[ https://issues.apache.org/jira/browse/HIVE-4707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13749308#comment-13749308 ]
Mikhail Antonov commented on HIVE-4707:
---------------------------------------

There's an email thread regarding LDAP auth for openldap:
http://osdir.com/ml/general/2013-08/msg42378.html

Essentially, if baseDN isn't set, then the bind string is formed as follows:

    // setup the security principal
    String bindDN;
    if (baseDN != null) {
      bindDN = "uid=" + user + "," + baseDN;
    } else {
      bindDN = user;
    }

There should be some configuration allowing people to customize this bind string, for example to use cn= instead of uid=.

Can provide a patch if wanted.

> Support configurable domain name for HiveServer2 LDAP authentication using Active Directory
> -------------------------------------------------------------------------------------------
>
>                 Key: HIVE-4707
>                 URL: https://issues.apache.org/jira/browse/HIVE-4707
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>    Affects Versions: 0.11.0
>            Reporter: Prasad Mujumdar
>            Assignee: Prasad Mujumdar
>             Fix For: 0.12.0
>
>         Attachments: HIVE-4707-1.patch
>
>
> LDAP providers like Active Directory use a fully qualified user name in
> user@domain format. For HiveServer2 LDAP auth can be used with active
> directory by passing the userid in that format. This causes hive
> authentication module to return the username in that mangled format. This
> prohibits LDAP users to be impersonated over secure hadoop or reported
> correctly in audit etc.
> HiveServer2 should support a configurable LDAP domain that is appended to the
> user name.
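A sketch of the configurability discussed in this thread, added here as an example and not taken from Hive or from HIVE-4707-1.patch. The class, the `rdnAttr` and `domain` parameters and the sample values are hypothetical, and the example additionally escapes the user name per RFC 4514 before placing it in a DN.

```java
import javax.naming.ldap.Rdn;

// Added illustration; class, method and parameter names are hypothetical, not Hive's.
public class BindPrincipalExample {

    /** Short name reported for audit/impersonation: strip a trailing @domain if present. */
    static String shortName(String user) {
        int at = user.indexOf('@');
        return at > 0 ? user.substring(0, at) : user;
    }

    /**
     * Principal sent in the LDAP bind.
     * rdnAttr: hypothetical setting such as "uid" or "cn"; baseDN and domain may be null.
     */
    static String bindPrincipal(String user, String rdnAttr, String baseDN, String domain) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("empty user name");
        }
        if (baseDN != null) {
            // RFC 4514 escaping keeps characters such as ',' or '+' in the user
            // name from changing the structure of the DN.
            return rdnAttr + "=" + Rdn.escapeValue(shortName(user)) + "," + baseDN;
        }
        if (domain != null && user.indexOf('@') < 0) {
            return user + "@" + domain; // Active Directory user@domain form
        }
        return user; // same fallback as the snippet quoted in the comment
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String[][] cases = {
            {"alice", "uid", "ou=people,dc=example,dc=com", null},
            {"alice", "cn", "ou=people,dc=example,dc=com", null},
            {"alice", "uid", null, "example.com"},
            {"alice@example.com", "uid", null, "example.com"},
            {"a,ou=admins", "uid", "ou=people,dc=example,dc=com", null},
        };
        for (String[] c : cases) {
            System.out.printf("%-20s -> bind=%s short=%s%n",
                c[0], bindPrincipal(c[0], c[1], c[2], c[3]), shortName(c[0]));
        }
    }
}
```

The short name, not the bind principal, is what downstream impersonation and audit code would receive in this sketch.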