[jira] [Commented] (HADOOP-18388) Allow dynamic groupSearchFilter in LdapGroupsMapping

Tue, 06 Sep 2022 15:37:09 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-18388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601037#comment-17601037
 ] 

ASF GitHub Bot commented on HADOOP-18388:
-----------------------------------------

lmccay commented on code in PR #4798:
URL: https://github.com/apache/hadoop/pull/4798#discussion_r964231336


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java:
##########
@@ -437,8 +443,14 @@ Set<String> lookupGroup(SearchResult result, DirContext c,
     Set<String> groupDNs = new HashSet<>();
 
     NamingEnumeration<SearchResult> groupResults;
-    // perform the second LDAP query
-    if (isPosix) {
+
+    String[] resolved = resolveCustomGroupFilterArgs(result);
+    // If custom group filter argument is supplied, use that!!!
+    if (resolved != null) {

Review Comment:
   I see. I was misinterpreting what isPOSIX was representing. This is resolved.





> Allow dynamic groupSearchFilter in LdapGroupsMapping
> ----------------------------------------------------
>
>                 Key: HADOOP-18388
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18388
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Ayush Saxena
>            Assignee: Ayush Saxena
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: dynamic-filter-idea.patch
>
>
> As of now the lookupGroup() method doesn't allow to have placeholders in 
> groupSearchFilter, so that can not be dynamically adjusted.
> If we have placeholders for groupSearchFilter like: 
> (&(|(XYZ=\{0})(ABC=\{1}))(objectClass=posixGroup))
> This fails here:
>  
> {code:java}
> groupResults =
>     c.search(groupbaseDN,
>         "(&" + groupSearchFilter + "(" + groupMemberAttr + "={0}))",
>         new Object[]{userDn},
>         SEARCH_CONTROLS); {code}
> With 
>  
>  
> {noformat}
> javax.naming.directory.InvalidSearchFilterException: number exceeds argument 
> list: 1; remaining name {noformat}
>  
> >>Dropped off or changed the details above which I thought won't be safe to 
> >>disclose.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to