> On Feb. 19, 2017, 10:34 p.m., Selvamohan Neethiraj wrote:
> > Can you please provide a little more detail on how the manual testing was
> > done. This would be helpful for the reviewer ....
>
> Yan Zhou wrote:
>     With the fix, the user sync is run ok without the exception after the
>     removal of the "short user name" from the "or" logic for the group search,
>     leaving only the full DN as the user name for the group search. Before the
>     fix, the same search caused the InvalidNameException to be thrown from the
>     LDAP server.
>
>     As stated in the Jira, apparently the problem is only with some LDAP
>     servers. Using the Apache LDAP server in the Ranger automated user sync
>     test, TestLdapUserGroup, the failure can't be reproduced.
>
> Sailaja Polavarapu wrote:
>     Hi Yan Zhou,
>     Can you please provide some details on the sample schema or ldapsearch
>     output of a user and a group on your ldap server? And also, can you provide
>     some details on the ldap server? I have an openldap server with posixUser
>     and posixGroup accounts and couldn't repro this issue. And also, as you
>     mentioned, the unit test cases use Apache Ldap server and those pass as well.
>     Also, one quick feedback on the changes -
>     "useShortUserNameInGroupSearch" is set to true only when the
>     groupObjectClass is set to posixGroup. This may not be the right assumption,
>     as there may be a possibility that the groupObjectClass is set to "top" and
>     the group member attribute can still be configured with the user's short
>     name, right?
>
>     Thanks,
>     Sailaja.

It is an IBM Tivoli Directory Server 6.4. What other LDAP server details do you want to see?

As for the check on "posixGroup", I did some investigation on the internet, and it appeared that only this would require a group search based on short user names. And also the test cases introduced in Ranger-893 only cover the "posixGroup". Probably we need to have a more accurate condition to allow and disallow for group search based on short user names. Any suggestions are welcome.

- Yan

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56829/#review166044
-----------------------------------------------------------

On Feb. 19, 2017, 10:30 p.m., Yan Zhou wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56829/
> -----------------------------------------------------------
>
> (Updated Feb. 19, 2017, 10:30 p.m.)
>
>
> Review request for ranger.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Some LDAP servers throw exception on group search on posix user names that
> are not full DNs.
>
>
> Diffs
> -----
>
>   ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 8cf6816
>   ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 070a39b
>
> Diff: https://reviews.apache.org/r/56829/diff/
>
>
> Testing
> -------
>
> Manual
>
>
> Thanks,
>
> Yan Zhou
>
