Posted to issues-all@impala.apache.org by "Thomas Tauber-Marshall (Jira)" <ji...@apache.org> on 2020/04/01 16:45:00 UTC

[jira] [Resolved] (IMPALA-6110) LDAP authentication improvement using multiple LDAP searches instead of only ldap_sasl_bind_s

     [ https://issues.apache.org/jira/browse/IMPALA-6110?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Tauber-Marshall resolved IMPALA-6110.
--------------------------------------------
    Fix Version/s: Impala 4.0
       Resolution: Fixed

I think the use case described here can be satisfied by the work done for IMPALA-2563.

> LDAP authentication improvement using multiple LDAP searches instead of only ldap_sasl_bind_s
> ---------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-6110
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6110
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Frontend
>    Affects Versions: Impala 2.9.0
>            Reporter: Adriano
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>             Fix For: Impala 4.0
>
>
> Currently Impala uses "ldap_sasl_bind_s" to authenticate LDAP users, and it doesn't accept any 'LDIF' filter to restrict the user authentication (for example, to users that belong to a specific LDAP group):
> {code:java}
>   // Map the password into a credentials structure
>   struct berval cred;
>   cred.bv_val = const_cast<char*>(pass);
>   cred.bv_len = passlen;
>   VLOG_QUERY << "Trying simple LDAP bind for: " << user_str;
>   rc = ldap_sasl_bind_s(ld, user_str.c_str(), LDAP_SASL_SIMPLE, &cred,
>       NULL, NULL, NULL);
>   // Free ld
>   ldap_unbind_ext(ld, NULL, NULL);
>   if (rc != LDAP_SUCCESS) {
>     LOG(WARNING) << "LDAP authentication failure for " << user_str
>                  << " : " << ldap_err2string(rc);
>     return SASL_FAIL;
>   }
>   VLOG_QUERY << "LDAP bind successful";
>   return SASL_OK;
> }
> {code}
> The "ldap_sasl_bind_s" call does not accept filters[2], and you cannot use the LDIF approach to specify an additional rule after the CN.
> It works differently in the search call "ldap_search_s", where filters are supported[3].
> ==USE CASE==
> 'ImpalaUsers' group has been created in our LDAP and corresponding users have been added, so:
> {code:java}
> ldapsearch -x -h our-ldap-host -b "uid=someuser,ou=people,dc=eget,dc=fi" "(&(memberOf=cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi))"
> # returns a record for this user, i.e.
> dn: uid=someuser,ou=people,dc=eget,dc=fi
> memberOf: cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi
> .....
> title: ....
> telephoneNumber: ....
> ......
> {code}
> However, the intended authentication in Impala doesn't work, as it doesn't search; it looks like it binds directly, and that's it.
> Thank you in advance for evaluating this implementation.
> Adriano
> --
> [1] https://github.com/cloudera/Impala/blob/cdh5-2.9.0_5.12.0/be/src/rpc/authentication.cc#L179-L264
> [2] https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/apis/ldap_sasl_bind_s.htm
> [3] https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/apis/ldap_search_s.htm
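
As an added illustration (not Impala's code, and not the patch for IMPALA-2563), here is a Python sketch of the search-then-bind flow the issue asks for, run against a constructed in-memory directory; the connection object mirrors python-ldap's search_s/simple_bind_s method names, and the filter uses the base DN and group from the issue. It also adds two checks a practitioner wants in this flow: RFC 4515 escaping of the user-supplied name, and rejecting an empty password, which a simple bind treats as an unauthenticated bind that some servers accept.

```python
import re
BASE_DN = "ou=people,dc=eget,dc=fi"                        # base DN from the issue
GROUP_DN = "cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi"  # group from the issue
SCOPE_SUBTREE = 2                                          # same value as ldap.SCOPE_SUBTREE

class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS (assumed name, not python-ldap's)."""

def escape_filter(value):
    """RFC 4515 escaping: keeps a user-supplied name from rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def authenticate(conn, username, password):
    """Search-then-bind: True only for a unique group member whose password binds."""
    # An empty password turns a simple bind into an *unauthenticated* bind that
    # some servers accept (RFC 4513 section 5.1.2), so refuse it up front.
    if not password:
        return False
    # Step 1: on the service/anonymous session, search for exactly one entry with
    # this uid that is also a group member; a bare bind cannot express this.
    flt = "(&(uid=%s)(memberOf=%s))" % (escape_filter(username), escape_filter(GROUP_DN))
    hits = conn.search_s(BASE_DN, SCOPE_SUBTREE, flt)
    if len(hits) != 1:
        return False  # unknown user, not in the group, or ambiguous match
    dn = hits[0][0]
    # Step 2: bind as the resolved DN with the user's own password.
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True

class FakeDirectory:
    """Constructed in-memory directory; only understands the filter built above."""
    FILTER = re.compile(r"^\(&\(uid=(.*)\)\(memberOf=(.*)\)\)$")
    def __init__(self, entries):
        self.entries = entries  # dn -> {"uid", "memberOf", "password"}
    def search_s(self, base, scope, flt):
        uid, group = self.FILTER.match(flt).groups()
        return [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(base) and e["uid"] == uid and group in e["memberOf"]]
    def simple_bind_s(self, dn, password):
        if self.entries.get(dn, {}).get("password") != password:
            raise InvalidCredentials(dn)

# Constructed sample data: one ImpalaUsers member and one user outside the group.
DIRECTORY = FakeDirectory({
    "uid=someuser,ou=people,dc=eget,dc=fi": {"uid": "someuser", "memberOf": [GROUP_DN], "password": "s3cret"},
    "uid=other,ou=people,dc=eget,dc=fi": {"uid": "other", "memberOf": [], "password": "hunter2"},
})
```

With a real server, replace FakeDirectory by a python-ldap connection that has already been bound as the search service account; the authenticate logic is unchanged.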


