Posted to issues-all@impala.apache.org by "Thomas Tauber-Marshall (Jira)" <ji...@apache.org> on 2020/04/01 16:45:00 UTC
[jira] [Resolved] (IMPALA-6110) LDAP authentication improvement using multiple LDAP searches instead of only ldap_sasl_bind_s
[ https://issues.apache.org/jira/browse/IMPALA-6110?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Tauber-Marshall resolved IMPALA-6110.
--------------------------------------------
Fix Version/s: Impala 4.0
Resolution: Fixed
I think the use case described here can be satisfied by the work done for IMPALA-2563.
> LDAP authentication improvement using multiple LDAP searches instead of only ldap_sasl_bind_s
> ---------------------------------------------------------------------------------------------
>
> Key: IMPALA-6110
> URL: https://issues.apache.org/jira/browse/IMPALA-6110
> Project: IMPALA
> Issue Type: Improvement
> Components: Frontend
> Affects Versions: Impala 2.9.0
> Reporter: Adriano
> Assignee: Thomas Tauber-Marshall
> Priority: Major
> Fix For: Impala 4.0
>
>
> Currently Impala uses "ldap_sasl_bind_s" to authenticate LDAP users, and it doesn't accept any 'LDIF' filter to restrict user authentication (for example, to users that belong to a specific, defined LDAP group):
> {code:java}
>   // Map the password into a credentials structure
>   struct berval cred;
>   cred.bv_val = const_cast<char*>(pass);
>   cred.bv_len = passlen;
>   VLOG_QUERY << "Trying simple LDAP bind for: " << user_str;
>   rc = ldap_sasl_bind_s(ld, user_str.c_str(), LDAP_SASL_SIMPLE, &cred,
>       NULL, NULL, NULL);
>   // Free ld
>   ldap_unbind_ext(ld, NULL, NULL);
>   if (rc != LDAP_SUCCESS) {
>     LOG(WARNING) << "LDAP authentication failure for " << user_str
>                  << " : " << ldap_err2string(rc);
>     return SASL_FAIL;
>   }
>   VLOG_QUERY << "LDAP bind successful";
>   return SASL_OK;
> }
> {code}
> "ldap_sasl_bind_s" does not accept filters [2], and you cannot use the LDIF approach to specify an additional rule after the CN.
> It works differently for the search call "ldap_search_s", where filters are supported [3].
> ==USE CASE==
> An 'ImpalaUsers' group has been created in our LDAP and the corresponding users have been added, so:
> {code:java}
> ldapsearch -x -h our-ldap-host -b "uid=someuser,ou=people,dc=eget,dc=fi" \
>   "(&(memberOf=cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi))"
> {code}
> returns a record for this user, i.e.
> {code:java}
> dn: uid=someuser,ou=people,dc=eget,dc=fi
> memberOf: cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi
> .....
> title: ....
> telephoneNumber: ....
> ......
> {code}
> However, the intended authentication in Impala doesn't work, as it doesn't search; it looks like it binds directly.
> Thank you in advance for evaluating this implementation.
> Adriano
> --
> [1] https://github.com/cloudera/Impala/blob/cdh5-2.9.0_5.12.0/be/src/rpc/authentication.cc#L179-L264
> [2] https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/apis/ldap_sasl_bind_s.htm
> [3] https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/apis/ldap_search_s.htm
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
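The bind-then-search flow the issue asks for, as an added example that is not Impala's code and not the change made for IMPALA-2563: bind as the user's DN to prove the password, then run the same query as the ldapsearch in the issue (base = the user's own DN, filter = memberOf the Impala group) and only accept the login if exactly one entry comes back. The FakeDirectory class, the two sample entries, the passwords and the uid allow-list are constructed for this illustration; the base DN and group DN are taken from the issue text. Two caveats a practitioner would want are built in: a uid is refused before it is spliced into a DN unless it matches a strict allow-list, and an empty password is refused before it reaches the server, because a simple bind with a DN and empty credentials is an "unauthenticated" bind (RFC 4513, section 5.1.2) that some servers answer with success. The group DN is escaped per RFC 4515 before it is placed in the filter, and the fake search evaluates only AND-combined equality filters, which is all this check needs.

```python
import re

# RFC 4515 section 3: escape the characters that have meaning inside a search
# filter so that attacker-controlled text cannot rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_ldif(text: str) -> dict:
    """Tiny LDIF reader: 'attr: value' lines into {attr: [values]} (no folding, no base64)."""
    entry: dict = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def _matches(attrs: dict, filt: str) -> bool:
    """Evaluate a filter of '&'-combined equality items, e.g. (&(a=x)(b=y)) or (a=x).
    Attribute names compare case-insensitively; values compare exactly (enough here)."""
    items = re.findall(r"\(([A-Za-z][\w;-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", filt)
    return bool(items) and all(
        unescape_filter_value(v) in attrs.get(a.lower(), []) for a, v in items)


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real client library)."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries = entries      # dn -> {attr: [values]}
        self.passwords = passwords  # dn -> password

    def simple_bind(self, dn: str, password: str) -> bool:
        # Models a real-server pitfall: DN plus empty password is an
        # "unauthenticated" bind (RFC 4513 5.1.2) that some servers accept.
        if password == "":
            return True
        return self.passwords.get(dn) == password

    def search(self, base_dn: str, filt: str) -> list:
        # Base-scope search: only the entry at base_dn itself is examined.
        attrs = self.entries.get(base_dn)
        return [base_dn] if attrs is not None and _matches(attrs, filt) else []


USER_BASE = "ou=people,dc=eget,dc=fi"                          # from the issue
IMPALA_GROUP = "cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi"  # from the issue
UID_RE = re.compile(r"[A-Za-z0-9._-]+")  # allow-list applied before the uid enters a DN


def authenticate(directory, uid: str, password: str, group_dn: str = IMPALA_GROUP) -> bool:
    """Bind as the user, then require membership in group_dn via a filtered search."""
    if not UID_RE.fullmatch(uid):
        return False                      # refuse DN/filter metacharacters outright
    if password == "":
        return False                      # never let an empty password reach the server
    user_dn = f"uid={uid},{USER_BASE}"
    if not directory.simple_bind(user_dn, password):
        return False                      # wrong password: same outcome as a bind-only check
    # The extra step IMPALA-6110 asks for: same query as the ldapsearch in the issue.
    filt = f"(memberOf={escape_filter_value(group_dn)})"
    return len(directory.search(user_dn, filt)) == 1


# Constructed sample entries shaped like the ldapsearch output in the issue.
SAMPLE_ENTRIES = {
    f"uid=someuser,{USER_BASE}": parse_ldif("""
dn: uid=someuser,ou=people,dc=eget,dc=fi
memberOf: cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi
memberOf: cn=Everyone,ou=DataPlatform,dc=eget,dc=fi
title: Data engineer
"""),
    f"uid=outsider,{USER_BASE}": parse_ldif("""
dn: uid=outsider,ou=people,dc=eget,dc=fi
memberOf: cn=Everyone,ou=DataPlatform,dc=eget,dc=fi
title: Accountant
"""),
}
SAMPLE_PASSWORDS = {f"uid=someuser,{USER_BASE}": "s3cret", f"uid=outsider,{USER_BASE}": "pa55"}
DIRECTORY = FakeDirectory(SAMPLE_ENTRIES, SAMPLE_PASSWORDS)

if __name__ == "__main__":
    for uid, pw in [("someuser", "s3cret"), ("someuser", "wrong"), ("outsider", "pa55"), ("someuser", "")]:
        print(f"{uid!r:12} {pw!r:9} -> {'allowed' if authenticate(DIRECTORY, uid, pw) else 'denied'}")
```

The "outsider" case is the one the issue is about: the password is correct, so a bind-only check like the quoted Impala code would admit the user, while the filtered search after the bind denies them because the entry lacks the required memberOf value. Against a real server the same two calls are a simple bind followed by a base-scope search on the bound DN; the allow-list on the uid and the empty-password refusal stay the same.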