare cases, member attribute value for a group/user can be
> constructed. (not baseDN/uid, sometimes ldap proxies do that)
>
> Added 2 features to fix these problems (to manipulate queries that are used
> during sync):
>
> 2.1.) use regexp to get the useful information from a custom member
> attribute value: (for groups/users)
> "authentication.ldap.sync.userMemberReplacePattern"
> "authentication.ldap.sync.groupMemberReplacePattern"
>
> e.g.:
> member: ,cn=mycn,dc=org,dc=apache
>
> then use
> authentication.ldap.sync.userMemberReplacePattern=(?.*);(?.*);(?.*)
> to get the member group
> the result will be cn=mycn,dc=org,dc=apache, which can be used more easily in
> filters, or like a baseDN.
>
> 2.) second option: define the queries themselves that are used during sync
> "authentication.ldap.sync.userMemberFilter"
> "authentication.ldap.sync.groupMemberFilter"
>
> In case you have a specific member information, maybe it won't fit with the
> ambari filters, so it might be needed to use a custom filter:
> simple example:
> authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))
> // here we will replace the member with the member attribute value
>
> Diffs
> -
>
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 0c2fbba
> ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 17432d0
> ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java 9a66456
> ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java eef91c1
>
> Diff: https://reviews.apache.org/r/47976/diff/
>
> Testing
> ---
>
> testing is in progress...
>
> Thanks,
>
> Oliver Szabo
>
Review Request 47976: LDAP sync cannot handle if the member attribute value is not DN or id
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47976/
---

Review request for Ambari, Daniel Gergely, Robert Levas, Robert Nettleton,
and Sebastian Toader.

Bugs: AMBARI-16875
https://issues.apache.org/jira/browse/AMBARI-16875

Repository: ambari

Description
---

In some rare cases, member attribute value for a group/user can be
constructed. (not baseDN/uid, sometimes ldap proxies do that)

Added 2 features to fix these problems (to manipulate queries that are used
during sync):

2.1.) use regexp to get the useful information from a custom member
attribute value: (for groups/users)
"authentication.ldap.sync.userMemberReplacePattern"
"authentication.ldap.sync.groupMemberReplacePattern"

e.g.:
member: ,cn=mycn,dc=org,dc=apache

then use
authentication.ldap.sync.userMemberReplacePattern=(?.*);(?.*);(?.*)
to get the member group
the result will be cn=mycn,dc=org,dc=apache, which can be used more easily in
filters, or like a baseDN.

2.) second option: define the queries themselves that are used during sync
"authentication.ldap.sync.userMemberFilter"
"authentication.ldap.sync.groupMemberFilter"

In case you have a specific member information, maybe it won't fit with the
ambari filters, so it might be needed to use a custom filter:
simple example:
authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))
// here we will replace the member with the member attribute value

Diffs
-

ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 0c2fbba
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 17432d0
ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java 9a66456
ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java eef91c1

Diff: https://reviews.apache.org/r/47976/diff/

Testing
---

testing is in progress...

Thanks,

Oliver Szabo
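
Added example, not part of the thread and not Ambari's code: a sketch of how a replace pattern and a {member} filter template like the ones described in the request can be combined, with the extracted value escaped per RFC 4515 before it is substituted into the filter. The class name, the group names "first"/"second"/"member", the fallback to the raw value when the pattern does not match, and the sample values are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MemberFilterExample {
    // Assumed pattern: three ';'-separated parts, the last one named "member".
    static final Pattern REPLACE_PATTERN =
        Pattern.compile("(?<first>.*);(?<second>.*);(?<member>.*)");
    // Filter template from the review request.
    static final String FILTER_TEMPLATE =
        "(&(objectclass=posixaccount)(uid={member}))";

    /** Returns the "member" group if the pattern matches, else the raw value (assumed fallback). */
    static String extractMember(String rawValue) {
        Matcher m = REPLACE_PATTERN.matcher(rawValue);
        return m.matches() ? m.group("member") : rawValue;
    }

    /** Escapes the RFC 4515 special characters so the value stays a single assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Extracts the member part and substitutes it, escaped, for {member}. */
    static String buildFilter(String rawValue) {
        String member = extractMember(rawValue);
        // String.replace is a literal replacement, so '$' or '\' in the value is not interpreted.
        return FILTER_TEMPLATE.replace("{member}", escapeFilterValue(member));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory.
        String[] samples = {
            "id-1;id-2;jdoe",       // pattern matches, member = jdoe
            "jdoe",                 // no match: raw value is used
            "id-1;id-2;j(doe)*"     // filter metacharacters in the extracted value
        };
        for (String s : samples) {
            System.out.println(s + " -> " + buildFilter(s));
        }
    }
}
```

For the third sample the resulting filter is (&(objectclass=posixaccount)(uid=j\28doe\29\2a)), so the parentheses and the asterisk are matched literally instead of changing the filter's structure.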