hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12782) Faster LDAP group name resolution with ActiveDirectory
Date Fri, 18 Mar 2016 15:12:34 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Wei-Chiu Chuang updated HADOOP-12782:
    Attachment: HADOOP-12782.003.patch

Described this experimental feature in the documentation.
Fast lookup is enabled by setting {{hadoop.security.group.mapping.ldap.search.attr.memberof}}
to {{memberOf}}, or any other non-empty value. Hadoop will lookup this attribute in the returned
user object if this property is set. If the fast lookup fails or disabled (by default), Hadoop
send two LDAP queries for group name resolution.

I have tested this patch against our internal Active Directory server and it worked as expected.

So far, I have not yet found any LDAP servers other than MS AD that support this feature.
Most other LDAP servers support user/group mapping by following RFC-2307 (An Approach for
Using LDAP as a Network Information Service). RFC-2307 defines {{posixAccount}} and {{posixGroup}}
objectClass; the former has attributes {{uidNumber}} and {{gidNumber}}, which are numerical
numbers, and therefore it is not possible to get group names from looking up the user object.

> Faster LDAP group name resolution with ActiveDirectory
> ------------------------------------------------------
>                 Key: HADOOP-12782
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12782
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>         Attachments: HADOOP-12782.001.patch, HADOOP-12782.002.patch, HADOOP-12782.003.patch
> The typical LDAP group name resolution works well under typical scenarios. However, we
have seen cases where a user is mapped to many groups (in an extreme case, a user is mapped
to more than 100 groups). The way it's being implemented now makes this case super slow resolving
groups from ActiveDirectory.
> The current LDAP group resolution implementation sends two queries to a ActiveDirectory
server. The first query returns a user object, which contains DN (distinguished name). The
second query looks for groups where the user DN is a member. If a user is mapped to many groups,
the second query returns all group objects associated with the user, and is thus very slow.
> After studying a user object in ActiveDirectory, I found a user object actually contains
a "memberOf" field, which is the DN of all group objects where the user belongs to. Assuming
that an organization has no recursive group relation (that is, a user A is a member of group
G1, and group G1 is a member of group G2), we can use this properties to avoid the second
query, which can potentially run very slow.
> I propose that we add a configuration to only enable this feature for users who want
to reduce group resolution time and who does not have recursive groups, so that existing behavior
will not be broken.

This message was sent by Atlassian JIRA

View raw message