Description
See the output below. searchBase and userSearchBase are interchangeable, but the diagnostics don't take that into account.
bin/knoxcli.sh system-user-auth-test --cluster admin
Warn: main.ldapRealm.searchBase is not present in topology
main.ldapRealm.userSearchAttributeName or main.ldapRealm.userObjectClass or main.ldapRealm.searchBase was found in the topology
If any one of the above params is present, all must be present.
Topology warnings present. SystemUser may not bind.
System LDAP Bind successful.
This output is produced for the following correct topology:
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
      <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
      <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>
      <param name="main.ldapRealm.contextFactory.url" value="ldap://ad-nano.qe.hortonworks.com:389"/>
      <param name="main.ldapRealm.contextFactory.authenticationMechanism" value="simple"/>
      <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=Kevin Minder,CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
      <param name="main.ldapRealm.contextFactory.systemPassword" value="p@ssw0rd"/>
      <param name="main.ldapRealm.userSearchBase" value="CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
      <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
      <param name="main.ldapRealm.userObjectClass" value="person"/>
      <param name="urls./**" value="authcBasic"/>
    </provider>
  </gateway>
  <service>
    <role>KNOX</role>
  </service>
</topology>
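
One way to express the all-or-none check so that searchBase and userSearchBase fill the same slot, as an added example (not Knox's own code). The function names `ldap_search_warnings` and `sample_topology` and the sample topologies are constructed for illustration; the rule itself is taken from the CLI output above.

```python
import xml.etree.ElementTree as ET

PREFIX = "main.ldapRealm."
# Per the report, either name fills the "search base" slot.
SEARCH_BASE_ALIASES = ("searchBase", "userSearchBase")
OTHER_GROUP_PARAMS = ("userSearchAttributeName", "userObjectClass")


def ldap_search_warnings(topology_xml):
    """Return warnings for the all-or-none LDAP search parameter group."""
    root = ET.fromstring(topology_xml)
    names = set()
    # Only params of the authentication provider take part in the check.
    for provider in root.iter("provider"):
        if (provider.findtext("role") or "").strip() == "authentication":
            names.update(p.get("name") for p in provider.iter("param"))

    bases = [a for a in SEARCH_BASE_ALIASES if PREFIX + a in names]
    others = [o for o in OTHER_GROUP_PARAMS if PREFIX + o in names]
    if not bases and not others:
        return []  # group unused, nothing to enforce

    warnings = []
    if not bases:
        wanted = " or ".join(PREFIX + a for a in SEARCH_BASE_ALIASES)
        warnings.append("Warn: %s is not present in topology" % wanted)
    for o in OTHER_GROUP_PARAMS:
        if o not in others:
            warnings.append("Warn: %s%s is not present in topology" % (PREFIX, o))
    return warnings


def sample_topology(param_names):
    """Build a constructed topology holding only the named ldapRealm params."""
    params = "".join('<param name="%s%s" value="constructed"/>' % (PREFIX, n)
                     for n in param_names)
    return ("<topology><gateway><provider><role>authentication</role>"
            "<name>ShiroProvider</name><enabled>true</enabled>%s"
            "</provider></gateway></topology>" % params)


if __name__ == "__main__":
    # Same parameter set as the reported topology: no warnings expected.
    reported = sample_topology(
        ["userSearchBase", "userSearchAttributeName", "userObjectClass"])
    print(ldap_search_warnings(reported))
    # Incomplete group: the search base and attribute name are both flagged.
    print(ldap_search_warnings(sample_topology(["userObjectClass"])))
```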