Support LDAP with anonymous bind disabled #11714

findepi · 2018-10-15T13:56:11Z

For many users, enabling anonymous bind is not an option from security
perspective.

When anonymous bind is disabled, Presto would fail with

1) Error injecting constructor, java.lang.RuntimeException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
  at com.facebook.presto.password.LdapAuthenticator.<init>(LdapAuthenticator.java:66)
  at com.facebook.presto.password.LdapAuthenticatorFactory.lambda$create$0(LdapAuthenticatorFactory.java:43)
  while locating com.facebook.presto.password.LdapAuthenticator

1 error
	at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:543)
	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109)
	at com.google.inject.Guice.createInjector(Guice.java:87)
	at io.airlift.bootstrap.Bootstrap.initialize(Bootstrap.java:240)
	at com.facebook.presto.password.LdapAuthenticatorFactory.create(LdapAuthenticatorFactory.java:50)
	at com.facebook.presto.server.security.PasswordAuthenticatorManager.loadPasswordAuthenticator(PasswordAuthenticatorManager.java:75)
	at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:131)
	at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:67)
Caused by: java.lang.RuntimeException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
	at com.facebook.presto.password.LdapAuthenticator.checkEnvironment(LdapAuthenticator.java:184)
	at com.facebook.presto.password.LdapAuthenticator.<init>(LdapAuthenticator.java:79)
	at com.facebook.presto.password.LdapAuthenticator$$FastClassByGuice$$ca2e0ce1.newInstance(<generated>)
	at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:148)
	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
	at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)
	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)
	... 7 more
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
	at javax.naming.InitialContext.init(InitialContext.java:244)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at com.facebook.presto.password.jndi.JndiUtils.createDirContext(JndiUtils.java:30)
	at com.facebook.presto.password.LdapAuthenticator.checkEnvironment(LdapAuthenticator.java:181)
	... 18 more

Fixes #8569

For many users, enabling anonymous bind is not an option from security perspective.

electrum

Remember to update to the released image before merging

alrolorojas · 2019-01-11T16:14:40Z

@electrum @findepi 👋 A quick question, we're looking at this as we require anonymous bind to be disabled to integrate Presto with our LDAP server. When it gets disabled a user and password are required to authenticate against the LDAP server. Are those new Presto properties added in order to set bind username and pswd as part of this PR?

I missed that bit in the PR code.

findepi · 2019-01-11T19:47:27Z

@alrolorojas i think you may be referring to #11917?

findepi added 2 commits October 15, 2018 15:42

TMP use non-release yet openldap image

42aed9c

Support LDAP with anonymous bind disabled

77aa30d

For many users, enabling anonymous bind is not an option from security perspective.

facebook-github-bot added the CLA Signed label Oct 15, 2018

electrum approved these changes Oct 16, 2018

View reviewed changes

findepi mentioned this pull request Jan 29, 2019

Support LDAP with anonymous bind disabled trinodb/trino#97

Merged

findepi closed this Jan 29, 2019

findepi deleted the findepi/nonanon branch January 29, 2019 10:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support LDAP with anonymous bind disabled #11714

Support LDAP with anonymous bind disabled #11714

findepi commented Oct 15, 2018 •

edited

Loading

electrum left a comment

alrolorojas commented Jan 11, 2019

findepi commented Jan 11, 2019

Support LDAP with anonymous bind disabled #11714

Support LDAP with anonymous bind disabled #11714

Conversation

findepi commented Oct 15, 2018 • edited Loading

electrum left a comment

Choose a reason for hiding this comment

alrolorojas commented Jan 11, 2019

findepi commented Jan 11, 2019

findepi commented Oct 15, 2018 •

edited

Loading