Posted to issues@kylin.apache.org by "Peng Xing (JIRA)" <ji...@apache.org> on 2018/03/02 03:42:00 UTC

[jira] [Commented] (KYLIN-3197) When ldap is opened, I use an ignored case user to login, the page does not respond.

    [ https://issues.apache.org/jira/browse/KYLIN-3197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16383115#comment-16383115 ] 

Peng Xing commented on KYLIN-3197:
----------------------------------

Hi [~Aron.tao], I was so busy before, so I began to reanalyze this issue yesterday.
I have now found the underlying reason why we cannot fetch the group with a case-ignored username: it is caused by the default configuration of OpenLDAP, namely the file 'nis.schema'. You can see the detailed configuration of the attribute 'memberUid' as follows.

{code:java}
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

{code}
The 'caseExactIA5Match' and 'caseExactIA5SubstringsMatch' show that the attribute 'memberUid' must be case sensitive. When I change them to 'caseIgnoreIA5Match' and 'caseIgnoreIA5SubstringsMatch', then rebuild the directory 'slapd.d', then restart the slapd service, it is OK: we can use the username 'WKH' to fetch the group 'wkhGroup', although the actual username should be 'wkh'.
But then we would have to modify the default configuration of OpenLDAP, which is not a good or suitable way for us; we should find a way that works with default OpenLDAP. So from the aspect of default OpenLDAP and Spring Security, this problem cannot be solved, so we should modify the Kylin code.
So I still maintain my previous method. What is your suggestion? Thanks!

> When ldap is opened, I use an ignored case user to login, the page does not respond.
> ------------------------------------------------------------------------------------
>
>                 Key: KYLIN-3197
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3197
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: v2.3.0
>            Reporter: Peng Xing
>            Assignee: Peng Xing
>            Priority: Major
>              Labels: patch
>             Fix For: Future
>
>         Attachments: 0001-KYLIN-3197-When-ldap-is-opened-I-use-an-ignored-case.patch, image-2018-01-25-17-22-39-970.png, image-2018-02-06-14-09-32-591.png, image-2018-02-08-15-32-25-030.png, image-2018-02-08-15-33-07-277.png, image-2018-02-08-15-33-54-480.png, image-2018-02-08-15-35-03-902.png, image-2018-02-12-12-15-00-574.png, image-2018-02-12-12-15-28-826.png, image-2018-02-12-12-15-39-132.png, image-2018-02-12-12-25-15-793.png
>
>
> When ldap is opened, I configure kylin.properties and give wkhGroup the admin permission.
> {code:java}
> ## Admin roles in LDAP, for ldap and saml
> kylin.security.acl.admin-role=wkhGroup
> {code}
> Then I create a new user named 'wkh' whose group is 'wkhGroup', and I use 'wkh' to log in, which is normal.
>  But when I use 'WKH' to log in, the page does not respond.
>  I analyzed the background code and found that the function 'org.apache.kylin.rest.security.LDAPAuthoritiesPopulator.getGroupMembershipRoles(String, String)' has a problem.
>  When userDn is "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com" and username is "WKH", authorities will be an empty Set from the following code:
> {code:java}
> Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
> {code}
> So I have added a 'getAdditionalRoles' function to get the authorities again.
>  I have tested the patch, please review, thanks!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
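
The mismatch described in this thread, as an added example that is not part of the original message or of the attached patch: a simplified model of the two equality rules applied to a constructed 'wkhGroup' entry, plus one possible application-side approach (an assumption here, not necessarily what 'getAdditionalRoles' does) that searches groups with the uid taken from the DN the directory returned instead of the name the user typed. All function names are hypothetical.

```python
# Added illustration: simplified models of the IA5 equality rules in nis.schema.
# The group entry and every helper name below are constructed for this example.

def case_exact_ia5_match(asserted: str, stored: str) -> bool:
    """caseExactIA5Match: the asserted value must equal the stored one exactly."""
    return asserted == stored

def case_ignore_ia5_match(asserted: str, stored: str) -> bool:
    """caseIgnoreIA5Match: values are compared after case folding."""
    return asserted.lower() == stored.lower()

# Constructed posixGroup entry using the names from the issue.
GROUPS = [{"cn": "wkhGroup", "memberUid": ["wkh"]}]

def groups_for(member_uid: str, rule) -> set:
    """Evaluate the filter (memberUid=<member_uid>) under the given rule."""
    return {g["cn"] for g in GROUPS
            if any(rule(member_uid, stored) for stored in g["memberUid"])}

def uid_from_dn(user_dn: str) -> str:
    """Return the uid exactly as the directory stores it, from the first RDN.
    Simplified: assumes no escaped commas and no multi-valued RDN."""
    attr, _, value = user_dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "uid" or not value:
        raise ValueError("first RDN is not a uid")
    return value.strip()

def resolve_groups(user_dn: str, rule) -> set:
    """Search groups with the directory's spelling of the uid, so the
    result no longer depends on how the login name was typed."""
    return groups_for(uid_from_dn(user_dn), rule)

if __name__ == "__main__":
    dn = "uid=wkh,ou=People,ou=defaultCluster,dc=zdh,dc=com"
    print("typed WKH, exact rule  :", groups_for("WKH", case_exact_ia5_match))
    print("typed WKH, ignore rule :", groups_for("WKH", case_ignore_ia5_match))
    print("uid from DN, exact rule:", resolve_groups(dn, case_exact_ia5_match))
```
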