Description
This change is meant to allowing user params to take precedence over hive params. Currently, it's the other way around.
Particularly, if you have the situation where you have a large number of users who use an authentication method other than the default basic, but your service account (AGG_SERVICE_ACCOUNT) is using basic then you need to specify a user param for each of your users.
With this change, you can set default authentication params in pm_hive_params for all users, and then set your service account specifically to be authentication_method = 'BASIC'. May seem like a small change, but it would be very welcome not to need to assign params for each new user at our institution.
In the process of making this change, I re-organized basic authentication into its own package and removed some code duplication.
Particularly, if you have the situation where you have a large number of users who use an authentication method other than the default basic, but your service account (AGG_SERVICE_ACCOUNT) is using basic then you need to specify a user param for each of your users.
With this change, you can set default authentication params in pm_hive_params for all users, and then set your service account specifically to be authentication_method = 'BASIC'. May seem like a small change, but it would be very welcome not to need to assign params for each new user at our institution.
In the process of making this change, I re-organized basic authentication into its own package and removed some code duplication.
Attachments
Activity
Field | Original Value | New Value |
---|---|---|
Status | New [ 10000 ] | Open [ 1 ] |
Fix Version/s | 1.7.13 [ 10902 ] |
Resolution | Fixed [ 1 ] | |
Status | Open [ 1 ] | Resolved [ 5 ] |
Assignee | Jeffrey Klann [ jklann ] |
Comment |
[ Active Directory enables other methods of binding which are more flexible besides just using the distinguished name. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6a5891b8-928e-4b75-a4a5-0e3b77eaca52. This change is to enable binding the the User Principle Name form, which is very convenient when the distinguished names for users is not easily available (OU by department, etc.).
"For AD DS, the name forms are tried in the order they are listed below. For AD LDS, the name forms are tried in the order below, except that forms marked "Only for AD DS" are not tried, and the User Principal Name (UPN) mapping (the second form below) is tried last. The name forms are: The DN of the object. The user principal name (UPN) of the object. The UPN of an object is either: A value of the userPrincipalName attribute of the object, or Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either: The DNS name of a domain in the same forest as the object, or A value in the uPNSuffixes attribute of the Partitions container in the config NC replica." ] |