Allow complex expressions in external authentication LDAP search filters (#163)

* Add option for complex LDAP search filters. Older implementation assumed all ldap filters end with "={0}". This newer implementation allows the user to craft any legal filter expression, including complex compound expressions, like ((&(member={0})(objectclass=posixgroup)(!(cn=admin))). This example would handle the IPA group search filter for ECS 1.5.x

Signed-off-by: Chuck Levesque <clevesque@cloudera.com>
clevesque authored Dec 6, 2023
1 parent 90c8f98 commit b5b5c88
Showing 1 changed file with 9 additions and 1 deletion.
Expand Up @@ -14,16 +14,24 @@ LDAP_BIND_DN: {{ auth_provider.ldap_bind_user_dn | default(None) }}
LDAP_BIND_PW: {{ auth_provider.ldap_bind_password | default(None) }}
LDAP_DN_PATTERN: {{ auth_provider.ldap_dn_pattern | default(None) }}
LDAP_GROUP_SEARCH_BASE: {{ auth_provider.ldap_search_base.group | default(None) }}
{% if auth_provider.ldap_search_filter.group is defined %}
LDAP_GROUP_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.group }}"
{% else %}
LDAP_GROUP_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.member | default('member') }}={0})"
{% endif %}
LDAP_TYPE: {{ auth_provider.type | cloudera.cluster.to_ldap_type_enum | default(None) }}
LDAP_URL: {{ auth_provider.ldap_url | default(None) }}
LDAP_USER_SEARCH_BASE: {{ auth_provider.ldap_search_base.user | default(None) }}
{% if auth_provider.ldap_search_filter.user is defined %}
LDAP_USER_SEARCH_FILTER: "{{ auth_provider.ldap_search_filter.user }}"
{% else % }
LDAP_USER_SEARCH_FILTER: "({{ auth_provider.ldap_attribute.user | default('sAMAccountName') }}={0})"
{% endif %}
NT_DOMAIN: {{ auth_provider.domain | default(None) }}
{% if cloudera_manager_version is version('7.1.0','>=') %}
FRONTEND_URL: {{ frontend_url | default(None) }}
PROXYUSER_KNOX_GROUPS: "{{ proxyuser_knox_groups | default('*') }}"
PROXYUSER_KNOX_USERS: "{{ proxyuser_knox_users | default('*') }}"
PROXYUSER_KNOX_HOSTS: "{{ proxyuser_knox_hosts | default('*') }}"
PROXYUSER_KNOX_PRINCIPAL: "{{ proxyuser_knox_principal | default('knox') }}"
{% endif %}
{% endif %}
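
Review bot: In the user-filter branch the tag is written `{% else % }`, with a space between `%` and `}`; Jinja2 does not read that as a closing block delimiter, so the template fails to parse. It should be `{% else %}`, matching the group-filter branch above it. Separately, both custom filters are emitted verbatim inside double quotes (`"{{ auth_provider.ldap_search_filter.user }}"`), so a filter that contains a double quote ends the quoted value early, and nothing checks that the supplied expression still contains the `{0}` placeholder the default filters rely on. Consider documenting next to these variables that `{0}` is required, and escaping or validating the value before it is written out.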
