Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/05/11 16:16:00 UTC

[jira] [Commented] (IMPALA-10161) User LDAP search bind support

    [ https://issues.apache.org/jira/browse/IMPALA-10161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342708#comment-17342708 ] 

ASF subversion and git services commented on IMPALA-10161:
----------------------------------------------------------

Commit af0cb594e34b5691b0d00febdd6fa727b74018f6 in impala's branch refs/heads/master from Tamas Mate
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=af0cb59 ]

IMPALA-10653: [DOCS] LDAP configuration option changes

This commit updates the LDAP docs with the new flag changes introduced
mainly in IMPALA-2563 and IMPALA-10161.

Change-Id: Ic82c5dcd46fbd09264ae9a85d65e4044b6576800
Reviewed-on: http://gerrit.cloudera.org:8080/17403
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-by: Csaba Ringhofer <cs...@cloudera.com>


> User LDAP search bind support
> -----------------------------
>
>                 Key: IMPALA-10161
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10161
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Security
>    Affects Versions: Impala 3.4.0
>            Reporter: Tamas Mate
>            Assignee: Tamas Mate
>            Priority: Major
>             Fix For: Impala 4.0
>
>
> Currently Impala only supports the simple direct bind mechanism to authenticate a user, while other components allow administrators to specify a user search base DN and an administrator bind DN and bind password to search for the user under the user search base directory.
> This method is especially useful for larger organizations where the directory structure is wide. Given the following two FQDNs:
> {code:java}
> uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com
> uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com
> {code}
> In case the administrator would like to allow both Engineering and Accounting users to authenticate, neither the ldap_baseDN nor the ldap_bind_pattern configuration could give the flexibility to authenticate correctly.
>  * ldap_baseDN takes the configured baseDN and prefixes it with _uid=<userid>_
>  * ldap_bind_pattern gives the option to specify a pattern with a parameter such as _user=#UID,OU=foo,CN=bar_
> The convenient solution would be to specify a base dn and execute a search under it instead of prefixing it with uid, because this depends on the LDAP directory structure.
> LDAP search has already been implemented for groups; this should be implemented for users as well.
> The option to configure the group filters with LDAP filters should be added to the group check as well.
>   
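
The difference between direct bind and search bind described in the issue above, as an added example that is not part of the original message or of Impala's code. It models the two DN-building options and a search-then-bind flow over the two DNs from the issue; the in-memory directory, the passwords and all function names are constructed for illustration, and the filter escaping and unique-match checks are added precautions rather than documented Impala behaviour.

```python
import re

# Toy in-memory directory; every entry and password is constructed.
DIRECTORY = {
    "uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com": ("alice", "pw-a"),
    "uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com": ("bob", "pw-b"),
}
PEOPLE = "ou=People,dc=mycompany,dc=com"

def dn_from_base(user, base_dn):
    # ldap_baseDN as the issue describes it: prefix the base with uid=<userid>
    return f"uid={user},{base_dn}"

def dn_from_pattern(user, pattern):
    # ldap_bind_pattern as the issue describes it: substitute #UID
    return pattern.replace("#UID", user)

def simple_bind(dn, password):
    # Stand-in for an LDAP simple bind. Empty passwords are refused because a
    # server may treat them as an unauthenticated bind (RFC 4513).
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry[1] == password

def build_user_filter(user):
    # RFC 4515 escaping keeps the user name a literal value inside the filter.
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "(uid=" + "".join(esc.get(c, c) for c in user) + ")"

def filter_matches(flt, uid):
    # Minimal evaluator for "(uid=<value>)": a bare "*" is a presence test.
    value = flt[len("(uid="):-1]
    if value == "*":
        return True
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), value) == uid

def search_bind(user, password, search_base=PEOPLE):
    # Step 1 (performed with the administrator bind in a real deployment):
    # subtree search for the user under search_base.
    flt, suffix = build_user_filter(user), "," + search_base.lower()
    hits = [dn for dn, (uid, _) in DIRECTORY.items()
            if dn.lower().endswith(suffix) and filter_matches(flt, uid)]
    if len(hits) != 1:      # no entry, or an ambiguous match: reject
        return None
    # Step 2: bind as the DN that was found, with the user's own password.
    return hits[0] if simple_bind(hits[0], password) else None
```

With the base set to `ou=People,dc=mycompany,dc=com`, neither direct-bind helper produces a DN that exists for both users, while `search_bind` resolves each user's real DN before binding.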


