modifyTimestamp support for Ranger

glauth / glauth

A lightweight LDAP server for development, home use, or CI

MIT License

2.42k stars 218 forks source link

modifyTimestamp support for Ranger #427

Open shipperizer opened 5 months ago

shipperizer commented 5 months ago

We are having issues when trying to integrate GLAuth with Apache Ranger

Ranger has a usersync functionality which periodically syncs from LDAP users and groups information using the modifyTimestamp objectclass with the person or PosixAccount

The modifyTimestamp does not appear to be present in GLAuth, th value is used to optionally sync only changed entities since the last operation.

could we have some directions on how to implement this in GLAuth?

Fusion commented 5 months ago

I just realized something: normally this attribute would be updated by the server every time we perform a LDAP modify operation. At this time, GLAuth does not have LDAP modify operations since it's read-only.

I can think of two distinct scenario:

GLAuth is acting as a LDAP proxy -> this attribute should be automatically forwarded; let me know if it isn't
GLAuth is using its own backend -> updates being performed out of bound, the configuration file or database would need this field updated as well; either by the operator, or perhaps using a stored procedure

What use case are we trying to satisfy? If it's the proxy one, are we failing to forward the attribute?

shipperizer commented 4 months ago

design is for GLAuth to be acting as a proxy

we lost the ball on this but will try it and check that all works as expected and report back if something is missing