Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
0.7-incubating, 0.7.1-incubating
-
None
-
Active Directory with Global Catalog
HDP 2.5.3.x
Description
After upgrading to HDP 2.5.3.x from HDP 2.4.x we noticed kerberos authentication for the UI no longer works. So we switched to utilize Active Directory and noticed that with ActiveDirectory it was attempting use UPN which is risky in a large Active Directory environment instead samAccountName should be used like in https://issues.apache.org/jira/browse/RANGER-457. I worked on a previous JIRA with Zeppelin https://issues.apache.org/jira/browse/ZEPPELIN-1472. So this has been addressed in Knox, Ranger, and Zeppelin. I propose the attached fix to address this issue as the Ranger folks addressed this issue. Without this Atlas will not function in a Large multi-forest Active Directory environment.
Details behind this change:
In our environment we attempted to use the ActiveDirectory and LDAP configuration but unfortunately those implementations do not support ADLDAP Global Catalog correctly. Also searching on "userPrincipalName" is risky in an AD environment since the explicit UPN vs Implicit UPN can be different. And the LDAP userPrincipalName attribute is the explicit UPN which can be defined by the directory administrator to any value and it can be duplicated.. SamAccountName is unique per domain and Microsoft states best practice is to not allow duplicate samAccountName's in the forest. I have attached a working modified AtlasADAuthenticationProvider which works against samAccountName and global catalog for auth as it is currently working against HDP 2.5.3.x and Atlas 0.7.x.
Info about IUPN/EUPN
http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
Attachments
Attachments
Issue Links
- links to
