From: "Hudson (JIRA)"
To: issues@ambari.apache.org
Reply-To: dev@ambari.apache.org
Date: Mon, 28 Mar 2016 17:54:25 +0000 (UTC)
Subject: [jira] [Commented] (AMBARI-15554) Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user

    [ https://issues.apache.org/jira/browse/AMBARI-15554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15214566#comment-15214566 ]

Hudson commented on AMBARI-15554:
---------------------------------

ABORTED: Integrated in Ambari-trunk-Commit #4550 (See [https://builds.apache.org/job/Ambari-trunk-Commit/4550/])
AMBARI-15554. Ambari LDAP integration cannot handle LDAP directories (stoader: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=71b4c624fb219bb1626c238322bda6c2e5589f72])
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
* ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderForDuplicateUserTest.java
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/DuplicateLdapUserFoundAuthenticationException.java
* ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
* ambari-web/test/controllers/login_controller_test.js
* ambari-server/src/test/resources/users_with_duplicate_uid.ldif
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProviderTest.java
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthentication.java
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapUtils.java
* ambari-server/pom.xml
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
* ambari-server/src/main/java/org/apache/ambari/server/api/UserNameOverrideFilter.java
* ambari-web/app/router.js
* ambari-server/src/test/java/org/apache/ambari/server/security/AmbariLdapUtilsTest.java
* ambari-server/src/test/resources/users.ldif
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticator.java
* ambari-server/conf/unix/log4j.properties
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/LdapServerPropertiesTest.java
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationHelperTest.java
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariLdapBindAuthenticatorTest.java
* ambari-server/src/test/java/org/apache/ambari/server/api/UserNameOverrideFilterTest.java
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java
* ambari-web/app/controllers/login_controller.js
* ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
* ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml
* ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthenticationTest.java

> Ambari LDAP integration cannot handle LDAP directories with multiple entries for the same user
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15554
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15554
>             Project: Ambari
>          Issue Type: New Feature
>          Components: ambari-server, ambari-web
>    Affects Versions: 2.1.1
>            Reporter: Sebastian Toader
>            Assignee: Sebastian Toader
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-15554.v2.patch
>
>
> *Problem:*
> In case LDAP is set up with multiple Domains which are joined into a Forest with trusts between the different Domains, users may appear in different locations in LDAP.
> Since users who want to access Ambari can be in any domain, Ambari has to search the whole forest, and as the users appearing in multiple domains are identical, Ambari cannot filter out all but one of the user entries.
> This leads to the following error message when they try to log in to Ambari with one of the users that has multiple entries:
> {code}
> ServletHandler:563 - /api/v1/users/USERNAME
> org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243)
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
>     at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
>     at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793)
>     at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196)
>     at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
>     at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
>     at org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53)
>     at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
>     at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
>     at org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
>     at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209)
>     at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198)
>     at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     at org.eclipse.jetty.server.Server.handle(Server.java:370)
>     at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
>     at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
>     at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     at java.lang.Thread.run(Thread.java:745)
> {code}
> *Solution:*
> If the LDAP search upon login to Ambari leads to multiple user matches because the user appears in multiple domains, show an error message to the user prompting them to provide the domain as well to log in. (e.g. _Login Failed: Please append your domain to your username and try again. Example: username@domain_)
> When the user provides domain information at login as well, Ambari looks up the user in LDAP using a different filter, which is configurable. If this configuration is not set, Ambari defaults to filter by _userPrincipalName_



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
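
Added example, not part of the original message or of the Ambari patch: a Python model of the lookup the quoted Solution describes, which refuses to authenticate when a forest-wide search is ambiguous and switches to a userPrincipalName filter when a domain is supplied. Assumptions: the `uid` username attribute, the "@" test for a supplied domain, the exception names and the constructed directory entries are all hypothetical; the search is an in-memory stand-in for a real LDAP query.

```python
import re

# Constructed sample data: one person with an entry in two domains of a forest.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=Users,DC=emea,DC=example,DC=com",
     "uid": "jdoe", "userPrincipalName": "jdoe@emea.example.com"},
    {"dn": "CN=jdoe,OU=Users,DC=apac,DC=example,DC=com",
     "uid": "jdoe", "userPrincipalName": "jdoe@apac.example.com"},
    {"dn": "CN=asmith,OU=Users,DC=emea,DC=example,DC=com",
     "uid": "asmith", "userPrincipalName": "asmith@emea.example.com"},
]
DUPLICATE_MSG = ("Login Failed: Please append your domain to your username "
                 "and try again. Example: username@domain")

class UserNotFound(Exception):
    """No entry matched the login name."""

class DuplicateUserFound(Exception):
    """Hypothetical name: several entries matched, so no bind is attempted."""

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(login, user_attr="uid", alt_attr="userPrincipalName"):
    """Assumption: an '@' in the login means the user supplied a domain."""
    attr = alt_attr if "@" in login else user_attr
    return "(%s=%s)" % (attr, escape_filter_value(login))

def search(ldap_filter):
    """Stand-in for the forest-wide search; understands only (attr=value)."""
    attr, value = ldap_filter[1:-1].split("=", 1)
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [e for e in DIRECTORY if e.get(attr, "").lower() == value.lower()]

def resolve_user_dn(login):
    """Return the single DN to bind as, or fail closed with a clear error."""
    matches = search(build_filter(login))
    if not matches:
        raise UserNotFound(login)
    if len(matches) > 1:
        raise DuplicateUserFound(DUPLICATE_MSG)
    return matches[0]["dn"]
```

Picking the first of several matches instead of raising would bind the password against whichever entry the directory happened to return first, which is why the ambiguous case is treated as a failed login.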