HPCC-19884 Allow for HPCC to use other "adminstrators" group #12421

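--- a/esp/scm/ws_access.ecm
+++ b/esp/scm/ws_access.ecm
@@ -128,6 +128,7 @@ ESPrequest UserEditRequest
 ESPresponse UserEditResponse
 {
 string username;
+[min_ver("1.13")] bool isLDAPAdmin;
 ESParray<ESPstruct GroupInfo, Group> Groups;
 };
 
@@ -977,7 +978,7 @@ ESPresponse [nil_remove] UserAccountExportResponse
 [http_content("application/octet-stream")] binary Result;
 };
 
-ESPservice [version("1.12"), auth_feature("NONE"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
+ESPservice [version("1.13"), auth_feature("NONE"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
 {
 ESPmethod [client_xslt("/esp/xslt/access_users.xslt")] Users(UserRequest, UserResponse);
 ESPmethod [client_xslt("/esp/xslt/access_useredit.xslt")] UserEdit(UserEditRequest, UserEditResponse);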
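--- a/esp/services/ws_access/ws_accessService.cpp
+++ b/esp/services/ws_access/ws_accessService.cpp
@@ -583,6 +583,9 @@ bool Cws_accessEx::onUserEdit(IEspContext &context, IEspUserEditRequest &req, IE
 throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
 CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
 resp.setUsername(req.getUsername());
+double version = context.getClientVersion();
+if (version >= 1.13)
+resp.setIsLDAPAdmin(ldapsecmgr->isSuperUser(context.queryUser()));
 
 StringArray groupnames;
 ldapsecmgr->getGroups(req.getUsername(), groupnames);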
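Review bot: The new `isLDAPAdmin` value is computed for `context.queryUser()`, the caller, while every other field set in this response (`setUsername(req.getUsername())`, the groups looked up just below) describes the user being edited. If the flag is meant to say whether the edited user is an LDAP administrator it should be derived from `req.getUsername()` instead; if it is meant for the caller, so the UI can decide what to show, which seems the likelier intent, the mismatch deserves a comment such as `// isLDAPAdmin reports whether the *calling* user is an LDAP superuser, not the user being edited`. Nothing in the hunk guards against `context.queryUser()` returning null, and whether isSuperUser tolerates that is not visible here. onUserEdit begins before the hunk and continues after it.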
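--- a/initfiles/componentfiles/configxml/ldapserver.xsd
+++ b/initfiles/componentfiles/configxml/ldapserver.xsd
@@ -146,6 +146,13 @@
 </xs:appinfo>
 </xs:annotation>
 </xs:attribute>
+<xs:attribute name="adminGroupName" type="xs:string" use="optional" default="Administrators">
+<xs:annotation>
+<xs:appinfo>
+<tooltip>The Active Directory group containing HPCC Administrators</tooltip>
+</xs:appinfo>
+</xs:annotation>
+</xs:attribute>
 <xs:attribute name="ldapPort" type="xs:nonNegativeInteger" use="optional" default="389">
 <xs:annotation>
 <xs:appinfo>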
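Review bot: The schema default `default="Administrators"` and the tooltip describe only the Active Directory case, yet the same attribute is consumed for OpenLDAP and iPlanet servers, where the code in ldapconnection.cpp falls back to `Directory Administrators` only when the attribute is empty. If the configuration tool materialises schema defaults, a non-AD deployment would get `Administrators` written into its config and the superuser check would point at a group that may not exist on that server. Consider dropping the schema default so the server-type-aware fallback applies, and rewording the tooltip to `<tooltip>The LDAP group whose members are HPCC Administrators (defaults to Administrators on Active Directory, Directory Administrators on OpenLDAP/iPlanet)</tooltip>`.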
26 changes: 19 additions & 7 deletions system/security/LdapSecurity/ldapconnection.cpp
Expand Up @@ -250,6 +250,7 @@ class CLdapConfig : implements ILdapConfig, public CInterface

int m_ldapport;
int m_ldap_secure_port;
StringBuffer m_adminGroupName;
StringBuffer m_protocol;
StringBuffer m_basedn;
StringBuffer m_domain;
Expand Down Expand Up @@ -393,6 +394,12 @@ class CLdapConfig : implements ILdapConfig, public CInterface
{
throw MakeStringException(-1, "getServerInfo error - %s", ldap_err2string(rc));
}

m_adminGroupName.clear();
cfg->getProp(".//@adminGroupName", m_adminGroupName);
if(m_adminGroupName.isEmpty())
m_adminGroupName.set(m_serverType == ACTIVE_DIRECTORY ? "Administrators" : "Directory Administrators");

const char* basedn = cfg->queryProp(".//@commonBasedn");
if(basedn == NULL || *basedn == '\0')
{
Expand Down Expand Up @@ -531,6 +538,11 @@ class CLdapConfig : implements ILdapConfig, public CInterface
m_sdfieldname.append("aci");
}

virtual const char * getAdminGroupName()
{
return m_adminGroupName.str();
}

virtual LdapServerType getServerType()
{
return m_serverType;
Expand Down Expand Up @@ -4922,16 +4934,16 @@ class CLdapClient : implements ILdapClient, public CInterface
LdapServerType stype = m_ldapconfig->getServerType();
if(stype == ACTIVE_DIRECTORY)
{
groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
}
else if(stype == IPLANET)
{
groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
if (0 == stricmp(m_ldapconfig->getAdminGroupName(), "Administrators"))
groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
else
groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), m_ldapconfig->getGroupBasedn());
getGroupBasedn() or getBasedn()?

Administrators is an LDAP system group and is stored in a different location (baseDN) than user groups (GroupsBaseDN)

}
else if(stype == OPEN_LDAP)
else if(stype == IPLANET || stype == OPEN_LDAP)
{
groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), m_ldapconfig->getBasedn());
}

}

virtual void changeUserMemberOf(const char* action, const char* userdn, const char* groupdn)
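Review bot: The configured group name is pasted into a DN unescaped by `groupdn.appendf("cn=%s,%s", m_ldapconfig->getAdminGroupName(), ...)` in both the Active Directory branch and the iPlanet/OpenLDAP branch, and that DN is what the superuser check is built on; a value containing DN-special characters (comma, plus, double quote, backslash, angle brackets, semicolon, equals, leading or trailing spaces) yields a malformed or unintended DN rather than an error. Since the value is read exactly once in CLdapConfig (`cfg->getProp(".//@adminGroupName", m_adminGroupName)`), that is the place to validate it, rejecting names with those characters or escaping them per RFC 4514, so the DN-building code can trust what it receives. The `0 == stricmp(m_ldapconfig->getAdminGroupName(), "Administrators")` test also means any case variant of the name selects the `cn=Builtin` container; if that is intended because AD group names are case-insensitive, a one-line comment saying so would help the next reader. The enclosing function starts before the hunk.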