Currently Impala only supports simple direct bind mechanism to authenticate a user. While other components allow the administrators to specify a user search base dn and an administrator bind dn and bind password to search for the user under the user search base directory.
This method is especially useful for larger organizations where the directory structure is wide. Given the following two FQDNs:
In case the administrator would like to allow both Engineering and Accounting users to authenticate neither the ldap_baseDN nor the ldap_bind_pattern configuration could give the flexibility to authenticate correctly.
- ldap_baseDN takes the configured baseDN and prefixes it with uid=<userid>
- ldap_bind_pattern gives the option to specify a pattern with a parameter such as user=#UID,OU=foo,CN=bar
The convenient solution would be to specify a base dn and execute a search under it instead of prefixing it with uid, because this depends on the LDAP directory structure.
LDAP search has already been implemented for groups, this should be implemented for users as well.
The option to configure the group filters with LDAP filters should be added to the group check as well.