KNOX-242

knox needs to support basedn, search attribute based LDAP authentication

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Server
    • Labels: None

    Description

      To set the context, here is the authentication provider specification in a Knox topology file:

      <provider>
        <role>authentication</role>
        <enabled>true</enabled>
        <name>ShiroProvider</name>
        <param>
          <name>main.ldapRealm</name>
          <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
        </param>
        <param>
          <name>main.ldapRealm.userDnTemplate</name>
          <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.url</name>
          <value>ldap://localhost:33389</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
          <value>simple</value>
        </param>
        <param>
          <name>urls./**</name>
          <value>authcBasic</value>
        </param>
      </provider>

      This lets a configurable userDnTemplate infer the bind DN from the authenticating user name.

      However, in enterprise use cases it is not always possible to infer the bind DN from the authenticating user name with a template like this. We have to search the directory, matching the user name against a configurable attribute name, to find the user DN. This means we should add at least one additional configuration parameter, such as userSearchTemplate.

      An example value for userSearchTemplate:

      (&(uid={0})(objectclass=inetorgperson))

      The base DN for the search can be specified as part of contextFactory.url.
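      The following Python is an added example, not Knox's own code and not the implementation that eventually shipped. It sketches the search-then-bind flow the description asks for: render the userSearchTemplate with the login name, search under a base DN, accept only a unique match, and bind as the resulting DN. It also carries the two checks a practitioner would want around such a template: the substituted value is escaped per RFC 4515 so filter metacharacters in a login name are matched literally rather than interpreted, and zero or several search hits are treated as a failed login instead of binding to the first entry. The in-memory directory, the minimal filter evaluator, the entry DNs, attribute values and plaintext passwords are constructed stand-ins for a real LDAP server; only the search template and the ou=people base DN come from the issue text.

```python
"""Search-then-bind LDAP authentication as proposed in KNOX-242 (added example, not Knox code)."""
import hmac
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-case) -> values
Directory = Dict[str, Entry]   # DN -> entry

BASE_DN = "ou=people,dc=hadoop,dc=apache,dc=org"
USER_SEARCH_TEMPLATE = "(&(uid={0})(objectclass=inetorgperson))"  # value quoted in the issue

# Constructed sample directory standing in for the LDAP server; passwords are plaintext only here.
DIRECTORY: Directory = {
    "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["guest"], "objectclass": ["inetOrgPerson", "person"], "userpassword": ["guest-password"]},
    "uid=sam,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["sam"], "objectclass": ["inetOrgPerson", "person"], "userpassword": ["sam-password"]},
    "uid=admin,ou=system,dc=hadoop,dc=apache,dc=org": {  # outside BASE_DN, must never be found
        "uid": ["admin"], "objectclass": ["inetOrgPerson"], "userpassword": ["admin-password"]},
}

# RFC 4515 escapes for a value substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the login name is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Fill the {0} placeholder of a userSearchTemplate with the escaped login name."""
    return template.replace("{0}", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(expr: str, pos: int) -> Tuple[tuple, int]:
    """Recursive-descent parser for the filter subset used here: (&...), (|...) and (attr=value)."""
    if pos >= len(expr) or expr[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(expr) and expr[pos] in "&|":
        op, pos, children = expr[pos], pos + 1, []
        while pos < len(expr) and expr[pos] == "(":
            child, pos = _parse(expr, pos)
            children.append(child)
        if pos >= len(expr) or expr[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = expr.index(")", pos)  # an escaped value contains no literal ')'
    attr, sep, value = expr[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr.strip().lower(), _unescape(value)), end + 1


def parse_filter(expr: str) -> tuple:
    node, end = _parse(expr, 0)
    if end != len(expr):
        raise ValueError("trailing characters after filter")
    return node


def _matches(node: tuple, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node  # case-insensitive, as uid and objectClass matching rules are
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(directory: Directory, base_dn: str, filter_expr: str) -> List[str]:
    """Subtree search: DNs at or under base_dn whose entry satisfies the filter."""
    node, base = parse_filter(filter_expr), base_dn.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, entry)]


def find_user_dn(directory: Directory, base_dn: str, template: str, username: str) -> Optional[str]:
    """Resolve the bind DN; zero or several matches both mean 'do not bind'."""
    matches = search(directory, base_dn, render_search_filter(template, username))
    return matches[0] if len(matches) == 1 else None


def bind(directory: Directory, dn: str, password: str) -> bool:
    """Simple-bind stand-in; an empty password is an anonymous bind in LDAP, never a success."""
    entry = directory.get(dn)
    if entry is None or not password:
        return False
    return any(hmac.compare_digest(p.encode(), password.encode()) for p in entry.get("userpassword", []))


def authenticate(directory: Directory, base_dn: str, template: str, username: str, password: str) -> Optional[str]:
    """Search-then-bind; returns the bound DN on success, None otherwise."""
    dn = find_user_dn(directory, base_dn, template, username)
    return dn if dn is not None and bind(directory, dn, password) else None


if __name__ == "__main__":
    print(render_search_filter(USER_SEARCH_TEMPLATE, "guest"))
    print(authenticate(DIRECTORY, BASE_DN, USER_SEARCH_TEMPLATE, "guest", "guest-password"))
```

      Against a real server the search would go out as a subtree search under the configured base DN and the bind as a second connection (or a rebind) with the resolved DN; the point the example keeps is that the only user-controlled input entering the filter is an escaped literal, and that the realm refuses to bind unless the search returns exactly one entry under that base.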

      Attachments

        1. KNOX-375.patch (20 kB, Dilli Arumugam)

        Activity

          ASF subversion and git services (jira-bot) added a comment - Commit a4383ec24c38c16f406255e77248daec32308242 in knox's branch refs/heads/master from darumugam [ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=a4383ec ] KNOX-375: add functional test for KNOX-242 find client bind dn using ldapsearch

          Dilli Arumugam (darumugam) added a comment - Please see the one pager describing the proposed enhancement at the Wiki: https://cwiki.apache.org/confluence/display/KNOX/KNOX-242-support+basedn,+search+attribute+based+LDAP+authentication

          People

            Assignee: Dilli Arumugam (darumugam)
            Reporter: Dilli Arumugam (darumugam)
            Votes: 0
            Watchers: 2
