[ https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658594#comment-16658594 ]
ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

Github user toyboxman commented on a diff in the pull request:

    https://github.com/apache/incubator-griffin/pull/441#discussion_r226904191

    --- Diff: service/src/main/java/org/apache/griffin/core/login/ldap/SelfSignedSocketFactory.java ---
    @@ -0,0 +1,68 @@
    +package org.apache.griffin.core.login.ldap;
    --- End diff --

    you should add apache license claim here

> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
>                 Key: GRIFFIN-207
>                 URL: https://issues.apache.org/jira/browse/GRIFFIN-207
>             Project: Griffin (Incubating)
>          Issue Type: Bug
>            Reporter: Nikolay Sokolov
>            Assignee: Nikolay Sokolov
>            Priority: Major
>
> Currently LDAP auth performs bind to principal with name
> "${username}${ldap.email}", and searches through user objects
> ldap.searchPattern. Result of search then only used to retrieve fullName of
> the user.
> There are two problems here:
> * login username can not be different than CN, as it is used to perform LDAP
> bind
> * it is not possible to restrict access to specific groups
> Typical approach used in other software products is to use separate bind
> account, which would search through LDAP objects using search pattern, and
> then use found object's DN to perform password check.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
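
Review bot: the new file's first line is `package org.apache.griffin.core.login.ldap;` (hunk `@@ -0,0 +1,68 @@`), so no license header precedes it; add the Apache License 2.0 header comment above the package statement. Only one of the 68 added lines is quoted here; given the file name SelfSignedSocketFactory, the class comment should also state what certificate checks the factory performs and which configuration enables it.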