-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40476/
-----------------------------------------------------------

Review request for Ambari, Dmytro Sen, Robert Levas, Robert Nettleton, and Sumit Mohanty.


Bugs: AMBARI-13943
    https://issues.apache.org/jira/browse/AMBARI-13943


Repository: ambari


Description
-------

LDAP users can't log in when multiple entries exist for a uid (uid=username in Ambari) -> SpringLdapTemplate throws an exception on multiple results.
UID is not unique in LDAP, and e.g. for FreeIPA, by default if you create a user, it creates 2 entries with the same uid (with different object classes).

On login Ambari uses the "(uid={username})" filter. Instead of that I changed it to "(&(uid={username})(objectclass={userobjectclass}))". It is a relatively safe change, because if the user object class is set up wrongly, then the group membership pulling won't work anyway.

This change does not cover the behavior when there are multiple domain/forest users in LDAP (e.g. in AD). It will be in another review request in the future.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java f28ee50
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java 9043439

Diff: https://reviews.apache.org/r/40476/diff/


Testing
-------

Unit tests done.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:44 h
[INFO] Finished at: 2015-11-19T06:37:18+00:00
[INFO] Final Memory: 48M/734M
[INFO] ------------------------------------------------------------------------


Thanks,

Oliver Szabo
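
An added illustration, not code from this review request or from Ambari: a small filter evaluator run over a constructed directory, showing why a unique-user lookup with "(uid={username})" is ambiguous when two entries share a uid and how the object class term narrows it to one. The entries, the default object class posixAccount, and the names escape, parse, search, find_unique_user and AmbiguousUser are all assumptions made for the example.

```python
import re
# Constructed directory (DNs and class names are made up, not a real FreeIPA
# layout): two entries share uid=jdoe but carry different object classes.
ENTRIES = {
    "uid=jdoe,cn=users,dc=example,dc=test":
        {"uid": ["jdoe"], "objectClass": ["person", "posixAccount"]},
    "uid=jdoe,cn=mirror,dc=example,dc=test":
        {"uid": ["jdoe"], "objectClass": ["exampleMirrorEntry"]},
    "uid=asmith,cn=users,dc=example,dc=test":
        {"uid": ["asmith"], "objectClass": ["person", "posixAccount"]},
}
OLD_FILTER = "(uid={username})"
NEW_FILTER = "(&(uid={username})(objectclass={userobjectclass}))"

class AmbiguousUser(Exception):
    """More than one entry matched a lookup that must be unique."""

def escape(value):
    # RFC 4515 escaping, so a login name cannot change the filter structure.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(f):
    """Turn '(attr=value)' or '(&(..)(..))' into a predicate over attributes."""
    if f.startswith("(&"):
        parts, depth, start = [], 0, 2
        for i in range(2, len(f) - 1):
            depth += (f[i] == "(") - (f[i] == ")")
            if depth == 0:  # a sub-filter just closed
                parts.append(parse(f[start:i + 1]))
                start = i + 1
        return lambda attrs: all(p(attrs) for p in parts)
    attr, value = f[1:-1].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    def match(attrs):  # attribute names and values compared case-insensitively
        vals = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
        return value.lower() in [v.lower() for v in vals]
    return match

def search(template, username, oc="posixAccount"):
    flt = template.format(username=escape(username), userobjectclass=escape(oc))
    pred = parse(flt)
    return [dn for dn, attrs in ENTRIES.items() if pred(attrs)]

def find_unique_user(template, username, oc="posixAccount"):
    """Fail closed: an authentication lookup must resolve to exactly one DN."""
    hits = search(template, username, oc)
    if len(hits) > 1:
        raise AmbiguousUser(f"{len(hits)} entries match {username!r}")
    return hits[0] if hits else None
```

With a wrong object class the lookup returns no entry at all, which is the case the description refers to when it calls the change relatively safe.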