[AMBARI-19632] Ldap sync fails when there are special characters in distinguished names - ASF JIRA

Attach files

Attach Screenshot

Voters

Stop watching

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4.0
Fix Version/s: 2.5.0, 2.4.3
Component/s: ambari-server
Labels:
- ldap

Description

Ldap sync fails when there are special characters in distinguished names.

For example if there was a user with the distinguished name of OU=test/test,OU=users,DC=EXAMPLE,DC=COM and that user was a member of a synced group, then the lookup of the user using the membership attribute in the group would fail due to the special character.

The error would look something like

REASON: Caught exception running LDAP sync. Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
]; remaining name 'OU=test/test,OU=users,DC=EXAMPLE,DC=COM'

Solution
Update the library versionf for Spring LDAP

org.springframework.security/spring-security-ldap to 4.0.4.RELEASE
org.springframework.ldap/spring-ldap-core to 2.0.4.RELEASE

Then use LdapUtils.newLdapName to convert a String representing a DN into a javax.naming.ldap.LdapName and use that object in the search facility executed in org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator#getFilteredLdapUsers(java.lang.String, org.springframework.ldap.filter.Filter).