Posted to dev@ranger.apache.org by "Sailaja Polavarapu (JIRA)" <ji...@apache.org> on 2017/05/02 21:20:04 UTC

[jira] [Commented] (RANGER-1554) Ranger AD search filter is not get honored when logging into admin UI

    [ https://issues.apache.org/jira/browse/RANGER-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15993778#comment-15993778 ] 

Sailaja Polavarapu commented on RANGER-1554:
--------------------------------------------

The Spring Framework version that is used in Ranger has a bug where the search filter is hard-coded to "(&(objectClass=user)(userPrincipalName={0}))" and has no API to overwrite this value. This lets all the users in the root domain (derived from the domain name in the configuration) authenticate as long as the password is valid.
Currently Ranger uses the 3.1.3 release version of springframework security. Looks like this is fixed in 3.2.7 onwards, where there is an API to modify the search filter.

> Ranger AD search filter is not get honored when logging into admin UI
> ---------------------------------------------------------------------
>
>                 Key: RANGER-1554
>                 URL: https://issues.apache.org/jira/browse/RANGER-1554
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.7.0
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>             Fix For: 1.0.0
>
>
> In order to allow only users of a particular group to login to Ranger Admin UI, we set the search filter as below in ranger-admin-site.xml :
> —
> <property>
> <name>ranger.ldap.user.searchfilter</name>
> <value>(&(sAMAccountName={0})(memberOf=CN=grp1,OU=groups1,DC=apache,DC=org))</value>
> </property>
> —
> But still the users from other groups like grp2 are able to login to ranger admin UI.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
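
An added example, not part of the original message and not Ranger or Spring code: a simplified, equality-only LDAP filter evaluator run over two constructed directory entries, showing why the hard-coded filter matches a grp2 user that the configured filter would reject. The directory entries, the `apache.org` UPN suffix, the function names, and substituting `user@domain` for `{0}` in the hard-coded filter are assumptions.

```python
import re

# Both filters are copied from the page (hard-coded one vs. ranger-admin-site.xml).
HARDCODED = "(&(objectClass=user)(userPrincipalName={0}))"
CONFIGURED = "(&(sAMAccountName={0})(memberOf=CN=grp1,OU=groups1,DC=apache,DC=org))"

# Constructed sample entries (assumption: UPN suffix apache.org).
DIRECTORY = [
    {"objectClass": ["user"], "sAMAccountName": ["alice"], "userPrincipalName": ["alice@apache.org"],
     "memberOf": ["CN=grp1,OU=groups1,DC=apache,DC=org"]},
    {"objectClass": ["user"], "sAMAccountName": ["bob"], "userPrincipalName": ["bob@apache.org"],
     "memberOf": ["CN=grp2,OU=groups1,DC=apache,DC=org"]},
]

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids = s[i], []
        i += 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids or s[i:i + 1] != ")":
            raise ValueError(f"malformed {op} clause at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, eq, value = s[i:end].partition("=")
    if end < 0 or not eq:
        raise ValueError(f"malformed comparison at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality only)."""
    if node[0] == "=":
        values = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
        return node[2] in (v.lower() for v in values)
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def admitted(template, value):
    """Return sAMAccountNames of entries matching the filter with {0} := value."""
    if re.search(r"[()*\\\x00]", value):
        raise ValueError("value contains LDAP filter metacharacters")
    tree, _ = parse(template.replace("{0}", value))
    return [e["sAMAccountName"][0] for e in DIRECTORY if matches(tree, e)]
```

Calling `admitted(HARDCODED, "bob@apache.org")` returns the grp2 user, while `admitted(CONFIGURED, "bob")` returns an empty list because the `memberOf` clause is actually evaluated.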