Ambari: AMBARI-16875

LDAP sync cannot handle if the member attribute value is not DN or id


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.4.0
    • Component/s: ambari-server
    • Labels: None

    Description

      If the member attribute value looks like this:
      "<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org", then the sync stops working.

      Adding 2 new properties (to find the DN or the id of the member):
      "authentication.ldap.sync.userMemberReplacePattern"
      "authentication.ldap.sync.groupMemberReplacePattern"
      These values are empty by default.

      Example usage:
      If we get this as the ldapsearch response for a group member,
      member="<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org",
      we need to define a regex containing a named group "member" that specifies the location of the DN or id, e.g. (?<member>.*):
      authentication.ldap.sync.userMemberReplacePattern=(?<sid>.*);(?<guid>.*);(?<member>.*)

      Then the result will be: "cn=myCn,dc=apache,dc=org"

      Also added 2 other new properties for an alternative solution:
      "authentication.ldap.sync.userMemberFilter"
      "authentication.ldap.sync.groupMemberFilter"
      These values are also empty by default.

      Example usage:
      If the group entry contains
      memberUid=mymemberId
      then you can specify the filter for user sync:
      "authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))"

      That filter will be used (with the baseDN) to look up the user with that memberUid:
      (&(objectclass=posixaccount)(uid=mymemberid))
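      The following Java snippet is an added illustration of how the two property families described above are expected to behave; it is not Ambari's code and not part of the patch. It applies the issue's own replace pattern to a constructed member value (the SID and GUID contents are placeholders), and builds the posixaccount filter from the {member} template. Two details are assumptions made here rather than statements about Ambari's implementation: a value that does not match the configured pattern is reported as "no match" so the caller can skip and log it instead of syncing a malformed DN, and the value substituted into the filter is escaped per RFC 4515 so LDAP filter metacharacters in a member attribute cannot alter the query.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration of the *MemberReplacePattern and *MemberFilter
 * mechanisms from AMBARI-16875. Not Ambari's code.
 */
public class LdapMemberResolution {

    /** Constructed sample value modelled on the "<SID=...>;<GUID=...>;cn=..." case. */
    static final String SAMPLE_MEMBER =
            "<SID=example-sid>;<GUID=example-guid>;cn=myCn,dc=apache,dc=org";

    /** The authentication.ldap.sync.userMemberReplacePattern value from the issue. */
    static final String REPLACE_PATTERN = "(?<sid>.*);(?<guid>.*);(?<member>.*)";

    /** The authentication.ldap.sync.userMemberFilter value from the issue. */
    static final String MEMBER_FILTER = "(&(objectclass=posixaccount)(uid={member}))";

    /**
     * Apply a replace pattern. An empty pattern means "use the raw value";
     * otherwise the whole value must match and the named group "member" is taken.
     * Optional.empty() signals a non-matching value or a pattern that was
     * configured without a (?<member>...) group (assumed handling, not Ambari's).
     */
    static Optional<String> resolveMember(String rawValue, String replacePattern) {
        if (replacePattern == null || replacePattern.isEmpty()) {
            return Optional.of(rawValue);
        }
        Matcher m = Pattern.compile(replacePattern).matcher(rawValue);
        if (!m.matches()) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(m.group("member"));
        } catch (IllegalArgumentException noSuchGroup) {
            // Misconfiguration: the pattern has no group named "member".
            return Optional.empty();
        }
    }

    /**
     * Escape a value for use inside an LDAP search filter (RFC 4515, section 3),
     * so metacharacters in a directory attribute are treated as literal text.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Substitute the {member} placeholder of a member filter with the escaped value. */
    static String buildMemberFilter(String filterTemplate, String memberValue) {
        return filterTemplate.replace("{member}", escapeFilterValue(memberValue));
    }

    public static void main(String[] args) {
        // Composite member attribute -> DN via the replace pattern
        System.out.println(resolveMember(SAMPLE_MEMBER, REPLACE_PATTERN).orElse("<no match>"));
        // prints: cn=myCn,dc=apache,dc=org

        // memberUid value -> user lookup filter
        System.out.println(buildMemberFilter(MEMBER_FILTER, "mymemberid"));
        // prints: (&(objectclass=posixaccount)(uid=mymemberid))

        // A value containing filter metacharacters is escaped, not interpreted
        System.out.println(buildMemberFilter(MEMBER_FILTER, "x)(objectclass=*"));
        // prints: (&(objectclass=posixaccount)(uid=x\29\28objectclass=\2a))
    }
}
```

      Note that the greedy `.*` groups in the replace pattern rely on the DN part containing no `;`; if a DN can contain that character, a more specific pattern (for example anchoring on `<SID=` and `<GUID=`) is safer than three unrestricted groups.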

      Attachments

        1. AMBARI-16875.patch (18 kB, Oliver Szabo)


          People

            Assignee: Oliver Szabo (oleewere)
            Reporter: Oliver Szabo (oleewere)
            Votes: 0
            Watchers: 2
