[useradmin] HUE-9137 Enable Hue validate ldap_cert by default unless user configs it explicitly to false

Review Request #14736 — Created Feb. 3, 2020 and updated

weixia
hue
hue2020
HUE-9137
hue
bgooley, romain, yingc

Enable Hue validate ldap_cert by default unless user configs it explicitly to false

Upload the diff to secure and unsecure clusters

LDAP user can log in with the following configs:
ldaps+cert +validate(True)
ldaps+ no cert +validate(False)
ldaps cert validate(False)

Fails with error (ldaps + No Cert + Validate(True)) as expected:
[03/Feb/2020 11:53:44 -0800] forms ERROR LDAP auth error: LDAP_CERT is required when LDAPS or StartTLS is configured!
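The test matrix above boils down to one policy: certificate validation is on unless the operator explicitly turns it off, and a CA certificate becomes mandatory as soon as LDAPS or StartTLS is in play. The following is an added example (not Hue's code, and not the change under review) that resolves such a policy from configuration values; `resolve_tls_policy`, `LdapTlsPolicy` and `LdapConfigError` are hypothetical names. The `require_cert` value corresponds to what a python-ldap client would pass as `OPT_X_TLS_REQUIRE_CERT` (`OPT_X_TLS_DEMAND` to verify, `OPT_X_TLS_NEVER` to skip), with `ldap_cert` going to `OPT_X_TLS_CACERTFILE`.

```python
"""Added example (not Hue's code): resolving a 'validate the LDAP server
certificate by default' policy from configuration. All names here are
hypothetical, not Hue's configuration keys or functions."""
from dataclasses import dataclass
from typing import Optional


class LdapConfigError(ValueError):
    """Raised when the LDAP TLS configuration is incomplete or unsafe."""


@dataclass(frozen=True)
class LdapTlsPolicy:
    secure_transport: bool        # LDAPS or StartTLS in use
    ldap_cert: Optional[str]      # CA bundle used to verify the server, if any
    require_cert: Optional[str]   # "demand" (verify), "never" (skip), None (no TLS)


def resolve_tls_policy(ldap_url: str,
                       use_start_tls: bool = False,
                       ldap_cert: Optional[str] = None,
                       validate: Optional[bool] = None) -> LdapTlsPolicy:
    """Resolve the effective TLS policy for an LDAP connection.

    validate=None means "not configured by the operator"; it is treated as
    True, so validation is only disabled by an explicit False.
    """
    secure_transport = ldap_url.lower().startswith("ldaps://") or use_start_tls
    effective_validate = True if validate is None else validate

    if secure_transport and effective_validate and not ldap_cert:
        # Same failure the review request reports for ldaps + no cert + validate(True)
        raise LdapConfigError(
            "LDAP_CERT is required when LDAPS or StartTLS is configured!")

    if not secure_transport:
        # Plain ldap://: there is no TLS session to verify
        return LdapTlsPolicy(secure_transport=False, ldap_cert=None, require_cert=None)

    return LdapTlsPolicy(
        secure_transport=True,
        ldap_cert=ldap_cert,
        require_cert="demand" if effective_validate else "never",
    )
```

Note that the unsafe combination (LDAPS with validation skipped) is still reachable, but only by setting `validate=False` explicitly, which is exactly the point of changing the default.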

bgooley
  1. Authentication seems to work as expected.
    LDAP Sync has a couple of issues.

    (1)
    This should be LOG.error (not LOG.Error):
    In ldap_access.py:
    LOG.Error("Not able to connect with LDAP server: %s, error: %s" % (ldap_url,e))

    (2)

    If there is a connection failure, an uncaught exception is thrown in hue/apps/useradmin/src/useradmin/views.py

      File "/opt/cloudera/parcels/CDH-6.3.0-1.cdh6.3.0.p0.1279813/lib/hue/apps/useradmin/src/useradmin/views.py", line 906, in _import_ldap_users
        user_info = connection.find_users(username_pattern, find_by_dn=import_by_dn)
    AttributeError: 'NoneType' object has no attribute 'find_users'
    

    I think this is an issue that has always been around due to the logic here where "import_ldap_users()" is in the try: block. This means even if the connection fails, we attempt to import users.
    We should probably move "import_ldap_users()" to after the try/except block and check that a connection was made successfully.
    Impacted code:

      server = form.cleaned_data.get('server')
      try:
        failed_ldap_users = []
        connection = ldap_access.get_connection_from_server(server)
        users = import_ldap_users(connection, username_pattern, False, import_by_dn, failed_users=failed_ldap_users)
      except (ldap.LDAPError, LdapBindException), e:
        LOG.error("LDAP Exception: %s" % smart_str(e))
        raise PopupException(smart_str(_('There was an error when communicating with LDAP: %s')) % str(e))
      except ValidationError, e:
        LOG.error("LDAP Exception: %s" % smart_str(e))
        raise PopupException(smart_str(_('There was a problem with some of the LDAP information: %s')) % str(e))
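The restructuring suggested in the comment above, as an added example that is not Hue's code: the connection is established inside the try block, a None result is turned into a user-facing error, and only then are users imported. `get_connection_from_server`, `import_ldap_users`, `PopupException` and the in-memory directory are constructed stand-ins for Hue's LDAP layer, written in Python 3; the stand-in returns None on failure after logging, matching the behaviour the traceback shows.

```python
"""Added example (not Hue's code): the connection-failure guard suggested in
the review, against a constructed stand-in for the LDAP layer. The functions
and classes below are hypothetical stand-ins, not Hue's implementations."""
import logging
from typing import Dict, List, Optional

LOG = logging.getLogger(__name__)

# Constructed directory of reachable servers: server name -> users it holds
_FAKE_DIRECTORY: Dict[str, List[str]] = {
    "corp-ldap": ["alice", "bob", "bobby"],
}


class PopupException(Exception):
    """Stand-in for the user-facing error Hue raises from its views."""


class FakeConnection:
    def __init__(self, users: List[str]):
        self._users = users

    def find_users(self, username_pattern: str) -> List[str]:
        # Minimal prefix match standing in for an LDAP search filter
        prefix = username_pattern.rstrip("*")
        return [u for u in self._users if u.startswith(prefix)]


def get_connection_from_server(server: str) -> Optional[FakeConnection]:
    """Mirrors the behaviour the review describes: on failure the error is
    logged and None is returned rather than an exception being raised."""
    if server not in _FAKE_DIRECTORY:
        LOG.error("Not able to connect with LDAP server: %s", server)
        return None
    return FakeConnection(_FAKE_DIRECTORY[server])


def import_ldap_users(connection: FakeConnection, username_pattern: str) -> List[str]:
    return connection.find_users(username_pattern)


def add_ldap_users_unguarded(server: str, username_pattern: str) -> List[str]:
    """The shape the review flags: the import runs inside the try block even
    when no connection was made, so a None connection reaches find_users."""
    try:
        connection = get_connection_from_server(server)
        return import_ldap_users(connection, username_pattern)
    except ValueError as e:  # stands in for (ldap.LDAPError, LdapBindException)
        LOG.error("LDAP Exception: %s", e)
        raise PopupException("There was an error when communicating with LDAP: %s" % e)


def add_ldap_users_guarded(server: str, username_pattern: str) -> List[str]:
    """Reviewer's suggestion: connect inside the try block, verify the
    connection exists, and only then import users."""
    try:
        connection = get_connection_from_server(server)
    except ValueError as e:  # stands in for (ldap.LDAPError, LdapBindException)
        LOG.error("LDAP Exception: %s", e)
        raise PopupException("There was an error when communicating with LDAP: %s" % e)

    if connection is None:
        # Surface a user-facing error instead of an AttributeError traceback
        raise PopupException("Could not connect to LDAP server: %s" % server)

    return import_ldap_users(connection, username_pattern)
```

With a server that cannot be reached, the unguarded form fails with the same `'NoneType' object has no attribute 'find_users'` error shown in the traceback, while the guarded form reports a clean PopupException; the successful path is unchanged.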
    