ZEPPELIN-6171 Add FreeIPA authentication with memberOf attribute for groups mapping
What is this PR for?
This pull request introduces support for LDAP authentication using the memberOf attribute, retrieving user group memberships from LDAP systems like FreeIPA.
Problem
Previously, Zeppelin's LdapRealm could only determine group memberships by searching all groups in the LDAP directory and checking if the user was a member of each group. This approach doesn't properly support nested group memberships in systems that use the memberOf attribute like FreeIPA.
Solution
This PR adds the ability to use the memberOf attribute for determining group memberships by:
- Adding configuration options to enable memberOf attribute support:
- Implementing a new code path in the rolesFor method that:
  - Searches for the user and retrieves their memberOf attribute values
  - Correctly extracts group names from the memberOf Distinguished Names
  - Maps these group names to roles based on the configured rolesByGroup mapping
- Properly handling the LDAP Distinguished Name (DN) component order when extracting group names by iterating through the DN components in the correct order
What type of PR is it?
Improvement
Please leave your type of PR only
Todos
- [ ] - Task
What is the Jira issue?
[ZEPPELIN-6171]
How should this be tested?
added automated unit tests for any new or changed behavior
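The DN component order point in the description above, shown as an added example (not code from this PR or from Zeppelin): `javax.naming.ldap.LdapName` indexes RDNs from right to left, so the group's own `cn` is the last index, and a scan from index 0 would pick a container such as `cn=accounts` and could map the user to the wrong role. The class name, method names, sample DNs and role mapping are assumptions constructed for illustration.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberOfRoles {
  // Hypothetical helper: group name from one memberOf DN, or null if unusable.
  static String groupNameFromDn(String memberOfDn) {
    try {
      LdapName dn = new LdapName(memberOfDn);
      if (dn.isEmpty()) return null;
      // LdapName index 0 is the RIGHTMOST RDN (e.g. dc=com); the entry's own
      // RDN, which names the group, is at size() - 1.
      Rdn leaf = dn.getRdn(dn.size() - 1);
      if (!"cn".equalsIgnoreCase(leaf.getType())) return null; // not a cn-named group
      return String.valueOf(leaf.getValue()); // value is already unescaped
    } catch (InvalidNameException e) {
      return null; // malformed DN: fail closed, grant nothing
    }
  }

  // Hypothetical mapping step: only groups present in rolesByGroup yield a role.
  static Set<String> rolesFromMemberOf(List<String> memberOf, Map<String, String> rolesByGroup) {
    Set<String> roles = new TreeSet<>();
    for (String dn : memberOf) {
      String group = groupNameFromDn(dn);
      String role = (group == null) ? null : rolesByGroup.get(group);
      if (role != null) roles.add(role);
    }
    return roles;
  }

  public static void main(String[] args) {
    // Constructed sample values in a FreeIPA-style layout.
    List<String> memberOf = List.of(
        "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
        "cn=ops\\, night shift,cn=groups,cn=accounts,dc=example,dc=com", // escaped comma
        "ipaUniqueID=1234,cn=hbac,dc=example,dc=com",                    // not a cn-named group
        "not a dn");                                                     // malformed
    Map<String, String> rolesByGroup = Map.of(
        "admins", "admin",
        "ops, night shift", "operator",
        "accounts", "finance"); // would be granted by a right-to-left cn scan
    System.out.println(rolesFromMemberOf(memberOf, rolesByGroup));
  }
}
```

Splitting the DN string on commas instead of parsing it would also mishandle the escaped comma in the second sample value.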
Hello. Any chance to pass a review?
Let me start to review it soon.
The rolesFor method reaches a very high level of complexity with the change. Please introduce private methods to reduce the complexity.