[ https://issues.apache.org/jira/browse/AMBARI-15554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastian Toader updated AMBARI-15554:
--------------------------------------
    Attachment: AMBARI-15554.v1.patch

> Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15554
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15554
>             Project: Ambari
>          Issue Type: New Feature
>          Components: ambari-server, ambari-web
>    Affects Versions: 2.1.1
>            Reporter: Sebastian Toader
>            Assignee: Sebastian Toader
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-15554.v1.patch
>
>
> *Problem:*
> In case LDAP is set up with multiple Domains which are joined into a Forest with trusts between the different Domains, users may appear in different locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to search the whole forest, and as the users appearing in multiple domains are identical, Ambari cannot filter out all but one of the user entries.
> This leads to the following error message when they try to log in to Ambari with one of the users that has multiple entries:
> {code}
> ServletHandler:563 - /api/v1/users/USERNAME
> org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243)
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
>     at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
>     at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793)
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196)
>     at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
>     at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
>     at org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53)
>     at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
>     at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
>     at org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209)
>     at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198)
>     at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
>     at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     at java.lang.Thread.run(Thread.java:745)
> {code}
> *Solution:*
> If the LDAP search upon login to Ambari leads to multiple user matches because the user appears in multiple domains, show an error message to the user prompting them to provide the domain as well to log in (e.g. _Login Failed: Please append your domain to your username and try again. Example: username@domain_).
> When the user provides domain information at login as well, Ambari looks up the user in LDAP using a different filter, which is configurable. If this configuration is not set, Ambari defaults to filtering by _userPrincipalName_.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
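
The lookup behaviour proposed in the issue, as an added Java example that is not Ambari's code or the attached patch: a bare username that matches several entries is refused with the prompt from the issue, and a `username@domain` login is resolved through the alternate filter. The in-memory `FOREST` list, the `uid` attribute for bare usernames, the `example.com` entries and the generic "Login Failed" text are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

class DuplicateLdapUserDemo {
    // Constructed sample forest: "jdoe" exists in two trusted domains (needs Java 9+).
    static final List<Map<String, String>> FOREST = List.of(
        Map.of("dn", "CN=jdoe,OU=Users,DC=emea,DC=example,DC=com",
               "uid", "jdoe", "userPrincipalName", "jdoe@emea.example.com"),
        Map.of("dn", "CN=jdoe,OU=Users,DC=apac,DC=example,DC=com",
               "uid", "jdoe", "userPrincipalName", "jdoe@apac.example.com"));
    // RFC 4515 escaping so the login name cannot change the filter's structure.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Assumption: "uid" is the normal lookup attribute; a name@domain login switches to
    // the alternate attribute, userPrincipalName being the default named in the issue.
    static String attributeFor(String login) { return login.contains("@") ? "userPrincipalName" : "uid"; }
    static String filterFor(String login) { return "(" + attributeFor(login) + "=" + escape(login) + ")"; }

    // Stand-in for the directory search: exact, case-insensitive match over FOREST.
    static List<String> search(String login) {
        List<String> dns = new ArrayList<>();
        for (Map<String, String> e : FOREST) {
            if (login.equalsIgnoreCase(e.get(attributeFor(login)))) dns.add(e.get("dn"));
        }
        return dns;
    }

    // An ambiguous result is refused with the issue's prompt, never bound to the first hit.
    static String resolve(String login) {
        List<String> dns = search(login);
        if (dns.size() == 1) return "bind as " + dns.get(0);
        if (dns.isEmpty()) return "Login Failed"; // constructed generic message
        return "Login Failed: Please append your domain to your username and try again. "
             + "Example: username@domain";
    }
    public static void main(String[] args) {
        for (String login : new String[] {"jdoe", "jdoe@emea.example.com", "j*"}) {
            System.out.println(filterFor(login) + " -> " + resolve(login));
        }
    }
}
```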