[ https://issues.apache.org/jira/browse/HADOOP-16525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16920058#comment-16920058 ]

Mingliang Liu commented on HADOOP-16525:
----------------------------------------

Sorry, I really don't have too much knowledge about LDAP internals. I think 
[~jojochuang] will have more context than I do. I follow the patch here and ask 
questions for discussion:

* I did not know the group search with filter 
{{(&(objectClass=group)(member=<DN>))}} could only return the "secondary" 
groups. If so, this patch looks good to me and I think it solves that problem. 
As the primary group should anyway be returned, adding it into the search 
filter should be safe. So I guess enabling this by default makes sense.
* {quote}
Namely, with FreeIPA, the 'member' attributes of the groups refer to the user 
by DN rather than by UID.
{quote}
In that case, the two search filters, with posixGroups enabled and disabled, 
will be effectively the same? I also did not know the LDAP protocol about this, 
if this is defined.
* I don't remember that the first group should be primary in the returned list. If 
it's the return value of the method {{LdapGroupsMapping::lookupGroup()}}, I guess 
the code is already broken, since after searching and before returning we are 
converting the groups to a set to ensure uniqueness and converting back to a list. 
Perhaps we can simply add the primary group to the front of the return list, 
instead of patching the search filter?

Thanks!

> LDAP group mapping should include primary posix group
> -----------------------------------------------------
>
>                 Key: HADOOP-16525
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16525
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Major
>         Attachments: hadoop-16525.txt
>
>
> When configuring LdapGroupsMapping against FreeIPA, the current 
> implementation searches for groups which have the user listed as a member. 
> This catches all "secondary" groups but misses the user's primary group 
> (typically the same name as their username). We should include a search for a 
> group matching the user's primary gidNumber in the group search.
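The two approaches discussed above (extending the search filter with a primary-gid lookup, versus prepending the primary group to the result list) as an added, self-contained example; this is not Hadoop's LdapGroupsMapping code. The member=<DN> filter is the one quoted in the comment; objectClass=posixGroup for the gidNumber lookup and the directory entries are assumptions, and the merge step shows why a plain set round trip loses the "primary first" ordering.

```python
from typing import List, Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN or gid pulled from directory data cannot
    change the structure of the filter it is interpolated into."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def secondary_groups_filter(user_dn: str) -> str:
    """The existing search: groups listing the user's DN as a member."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)

def primary_group_filter(gid_number: str) -> str:
    """The proposed addition: the group whose gidNumber is the user's primary gid.
    objectClass=posixGroup is an assumption, not taken from the issue."""
    return "(&(objectClass=posixGroup)(gidNumber=%s))" % escape_filter_value(gid_number)

def combined_filter(user_dn: str, gid_number: str) -> str:
    """One OR filter covering both cases, the way patching the search would."""
    return "(|%s%s)" % (secondary_groups_filter(user_dn), primary_group_filter(gid_number))

def merge_groups(primary: Optional[str], secondary: List[str]) -> List[str]:
    """Unique names with the primary group kept first; a plain set() round trip,
    as the comment points out, would throw that ordering away."""
    seen = set()
    result: List[str] = []
    for name in ([primary] if primary else []) + secondary:
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result

# Constructed entries standing in for FreeIPA group objects (not real data).
DIRECTORY = [
    {"cn": "alice", "objectClass": ["posixGroup"], "gidNumber": "1001", "member": []},
    {"cn": "hadoop", "objectClass": ["group", "posixGroup"], "gidNumber": "2000",
     "member": ["uid=alice,cn=users,dc=example,dc=com"]},
    {"cn": "admins", "objectClass": ["group"], "gidNumber": "3000",
     "member": ["uid=alice,cn=users,dc=example,dc=com"]},
]

def lookup_groups(user_dn: str, gid_number: str, directory=DIRECTORY) -> List[str]:
    """Evaluate both searches against the in-memory entries and merge them."""
    primary = [e["cn"] for e in directory
               if "posixGroup" in e["objectClass"] and e["gidNumber"] == gid_number]
    secondary = [e["cn"] for e in directory
                 if "group" in e["objectClass"] and user_dn in e["member"]]
    return merge_groups(primary[0] if primary else None, secondary)
```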



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
