Posted to issues-all@impala.apache.org by "Tamas Mate (Jira)" <ji...@apache.org> on 2020/09/09 20:33:00 UTC

[jira] [Created] (IMPALA-10161) User LDAP search bind support

Tamas Mate created IMPALA-10161:
-----------------------------------

             Summary: User LDAP search bind support
                 Key: IMPALA-10161
                 URL: https://issues.apache.org/jira/browse/IMPALA-10161
             Project: IMPALA
          Issue Type: Improvement
          Components: Backend, Security
    Affects Versions: Impala 3.4.0
            Reporter: Tamas Mate
            Assignee: Tamas Mate


Currently Impala only supports a simple direct bind mechanism to authenticate a user, while other components allow administrators to specify a user search base DN, an administrator bind DN and a bind password to search for the user under the user search base directory.

This method is especially useful for larger organizations where the directory structure is wide. Given the following two FQDNs:
{code:java}
uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com
uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com
{code}
If the administrator would like to allow both Engineering and Accounting users to authenticate, neither the ldap_baseDN nor the ldap_bind_pattern configuration gives the flexibility to authenticate correctly.
 * ldap_baseDN takes the configured baseDN and prefixes it with _uid=<userid>_
 * ldap_bind_pattern gives the option to specify a pattern with a parameter such as _user=#UID,OU=foo,CN=bar_

The convenient solution would be to specify a base dn and execute a search under it instead of prefixing it with uid, because this depends on the LDAP directory structure.

LDAP search has already been implemented for groups; this should be implemented for users as well.
  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
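
The difference between direct bind and search bind described in the issue above, as an added Python example that is not part of the original message or of Impala's code. The directory is a constructed in-memory stand-in for an LDAP server, and `search_bind`, its parameters and the `svc` administrator entry are hypothetical names; the filter escaping and the single-match check are assumptions about how such a search would be done safely, not Impala behaviour.

```python
import hmac
import re

# Constructed sample directory standing in for an LDAP server: DN -> (uid, password).
DIRECTORY = {
    "uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com": ("alice", "alice-pw"),
    "uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com": ("bob", "bob-pw"),
    "uid=svc,ou=Services,dc=mycompany,dc=com": ("svc", "svc-pw"),
}
PEOPLE = "ou=People,dc=mycompany,dc=com"
ADMIN = ("uid=svc,ou=Services,dc=mycompany,dc=com", "svc-pw")  # hypothetical admin bind DN

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind. Empty passwords are refused, since a
    server may accept them as an unauthenticated bind."""
    entry = DIRECTORY.get(dn)
    if not password or entry is None:
        return False
    return hmac.compare_digest(entry[1].encode(), password.encode())

def escape_filter(value):
    """RFC 4515 escaping so a user name cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(base, ldap_filter):
    """Subtree search for '(uid=VALUE)'; an unescaped '*' in VALUE is a wildcard."""
    tokens = re.findall(r"\\[0-9a-f]{2}|.", ldap_filter[len("(uid="):-1], re.S)
    pattern = "".join(
        ".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if len(t) == 3 else t)
        for t in tokens)
    return [dn for dn, (uid, _) in DIRECTORY.items()
            if dn.endswith("," + base) and re.fullmatch(pattern, uid)]

def direct_bind(user, password, base_dn):
    """Direct bind as described in the issue: prefix the base DN with uid=<userid>."""
    return simple_bind("uid=%s,%s" % (user, base_dn), password)

def search_bind(user, password, search_base, admin_dn, admin_password):
    """Bind as the admin, search for the user under search_base, then bind as the DN found."""
    if not simple_bind(admin_dn, admin_password):
        raise RuntimeError("administrator bind failed")
    matches = search(search_base, "(uid=%s)" % escape_filter(user))
    # Require exactly one match: zero or several entries give no unambiguous identity.
    return len(matches) == 1 and simple_bind(matches[0], password)

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("*", "bob-pw")):
        print(user, direct_bind(user, pw, PEOPLE), search_bind(user, pw, PEOPLE, *ADMIN))
```

With the base DN set to `ou=People,...`, direct bind fails for both users because neither entry sits directly under it, while search bind authenticates both and rejects a wildcard user name.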