Posted to dev@ambari.apache.org by Oliver Szabo <os...@hortonworks.com> on 2015/11/19 11:40:14 UTC

Review Request 40476: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40476/
-----------------------------------------------------------

Review request for Ambari, Dmytro Sen, Robert Levas, Robert Nettleton, and Sumit Mohanty.


Bugs: AMBARI-13943
    https://issues.apache.org/jira/browse/AMBARI-13943


Repository: ambari


Description
-------

LDAP users can't log in if multiple entries exist for a uid (uid=username in Ambari) -> SpringLdapTemplate throws an exception on multiple results.
UID is not unique in LDAP, and e.g. for FreeIPA, by default if you create a user, it creates 2 entries with the same uid (with different object classes).

On login Ambari uses the "(uid={username})" filter. Instead of that, I changed it to "(&(uid={username})(objectclass={userobjectclass}))". It is a relatively safe change, because if the user object class is set up wrongly, then the group membership pulling won't work anyway.

This change does not cover the case where there are multiple domain/forest users in LDAP (e.g. in AD). That will be in another review request in the future.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java f28ee50 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 9043439 

Diff: https://reviews.apache.org/r/40476/diff/


Testing
-------

Unit tests done.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:44 h
[INFO] Finished at: 2015-11-19T06:37:18+00:00
[INFO] Final Memory: 48M/734M
[INFO] ------------------------------------------------------------------------


Thanks,

Oliver Szabo
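
The filter change described in the review request above, as an added example that is not part of the original e-mail or of Ambari's code: a small in-memory directory in which one uid has two entries, searched with the old and the new login filter. The entries, DNs, object class names, function names and the RFC 4515 value escaping are assumptions of this example.

```python
# Added illustration. Entries, DNs and object class names are constructed;
# attribute names are stored lowercase because LDAP attribute names are
# case-insensitive.
DIRECTORY = [
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["jdoe"], "objectclass": ["top", "person", "posixAccount"]},
    {"dn": "uid=jdoe,cn=users,cn=compat,dc=example,dc=com",
     "uid": ["jdoe"], "objectclass": ["top", "exampleCompatEntry"]},
    {"dn": "uid=asmith,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["asmith"], "objectclass": ["top", "person", "posixAccount"]},
]

class AmbiguousUser(Exception):
    """More than one entry matched a lookup that must be unique."""

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an assertion value."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)

def old_filter(username):
    return [("uid", username)]

def new_filter(username, user_object_class):
    return [("uid", username), ("objectclass", user_object_class)]

def render(conditions):
    """Render equality conditions as an LDAP filter string."""
    parts = ["(%s=%s)" % (a, escape_filter_value(v)) for a, v in conditions]
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)

def search(conditions):
    """Return DNs of entries matching every condition (case-insensitive)."""
    def matches(entry):
        return all(v.lower() in [x.lower() for x in entry.get(a, [])]
                   for a, v in conditions)
    return [e["dn"] for e in DIRECTORY if matches(e)]

def find_single_user(conditions):
    """Authentication lookup: exactly one entry, or fail closed."""
    hits = search(conditions)
    if len(hits) > 1:
        raise AmbiguousUser("%s matched %d entries" % (render(conditions), len(hits)))
    return hits[0] if hits else None

if __name__ == "__main__":
    print(render(old_filter("jdoe")), search(old_filter("jdoe")))
    print(render(new_filter("jdoe", "person")),
          find_single_user(new_filter("jdoe", "person")))
```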


Re: Review Request 40476: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40476/#review108225
-----------------------------------------------------------

Ship it!


- Robert Levas




Re: Review Request 40476: Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40476/#review108344
-----------------------------------------------------------

Ship it!


- Robert Nettleton

