You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@solr.apache.org by Shawn Heisey <ap...@elyograg.org> on 2023/03/24 14:39:31 UTC
LDAP authentication with Solr 9.1.1 or later
I asked before about Active Directory, and never found any instructions
on how to configure it.
I have info for connecting with LDAP at the site, and I have read that
Solr supports LDAP, but actually can't see any way to configure it.
Everything I can find uses third party software. The only one I found
that I could actually use involves entirely replacing Solr's BasicAuth
plugin, which I do not want to do. Also, it only talks about version
7.1.0, so I suspect it won't work with 9.x.
Can I authenticate to LDAP with Solr 9.1.1 (or later, when 9.2.0 comes
out), using only included software?
Nothing that I found even with third-party software indicated how to map
LDAP users to Solr's authorization, so if I can find a solution, it will
need that info.
Thanks,
Shawn
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Kevin Risden <kr...@apache.org>.
I thought there was a way to configure the user/group filter for the users
using Hadoop authentication. It was something
like hadoop.security.group.mapping.ldap - but I haven't looked at it in
years. I can't seem to find a reference right now.
Kevin Risden
On Sat, Mar 25, 2023 at 2:02 AM Shawn Heisey <ap...@elyograg.org> wrote:
> On 3/24/23 21:03, Shawn Heisey wrote:
> > On 3/24/23 20:39, Kevin Risden wrote:
> >> I personally haven't tried it but I would guess it takes the
> >> principal/username and you can map it to whatever roles you want using
> >> "user-role":
> >>
> >>
> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html#configuration-syntax
> One more question about the authentication part: The other ldap
> configurations in use at this site specify an ldap group that the users
> must be a member of in order to get authenticated at all.
>
> I searched HadoopAuthPlugin.java for group and found nothing. Is there
> a way to specify that?
>
> Thanks,
> Shawn
>
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/24/23 21:03, Shawn Heisey wrote:
> On 3/24/23 20:39, Kevin Risden wrote:
>> I personally haven't tried it but I would guess it takes the
>> principal/username and you can map it to whatever roles you want using
>> "user-role":
>>
>> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html#configuration-syntax
One more question about the authentication part: The other ldap
configurations in use at this site specify an ldap group that the users
must be a member of in order to get authenticated at all.
I searched HadoopAuthPlugin.java for group and found nothing. Is there
a way to specify that?
Thanks,
Shawn
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/24/23 20:39, Kevin Risden wrote:
> I personally haven't tried it but I would guess it takes the
> principal/username and you can map it to whatever roles you want using
> "user-role":
>
> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html#configuration-syntax
Does the hadoop ldap auth plugin provide a shortened name as described
in ref guide page on authorization? What is the significance of the
sysPropPrefix setting? Does it only affect Solr, or does it have
significance for the LDAP server?
I think this means I can't edit the security setup using the admin UI,
which is disappointing but not surprising.
Trying to think up a way to test this. I only have a Windows VM in the
target environment that I can experiment on. I don't want to modify the
actual servers until I've worked out the kinks. Maybe a docker image?
Thanks,
Shawn
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Kevin Risden <kr...@apache.org>.
I personally haven't tried it but I would guess it takes the
principal/username and you can map it to whatever roles you want using
"user-role":
https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html#configuration-syntax
Kevin Risden
On Fri, Mar 24, 2023 at 10:21 PM Shawn Heisey <el...@elyograg.org> wrote:
> On 3/24/23 09:59, Kevin Risden wrote:
> > I forgot I wrote a blog about it -
> >
> https://risdenk.github.io/2018/11/20/apache-solr-hadoop-authentication-plugin-ldap.html
> >
> > Kevin Risden
>
> Nice! Thank you for sharing!
>
> This is also missing any information describing how to map users to
> Solr's authorization roles. Do you have an example of that?
>
> Thanks,
> Shawn
>
>
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Shawn Heisey <el...@elyograg.org>.
On 3/24/23 09:59, Kevin Risden wrote:
> I forgot I wrote a blog about it -
> https://risdenk.github.io/2018/11/20/apache-solr-hadoop-authentication-plugin-ldap.html
>
> Kevin Risden
Nice! Thank you for sharing!
This is also missing any information describing how to map users to
Solr's authorization roles. Do you have an example of that?
Thanks,
Shawn
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Kevin Risden <kr...@apache.org>.
I forgot I wrote a blog about it -
https://risdenk.github.io/2018/11/20/apache-solr-hadoop-authentication-plugin-ldap.html
Kevin Risden
On Fri, Mar 24, 2023, 11:27 Kevin Risden <kr...@apache.org> wrote:
> I think its possible with
> https://solr.apache.org/guide/solr/latest/deployment-guide/hadoop-authentication-plugin.html
>
> Specifically under "LDAP Configuration" -
> https://hadoop.apache.org/docs/stable/hadoop-auth/Configuration.html
>
> It is not exactly laid out in a simple way, but I think all the pieces are
> there to configure it.
>
> Be aware of https://issues.apache.org/jira/browse/SOLR-16240
>
> Kevin Risden
>
>
> On Fri, Mar 24, 2023 at 10:40 AM Shawn Heisey <ap...@elyograg.org> wrote:
>
>> I asked before about Active Directory, and never found any instructions
>> on how to configure it.
>>
>> I have info for connecting with LDAP at the site, and I have read that
>> Solr supports LDAP, but actually can't see any way to configure it.
>> Everything I can find uses third party software. The only one I found
>> that I could actually use involves entirely replacing Solr's BasicAuth
>> plugin, which I do not want to do. Also, it only talks about version
>> 7.1.0, so I suspect it won't work with 9.x.
>>
>> Can I authenticate to LDAP with Solr 9.1.1 (or later, when 9.2.0 comes
>> out), using only included software?
>>
>> Nothing that I found even with third-party software indicated how to map
>> LDAP users to Solr's authorization, so if I can find a solution, it will
>> need that info.
>>
>> Thanks,
>> Shawn
>>
>
Re: LDAP authentication with Solr 9.1.1 or later
Posted by Kevin Risden <kr...@apache.org>.
I think its possible with
https://solr.apache.org/guide/solr/latest/deployment-guide/hadoop-authentication-plugin.html
Specifically under "LDAP Configuration" -
https://hadoop.apache.org/docs/stable/hadoop-auth/Configuration.html
It is not exactly laid out in a simple way, but I think all the pieces are
there to configure it.
Be aware of https://issues.apache.org/jira/browse/SOLR-16240
Kevin Risden
On Fri, Mar 24, 2023 at 10:40 AM Shawn Heisey <ap...@elyograg.org> wrote:
> I asked before about Active Directory, and never found any instructions
> on how to configure it.
>
> I have info for connecting with LDAP at the site, and I have read that
> Solr supports LDAP, but actually can't see any way to configure it.
> Everything I can find uses third party software. The only one I found
> that I could actually use involves entirely replacing Solr's BasicAuth
> plugin, which I do not want to do. Also, it only talks about version
> 7.1.0, so I suspect it won't work with 9.x.
>
> Can I authenticate to LDAP with Solr 9.1.1 (or later, when 9.2.0 comes
> out), using only included software?
>
> Nothing that I found even with third-party software indicated how to map
> LDAP users to Solr's authorization, so if I can find a solution, it will
> need that info.
>
> Thanks,
> Shawn
>