Posted to issues-all@impala.apache.org by "Tamas Mate (Jira)" <ji...@apache.org> on 2021/03/07 10:09:00 UTC

[jira] [Resolved] (IMPALA-10161) User LDAP search bind support

     [ https://issues.apache.org/jira/browse/IMPALA-10161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tamas Mate resolved IMPALA-10161.
---------------------------------
    Fix Version/s: Impala 4.0
       Resolution: Fixed

> User LDAP search bind support
> -----------------------------
>
>                 Key: IMPALA-10161
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10161
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Security
>    Affects Versions: Impala 3.4.0
>            Reporter: Tamas Mate
>            Assignee: Tamas Mate
>            Priority: Major
>             Fix For: Impala 4.0
>
>
> Currently Impala only supports a simple direct bind mechanism to authenticate a user, while other components allow the administrators to specify a user search base DN, an administrator bind DN and a bind password to search for the user under the user search base directory.
> This method is especially useful for larger organizations where the directory structure is wide. Given the following two FQDNs:
> {code:java}
> uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com
> uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com
> {code}
> In case the administrator would like to allow both Engineering and Accounting users to authenticate, neither the ldap_baseDN nor the ldap_bind_pattern configuration could give the flexibility to authenticate correctly.
>  * ldap_baseDN takes the configured baseDN and prefixes it with _uid=<userid>_
>  * ldap_bind_pattern gives the option to specify a pattern with a parameter such as _user=#UID,OU=foo,CN=bar_
> The convenient solution would be to specify a base dn and execute a search under it instead of prefixing it with uid, because this depends on the LDAP directory structure.
> LDAP search has already been implemented for groups; this should be implemented for users as well.
> The option to configure the group filters with LDAP filters should be added to the group check as well.
>   



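The difference between the two direct bind options and a search bind, as an added example that is not part of the original message and is not Impala's code. The function names are hypothetical, the directory is constructed from the two DNs quoted in the issue, and the search models only an equality match on uid under a subtree.

```python
# Added illustration, not Impala code. Function names are hypothetical.
# Constructed directory: the two DNs quoted in the issue.
DIRECTORY = [
    "uid=alice,ou=Engineering,ou=People,dc=mycompany,dc=com",
    "uid=bob,ou=Accounting,ou=People,dc=mycompany,dc=com",
]
PEOPLE = "ou=People,dc=mycompany,dc=com"

def dn_from_base(user, base_dn):
    """Direct bind as the issue describes ldap_baseDN: prefix the base with uid=<userid>."""
    return f"uid={user},{base_dn}"

def dn_from_pattern(user, pattern):
    """Direct bind as the issue describes ldap_bind_pattern: fill #UID into one fixed pattern."""
    return pattern.replace("#UID", user)

def user_search_filter(user):
    """Filter for the user lookup, with RFC 4515 escaping so the login name
    is matched literally and cannot change the filter's structure."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in user)
    return f"(uid={escaped})"

def search_bind_dn(user, search_base, directory=DIRECTORY):
    """Search bind, step 1: find the user's entry anywhere under search_base.
    Models a subtree search with an equality match on uid (literal compare,
    which is what the escaped filter asks the server to do). The returned DN
    is what the user's password would then be checked against with a bind."""
    suffix = "," + search_base.lower()
    hits = [dn for dn in directory
            if dn.lower().endswith(suffix)
            and dn.split(",", 1)[0].lower() == "uid=" + user.lower()]
    # Require exactly one entry; zero or several matches must fail the login.
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, dn_from_base(user, PEOPLE) in DIRECTORY, search_bind_dn(user, PEOPLE))
```

A base of ou=People produces a DN that exists for neither user, and a pattern pinned to one OU covers only that OU, while the search resolves both users from the same base.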