Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Impala 2.9.0
- None
- ghx-label-6
Description
Currently Impala uses "ldap_sasl_bind_s" to authenticate LDAP users, and it doesn't accept any 'LDIF' filter to restrict user authentication (for example, to users that belong to a specific LDAP group) [1]:
```cpp
  // Map the password into a credentials structure
  struct berval cred;
  cred.bv_val = const_cast<char*>(pass);
  cred.bv_len = passlen;

  VLOG_QUERY << "Trying simple LDAP bind for: " << user_str;
  rc = ldap_sasl_bind_s(ld, user_str.c_str(), LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
  // Free ld
  ldap_unbind_ext(ld, NULL, NULL);
  if (rc != LDAP_SUCCESS) {
    LOG(WARNING) << "LDAP authentication failure for " << user_str << " : "
                 << ldap_err2string(rc);
    return SASL_FAIL;
  }

  VLOG_QUERY << "LDAP bind successful";
  return SASL_OK;
}
```
"ldap_sasl_bind_s" does not accept filters [2], so you cannot use the LDIF approach to specify an additional rule after the CN.
The search call "ldap_search_s" works differently: filters are supported there [3].
==USE CASE==
An 'ImpalaUsers' group has been created in our LDAP and the corresponding users have been added to it, so:
```
ldapsearch -x -h our-ldap-host -b "uid=someuser,ou=people,dc=eget,dc=fi" "(&(memberOf=cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi))"
```
returns a record for this user, i.e.
```
dn: uid=someuser,ou=people,dc=eget,dc=fi
memberOf: cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi
.....
title: ....
telephoneNumber: ....
......
```
However, the intended authentication in Impala doesn't work, as it doesn't search; it looks like it binds directly.
Thank you in advance for evaluating this implementation.
Adriano
–
[1] https://github.com/cloudera/Impala/blob/cdh5-2.9.0_5.12.0/be/src/rpc/authentication.cc#L179-L264
[2] https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/apis/ldap_sasl_bind_s.htm
[3] https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/apis/ldap_search_s.htm
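The bind-then-search flow the report asks for, written out as an added example that is not part of the issue or of Impala's code. It authenticates with a simple bind and then authorizes by searching the user's entry with a memberOf filter, which is the same two calls (ldap_sasl_bind_s followed by ldap_search_s) on a real libldap client. The in-memory FakeLdapClient, its filter evaluator, the sample entries and passwords, and the helper names are constructed for this example; the DNs reuse those from the ldapsearch above. The escaping helpers are the part a practitioner should not skip: a username is untrusted input, and placing it unescaped into a filter or a DN lets it change the structure of the query.

```python
"""Added example (not Impala's own code): authenticate with a simple bind and
then authorize with a filtered search, the two-step flow the report asks for.

The directory server is replaced by a constructed in-memory stand-in so the
flow runs offline; against a real server the two calls correspond to
ldap_sasl_bind_s (LDAP_SASL_SIMPLE) followed by ldap_search_s with the filter.
"""
import re

# RFC 4515: characters that must be hex-escaped inside a filter value.
# Without this, a username like "someuser)(uid=*" would change the filter's
# structure instead of being treated as a literal.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

# RFC 4514: characters that must be backslash-escaped inside a DN value.
_DN_SPECIAL = ',+"\\<>;'


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def group_filter(uid: str, group_dn: str) -> str:
    """Filter that matches the user's entry only if it lists the group in memberOf."""
    return "(&(uid=%s)(memberOf=%s))" % (escape_filter_value(uid), escape_filter_value(group_dn))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_COMPONENT = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _matches(attrs: dict, filter_str: str) -> bool:
    """Evaluate an AND of equality assertions, the only filter shape the fake server needs."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("fake server only understands (&(a=v)(b=v)...)")
    inner = filter_str[2:-1]
    parts = _COMPONENT.findall(inner)
    if "".join("(%s=%s)" % p for p in parts) != inner:
        raise ValueError("malformed filter: %r" % filter_str)
    return all(_unescape(v) in attrs.get(a.lower(), []) for a, v in parts)


class FakeLdapClient:
    """Constructed stand-in for a directory: a few entries plus their passwords."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries, self.passwords, self.bound_as = entries, passwords, None

    def bind(self, dn: str, password: str) -> bool:
        # Simple bind succeeds only for a known DN with the right password.
        ok = dn in self.passwords and self.passwords[dn] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn: str, filter_str: str) -> list:
        if self.bound_as is None:
            raise PermissionError("search requires a bound connection")
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith("," + base_dn) and _matches(attrs, filter_str)]


def authenticate(client, uid: str, password: str, people_base: str, group_dn: str) -> bool:
    """Bind as the user (authentication), then require a search hit under the
    group filter (authorization). Both must succeed."""
    user_dn = "uid=%s,%s" % (escape_dn_value(uid), people_base)
    if not client.bind(user_dn, password):
        return False
    return user_dn in client.search(people_base, group_filter(uid, group_dn))


# Constructed sample directory mirroring the DNs in the report.
PEOPLE = "ou=people,dc=eget,dc=fi"
IMPALA_USERS = "cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi"
DIRECTORY = {
    "uid=someuser,ou=people,dc=eget,dc=fi": {"uid": ["someuser"], "memberof": [IMPALA_USERS]},
    "uid=otheruser,ou=people,dc=eget,dc=fi": {
        "uid": ["otheruser"], "memberof": ["cn=Analysts,ou=DataPlatform,dc=eget,dc=fi"]},
}
PASSWORDS = {
    "uid=someuser,ou=people,dc=eget,dc=fi": "someuser-password",
    "uid=otheruser,ou=people,dc=eget,dc=fi": "otheruser-password",
}


def demo_client() -> FakeLdapClient:
    return FakeLdapClient(DIRECTORY, PASSWORDS)


if __name__ == "__main__":
    for uid, pw in [("someuser", "someuser-password"), ("otheruser", "otheruser-password")]:
        allowed = authenticate(demo_client(), uid, pw, PEOPLE, IMPALA_USERS)
        print(uid, "->", "allowed" if allowed else "denied")
```

Running it prints `someuser -> allowed` and `otheruser -> denied`: both users bind successfully, but only the one whose entry carries the ImpalaUsers memberOf value passes the search. The fake evaluator deliberately rejects any filter that is not a flat AND of equality assertions, so a username that reaches the filter unescaped fails loudly rather than silently widening the match; with a real server, the same escaping keeps the filter's meaning fixed regardless of what the client typed.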