IMPALA-6110

LDAP authentication improvement using multiple LDAP searches instead of only ldap_sasl_bind_s


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 2.9.0
    • Fix Version/s: Impala 4.0.0
    • Component/s: Frontend

    Description

      Currently Impala uses "ldap_sasl_bind_s" to authenticate LDAP users, and it doesn't accept any 'LDIF' filter to restrict user authentication (for example, to users that belong to a specific LDAP group):

        // Excerpt from be/src/rpc/authentication.cc [1]; the beginning of the
        // enclosing function is not shown.
        // Map the password into a credentials structure
        struct berval cred;
        cred.bv_val = const_cast<char*>(pass);
        cred.bv_len = passlen;

        VLOG_QUERY << "Trying simple LDAP bind for: " << user_str;

        // A single simple bind: the credentials are checked, but no filter
        // (e.g. group membership) can be applied to the user
        rc = ldap_sasl_bind_s(ld, user_str.c_str(), LDAP_SASL_SIMPLE, &cred,
            NULL, NULL, NULL);
        // Free ld
        ldap_unbind_ext(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
          LOG(WARNING) << "LDAP authentication failure for " << user_str
                       << " : " << ldap_err2string(rc);
          return SASL_FAIL;
        }

        VLOG_QUERY << "LDAP bind successful";

        return SASL_OK;
      }


      "ldap_sasl_bind_s" does not accept filters [2], so you cannot use the LDIF approach to specify an additional rule after the CN.

      It works differently with the search call "ldap_search_s", where filters are supported [3].

      ==USE CASE==
      An 'ImpalaUsers' group has been created in our LDAP and the corresponding users have been added, so:

        ldapsearch -x -h our-ldap-host -b "uid=someuser,ou=people,dc=eget,dc=fi" "(&(memberOf=cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi))"

      returns a record for this user, i.e.

        dn: uid=someuser,ou=people,dc=eget,dc=fi
        memberOf: cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi
        .....
        title: ....
        telephoneNumber: ....
        ......


      However, the intended authentication in Impala doesn't work, as it doesn't search; it looks like it binds directly instead.

      Thank you in advance for evaluating this implementation.
      Adriano

      [1] https://github.com/cloudera/Impala/blob/cdh5-2.9.0_5.12.0/be/src/rpc/authentication.cc#L179-L264
      [2] https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/apis/ldap_sasl_bind_s.htm
      [3] https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/apis/ldap_search_s.htm
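An added example (not Impala's code) of the search-then-bind flow this issue asks for, written in Python: the user name is escaped per RFC 4515 before it is placed in the filter, exactly one matching member of the group must be found, and the bind is then done as that entry's DN with the user's password. FakeDirectory and its entries are constructed stand-ins for the LDAP server whose method names only mimic libldap's; in a real deployment the search itself would run under a separate service account bind.

```python
import re

# DNs taken from the issue's use case; the in-memory directory below is constructed.
BASE_DN = "ou=people,dc=eget,dc=fi"
GROUP_DN = "cn=ImpalaUsers,ou=DataPlatform,dc=eget,dc=fi"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_filter(uid: str) -> str:
    """Match the named user only if it is a member of GROUP_DN."""
    return f"(&(uid={escape_filter_value(uid)})(memberOf={GROUP_DN}))"

class FakeDirectory:
    """Stand-in for the LDAP server (not libldap); entries map dn -> attribute dict."""
    FILTER = re.compile(r"^\(&\(uid=([^()]*)\)\(memberOf=([^()]*)\)\)$")

    def __init__(self, entries):
        self.entries = entries

    def search_s(self, base, filt):
        m = self.FILTER.match(filt)
        if not m:  # a real server rejects a filter whose structure is broken
            raise ValueError("bad filter")
        uid = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [dn for dn, a in self.entries.items()
                if dn.endswith(base) and a["uid"] == uid and m.group(2) in a["memberOf"]]

    def simple_bind_s(self, dn, password):
        if self.entries.get(dn, {}).get("userPassword") != password:
            raise PermissionError("invalid credentials")

def authenticate(directory, uid: str, password: str) -> bool:
    """Search-then-bind: resolve exactly one group member, then bind as that DN."""
    if not password:  # RFC 4513: an empty password is an unauthenticated bind, never a login
        return False
    try:
        dns = directory.search_s(BASE_DN, build_filter(uid))
        if len(dns) != 1:  # zero or ambiguous matches both fail closed
            return False
        directory.simple_bind_s(dns[0], password)
    except (ValueError, PermissionError):
        return False
    return True

DIRECTORY = FakeDirectory({
    "uid=someuser,ou=people,dc=eget,dc=fi": {"uid": "someuser", "memberOf": [GROUP_DN], "userPassword": "s3cret"},
    "uid=outsider,ou=people,dc=eget,dc=fi": {"uid": "outsider", "memberOf": [], "userPassword": "pw"},
})
```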

      People
            Assignee: Thomas Tauber-Marshall (twmarshall)
            Reporter: Adriano (adrenas)