opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[Maintenance] Migrate ldaptive to version 2.x or UnboundID LDAP SDK 6.x #2959

Open willyborankin opened 1 year ago

willyborankin commented 1 year ago

Is your feature request related to a problem? Currently we use a very old version of ldaptive, 1.2.3, which was released in 2017. The reason we can't use higher versions is that prior to JDK 14 (fix backported to JDK 11.0.8) LDAP JNDI was broken (https://bugs.openjdk.org/browse/JDK-8217606), and ldaptive was switched to unboundid-ldapsdk instead of JNDI prior to version 2.x.

What solution would you like? The new ldaptive version 2.x does not use any other LDAP providers like unboundid or JNDI; instead the authors implement this list of controls:

Supported controls:

    Authorization Identity (RFC 3829)
    Content Synchronization (RFC 4533)
    Entry Change Notification (draft-ietf-ldapext-psearch-03)
    ManageDsaIT (RFC 3296)
    Matched Values (RFC 3876)
    Paged Results (RFC 2696)
    Password Policy (draft-behera-ldap-password-policy-10 and draft-vchu-ldap-pwd-policy-00)
    Persistent Search (draft-ietf-ldapext-psearch-03)
    Proxy Authorization (RFC 4370)
    Server Side Sorting (RFC 2891)
    Session Tracking (draft-wahl-ldap-session-03)
    Tree Delete (draft-armijo-ldap-treedelete)
    Virtual List View (draft-ietf-ldapext-ldapv3-vlv-09)

and it uses only netty as a dependency.

What alternatives have you considered? It is possible to switch to unboundid-ldapsdk, but AFAIU it has license limitations. Starting with version 5.0.0 it has only one license, Apache License, Version 2.0: https://github.com/pingidentity/ldapsdk/blob/master/LICENSE.md.

stephen-crawford commented 1 year ago

[Triage] This sounds like a good idea, going to mark this as help wanted.