hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9477) posixGroups support for LDAP groups mapping service
Date Fri, 26 Apr 2013 21:14:16 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13643250#comment-13643250 ]

Kai Zheng commented on HADOOP-9477:
-----------------------------------

Hi Daryn,
 
Thanks for your comment.

For posixGroups, a possible procedure can be:
userDn = ldap_lookup( (&(objectClass=posixAccount)(uid={0})) )
gidNumberX = userDn.gidNumber
groupDn = ldap_lookup((&(objectClass=posixGroup)(gidNumber={0})), gidNumberX )
Then groupDn is the expected group for that user.
Note here one user may have more groups.
 
For the member attribute, it can only be used for a group like:
objectClass: XGroup
groupName: testgroup
member: user1
member: user2
…
 
For such a group, the procedure is something like the one below, as the current LdapGroupsMapping does:
userDn = ...
username = userDn.name
groupDn = ldap_lookup((&(objectClass=XGroup)(member={0})), username)
Then groupDn is the expected group for that user.

As you can see, the procedure for posixGroups is different from the current implementation. That’s why it requires extra effort.
                
> posixGroups support for LDAP groups mapping service
> ---------------------------------------------------
>
>                 Key: HADOOP-9477
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9477
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 2.0.5-beta
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It would be nice to support posixGroups for LdapGroupsMapping service. Below is from
> current description for the provider:
> hadoop.security.group.mapping.ldap.search.filter.group:
> An additional filter to use when searching for LDAP groups. This should be
> changed when resolving groups against a non-Active Directory installation.
> posixGroups are currently not a supported group class.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
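
The posixGroups procedure from the comment above, as an added Python example (not part of the original message and not Hadoop's LdapGroupsMapping code). The directory entries and function names are constructed for illustration; the supplementary-group lookup through the RFC 2307 `memberUid` attribute and the RFC 4515 escaping of the value substituted for `{0}` go beyond what the message describes.

```python
import re

# Constructed sample directory (not from the page), RFC 2307 style entries.
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1001"]},
    {"objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["1001"]},
    {"objectClass": ["posixGroup"], "cn": ["hadoop"], "gidNumber": ["2001"],
     "memberUid": ["alice"]},
    {"objectClass": ["posixGroup"], "cn": ["admins"], "gidNumber": ["0"],
     "memberUid": ["root"]},
]

def escape_filter_value(value):
    """Escape per RFC 4515 so a user name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    """Reverse the \\XX escapes before comparing against stored values."""
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ldap_lookup(filter_template, arg):
    """Hypothetical stand-in for an LDAP search; handles (&(attr=value)...) only."""
    flt = filter_template.replace("{0}", escape_filter_value(arg))
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", flt)
    return [entry for entry in DIRECTORY
            if all(_unescape(v) in entry.get(a, []) for a, v in terms)]

def posix_groups(username):
    """Primary group via the user's gidNumber, plus groups listing memberUid."""
    groups = []
    for user in ldap_lookup("(&(objectClass=posixAccount)(uid={0}))", username):
        for gid in user["gidNumber"]:
            groups += ldap_lookup("(&(objectClass=posixGroup)(gidNumber={0}))", gid)
    # Supplementary groups: one user may belong to more than one group.
    groups += ldap_lookup("(&(objectClass=posixGroup)(memberUid={0}))", username)
    return sorted({g["cn"][0] for g in groups})

if __name__ == "__main__":
    print(posix_groups("alice"))
```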
