GitHub user VipinRathor reopened a pull request:

    https://github.com/apache/zeppelin/pull/2414

    [ZEPPELIN-2657] Add group search filter option to LdapRealm

    ### What is this PR for?
    Problem:
    While performing LDAP authentication, the current Shiro module does a
    group=* search while trying to get the group-to-role mapping for any LDAP
    user. On a large LDAP directory, this is a serious problem which might
    render the RolesByGroup feature not working as expected.
    
    Fix:
    Currently, while doing LDAP authentication, there is no available option
    to limit the group search results to only the groups that the user is
    interested in. This bug addresses the same and adds a group search filter
    to the Shiro configuration for LdapRealm, which will allow the user to
    define a search filter and limit the group search results.
    
    
    ### What type of PR is it?
    Improvement
    
    
    ### What is the Jira issue?
    * [ZEPPELIN-2657] https://issues.apache.org/jira/browse/ZEPPELIN-2657
    
    
    ### How should this be tested?
    1. Use org.apache.zeppelin.realm.LdapRealm as Shiro realm
    2. In the shiro_ini configuration, define a group search filter like this:
    ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
    or
    ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(cn=zeppelin-users*))
    3. Also define other LdapRealm parameters as necessary, like rolesByGroup
    etc.
    4. When an LDAP user who is part of a group that matches the filter above
    logs in, the roles are applied. If the LDAP user is not part of these
    defined groups, then the roles are not applied.
    
    ### Questions:
    * Do the license files need an update? N/A
    * Are there breaking changes for older versions? N/A
    * Does this need documentation? N/A


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/VipinRathor/zeppelin ZEPPELIN-2657

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/2414.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2414
    
----
commit ba0412c8bcc57dd8e8efb25419c151c6b699d74d
Author: Vipin Rathor <v.rat...@gmail.com>
Date:   2017-06-15T19:13:21Z

    ZEPPELIN-2657 Add group search filter option to LdapRealm
    
    This commit adds a new option to LdapRealm to limit group search in LDAP.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
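
How the two filters from the test steps narrow the set of groups available for role mapping, as an added example that is not part of the pull request or of Zeppelin's code. The directory entries, DNs and helper names are constructed; it assumes `{0}` is replaced by the user's DN, uses `(objectclass=*)` as a stand-in for the unrestricted search, and simplifies matching to case-insensitive string comparison.

```python
import re

ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"
# Constructed directory entries (not real data).
DIRECTORY = [
    {"objectclass": ["groupOfNames"], "cn": ["zeppelin-users-eu"], "member": [ALICE]},
    {"objectclass": ["groupOfNames"], "cn": ["hr"], "member": [ALICE, BOB]},
    {"objectclass": ["groupOfNames"], "cn": ["finance"], "member": [BOB]},
    {"objectclass": ["device"], "cn": ["printer-42"]},
]

def escape_value(value):
    """RFC 4515 escaping so a substituted value is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse(f, i=0):
    """Parse one '(...)' filter starting at f[i]; return (node, next index)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    # '*' is a wildcard; escaped sequences such as \2a are literals.
    pattern = ".*".join(re.escape(unescape(p)) for p in node[2].split("*"))
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in entry.get(node[1], []))

def search_groups(filter_template, user_dn):
    """Expand {0}, run the filter, return the cn of each matching entry."""
    node, _ = parse(filter_template.replace("{0}", escape_value(user_dn)))
    return sorted(e["cn"][0] for e in DIRECTORY if matches(node, e))
```

With the `member={0}` filter only the groups the user belongs to come back, while the `cn=zeppelin-users*` filter selects groups by name regardless of membership, so role mapping in that case still depends on the realm's own membership check.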
