Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
To set the context, here is the authentication provider specification in a Knox topology file:
<provider>
<role>authentication</role>
<enabled>true</enabled>
<name>ShiroProvider</name>
<param>
<name>main.ldapRealm</name>
<value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid=
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
This allows configurable userDnTemplate to infer the bindDN based on the authenticating user name.
However, in enterprise use cases, it is not always possible to infer bindDN based on authenticating username using a template like this.
We have to do a search in the directory based on the userName mapped to a configurable attribute name to find the userDN. This means, we should add at least one additional configuration parameter such as
userSearchTemplate.
An example value for userSearchTemplate
(&(uid={0}
)(objectclass=inetorgperson))
BaseDN for search can be specified as part of
contextFactory.url
Commit a4383ec24c38c16f406255e77248daec32308242 in knox's branch refs/heads/master from darumugam
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=a4383ec ]
KNOX-375: add functional test forKNOX-242find client bind dn using ldapsearch