[ https://issues.apache.org/jira/browse/AMBARI-16875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivér Szabó updated AMBARI-16875:
----------------------------------

Description:

In case the member attribute value looks like this: "<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org", then sync stops working.

Adding 2 new properties (to find the DN or the id of the member):
{{"authentication.ldap.sync.userMemberReplacePattern"}}
{{"authentication.ldap.sync.groupMemberReplacePattern"}}
These values are empty by default.

Example usage:
If we got this as ldapsearch response for group member
"member="<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org",
we need to define a regex which contains a member group to specify the location of the DN or id, e.g. {{(?<member>.*)}}
authentication.ldap.sync.userMemberReplacePattern={{(?<sid>.*);(?<guid>.*);(?<member>.*)}}
Then the result will be: "cn=myCn,dc=apache,dc=org"

Also added 2 other new properties for an alternative solution:
{{"authentication.ldap.sync.userMemberFilter"}}
{{"authentication.ldap.sync.groupMemberFilter"}}
These values are also empty by default.

Example usage:
memberUid=mymemberId
then you can specify the filter for user sync:
{{
authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid=\{member\}))
}}
That filter will be used (with the baseDN) to gather the user with the memberUid:
{{(&(objectclass=posixaccount)(uid=mymemberid))}}

was:

In case the member attribute value looks like this: "<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org", then sync stops working.

Adding 2 new properties (to find the DN or the id of the member):
{{"authentication.ldap.sync.userMemberReplacePattern"}}
{{"authentication.ldap.sync.groupMemberReplacePattern"}}
These values are empty by default.

Example usage:
If we got this as ldapsearch response for group member
"member="<SID=...>;<GUID=...>;cn=myCn,dc=apache,dc=org",
we need to define a regex which contains a member group to specify the location of the DN or id, e.g. {{(?<member>.*)}}
authentication.ldap.sync.userMemberReplacePattern={{(?<sid>.*);(?<guid>.*);(?<member>.*)}}
Then the result will be: "cn=myCn,dc=apache,dc=org"

Also added 2 other new properties for an alternative solution:
{{"authentication.ldap.sync.userMemberFilter"}}
{{"authentication.ldap.sync.groupMemberFilter"}}
These values are also empty by default.

Example usage:
memberUid=mymemberId
then you can specify the filter for user sync:
{{
authentication.ldap.sync.userMemberFilter=(&(objectclass=posixaccount)(uid={member}))
}}
That filter will be used (with the baseDN) to gather the user with the memberUid:
{{(&(objectclass=posixaccount)(uid=mymemberid))}}

> LDAP sync cannot handle if the member attribute value is not DN or id
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-16875
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16875
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Olivér Szabó
>            Assignee: Olivér Szabó
>            Priority: Critical
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16875.patch
>
> (issue description as in the updated Description above)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
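A Python sketch of the two mechanisms the ticket describes, added here as an illustration and not code from the Ambari patch: it applies a `*MemberReplacePattern` whose named `member` group selects the DN out of a constructed `<SID=...>;<GUID=...>;cn=...` member value, and it substitutes a resolved member into a `*MemberFilter` template. Assumptions: Java's `(?<name>...)` group syntax is mapped to Python's `(?P<name>...)`, the JIRA-escaped `\*` in the description stands for a literal `*`, and the substituted value is RFC 4515-escaped before insertion, which is this example's own hardening and is not stated on the page.

```python
import re

# Constructed sample values mirroring the ticket (not from a real directory).
MEMBER_VALUE = "<SID=S-1-5-21-1>;<GUID=0123>;cn=myCn,dc=apache,dc=org"
USER_MEMBER_REPLACE_PATTERN = "(?<sid>.*);(?<guid>.*);(?<member>.*)"
USER_MEMBER_FILTER = "(&(objectclass=posixaccount)(uid={member}))"


def _to_python_regex(java_pattern: str) -> str:
    """Java writes named groups as (?<name>...); Python's re wants (?P<name>...).
    The lookahead for a letter leaves lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", java_pattern)


def extract_member(raw_value: str, replace_pattern: str) -> str:
    """Apply a *MemberReplacePattern: the 'member' group yields the DN or id.
    An empty pattern (the default) leaves the attribute value unchanged."""
    if not replace_pattern:
        return raw_value
    match = re.fullmatch(_to_python_regex(replace_pattern), raw_value)
    if match is None or "member" not in match.groupdict():
        raise ValueError("replace pattern did not match or has no (?<member>) group")
    return match.group("member")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter:
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_member_filter(filter_template: str, member: str) -> str:
    """Substitute the resolved member into a *MemberFilter template.
    Escaping first keeps a crafted attribute value inside the (uid=...) assertion
    instead of letting it alter the filter's structure (this example's choice)."""
    return filter_template.replace("{member}", escape_filter_value(member))
```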