[KNOX-242] knox needs to support basedn, search attribute based LDAP authentication - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Server
Labels:
None

Description

To set the context, here is the authentication provider specification in a Knox topology file:

<provider>
<role>authentication</role>
<enabled>true</enabled>
<name>ShiroProvider</name>
<param>
<name>main.ldapRealm</name>
<value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid=

{0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>

This allows configurable userDnTemplate to infer the bindDN based on the authenticating user name.

However, in enterprise use cases, it is not always possible to infer bindDN based on authenticating username using a template like this.
We have to do a search in the directory based on the userName mapped to a configurable attribute name to find the userDN. This means, we should add at least one additional configuration parameter such as
userSearchTemplate.

An example value for userSearchTemplate
(&(uid={0}

)(objectclass=inetorgperson))

BaseDN for search can be specified as part of

contextFactory.url

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

KNOX-375.patch
20/May/14 01:05
20 kB
Dilli Arumugam

Sub-Tasks

1.	add support for new config param userSearchAttributeName	Closed	Dilli Arumugam
2.	add support for new config param userSearchBase	Closed	Dilli Arumugam
3.	add support for new config param groupSearchBase	Closed	Dilli Arumugam
4.	add support for new config param userObjectClass	Closed	Dilli Arumugam
5.	group membership lookup need to use userdn computed by search	Closed	Dilli Arumugam
6.	add unit tests to check default values for userSearchAttributeName, userObjectClass	Closed	Dilli Arumugam
7.	add unit tests to verify default values for userSearchBase, groupSearchBase	Closed	Dilli Arumugam
8.	KnoxLdapRealm does not default values correctly for userSearchBase and groupSearchBase	Closed	Dilli Arumugam
9.	add functional test for KNOX-242 find client bind dn using ldapsearch	Closed	Dilli Arumugam
10.	create a wiki one pager for KNOX-242	Closed	Dilli Arumugam
11.	log computed bind dn and the mechanism to help diagnostics	Closed	Dilli Arumugam
12.	update topology template files to use KnoxLdapRealm	Closed	Dilli Arumugam
13.	replace JndiLdapRealm with KnoxLdapRelam in unit tests and functional tests	Closed	Dilli Arumugam
14.	add user documentation for search attribute based LDAP authentication	Closed	Larry McCay

Activity

People

Assignee:: Dilli Arumugam

Reporter:: Dilli Arumugam

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/Feb/14 05:57

Updated:: 28/Mar/19 14:19

Resolved:: 20/May/14 01:05