Posted to commits@airflow.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/01/23 15:36:00 UTC

[jira] [Commented] (AIRFLOW-3751) LDAP - Malformed Schema

    [ https://issues.apache.org/jira/browse/AIRFLOW-3751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750140#comment-16750140 ] 

ASF GitHub Bot commented on AIRFLOW-3751:
-----------------------------------------

colin-streicher commented on pull request #4574: [AIRFLOW-3751] Ignore malformed ldap schema option
URL: https://github.com/apache/airflow/pull/4574
 
 
   ### Jira
   
   This PR addresses the following [Airflow Jira](https://issues.apache.org/jira/browse/AIRFLOW-3751/) issues and references them in the PR title.
   
   ### Description
   
   This change includes a configuration option to allow LDAP authentication to use LDAP services that may not return schemas or return invalid ones. To allow malformed schemas, the configuration value of ignore_malformed_schema is added as a boolean. The default is the current behaviour.
   
   ### Tests
   
   - The changes introduced by this PR are covered by existing unit tests.
   
   
   ### Code Quality
   
   Passes `flake8`
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> LDAP - Malformed Schema
> -----------------------
>
>                 Key: AIRFLOW-3751
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3751
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.10.1
>            Reporter: Colin Streicher
>            Assignee: Colin Streicher
>            Priority: Minor
>
> This issue only appears to happen when using an LDAP server from which schema is not available. This came up specifically when using Foxpass, but my assumption is that this sort of thing is likely to happen for any LDAP as a Service offering.
> Essentially, the issue is that the default setting for the ldap3 library is to try to pull the schema from the server. From a normal LDAP server, this is just a call with a baseDN of ''; however, because of security concerns (presumably), services like Foxpass do not return anything when the baseDN is set to nothing.
> When the baseDN is set to the normal search DN, there are no schema objects returned. Since the get_info parameter in the Server() call validates the schema by default, the call fails.
> In terms of fixing, this is pretty simple: adding a parameter that reflects the setting in ldap3 that ignores this fixes the issue handily.
> In my dev environment, I made the following changes to ldap_auth.py:
> {code:java}
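> import ldap3
> ...
> def get_ldap_connection(dn=None, password=None):
>     ...
>     # Default to strict schema validation when the option is not configured.
>     ignore_malformed_schema = False
>     try:
>         # getboolean, so that a configured "False" is not treated as truthy.
>         ignore_malformed_schema = configuration.conf.getboolean("ldap", "ignore_malformed_schema")
>     except AirflowConfigException:
>         pass
>     if ignore_malformed_schema:
>         # Tell ldap3 to tolerate a missing or invalid server schema.
>         ldap3.set_config_parameter('IGNORE_MALFORMED_SCHEMA', ignore_malformed_schema)
>     ...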
> {code}
> Now, with AIRFLOW__LDAP__IGNORE_MALFORMED_SCHEMA=True, things work as expected.
> I will open a PR for this, but before I do, I would welcome any feedback on if this should be done, or if it should be done differently.
> Thank you in advance for any feedback.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
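
An added example, not part of the original message or of the Airflow code base: one way to resolve the `ignore_malformed_schema` option so that schema validation is relaxed only on an explicit, unambiguous opt-in. The function names and sample configs are hypothetical; the option name, the environment variable and the ldap3 parameter are the ones named in the issue, and the ldap3 setter is passed in by the caller so the block runs without ldap3 installed.

```python
import configparser

ENV_KEY = "AIRFLOW__LDAP__IGNORE_MALFORMED_SCHEMA"  # name taken from the issue text
_TRUE = {"1", "true", "t", "yes", "on"}
_FALSE = {"0", "false", "f", "no", "off", ""}


def parse_strict_bool(raw):
    """Map a config string to bool; reject anything ambiguous."""
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError("not a boolean: %r" % raw)


def resolve_ignore_malformed_schema(cfg_text, environ):
    """Environment override first, then the [ldap] section, else strict default."""
    if ENV_KEY in environ:
        return parse_strict_bool(environ[ENV_KEY])
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if parser.has_option("ldap", "ignore_malformed_schema"):
        return parse_strict_bool(parser.get("ldap", "ignore_malformed_schema"))
    return False  # option absent: keep schema validation on


def apply_to_ldap3(flag, set_config_parameter):
    """Relax ldap3 only on explicit opt-in; returns True if it was relaxed.

    In real use, pass ldap3.set_config_parameter as the second argument.
    """
    if flag:
        set_config_parameter("IGNORE_MALFORMED_SCHEMA", True)
    return flag


# Constructed sample configs (not from a real deployment).
CFG_ON = "[ldap]\nuri = ldaps://ldap.example.test\nignore_malformed_schema = True\n"
CFG_OFF = "[ldap]\nuri = ldaps://ldap.example.test\nignore_malformed_schema = False\n"
CFG_ABSENT = "[ldap]\nuri = ldaps://ldap.example.test\n"

if __name__ == "__main__":
    for name, cfg in (("on", CFG_ON), ("off", CFG_OFF), ("absent", CFG_ABSENT)):
        print(name, resolve_ignore_malformed_schema(cfg, {}))
    # The pitfall: a non-empty string read from config is truthy even when it says False.
    print("bool('False') ->", bool("False"))
```
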