Posted to commits@knox.apache.org by km...@apache.org on 2016/03/17 16:41:04 UTC

svn commit: r1735445 - in /knox: site/books/knox-0-9-0/user-guide.html site/index.html site/issue-tracking.html site/license.html site/mail-lists.html site/project-info.html site/team-list.html trunk/books/0.9.0/config_advanced_ldap.md

Author: kminder
Date: Thu Mar 17 15:41:03 2016
New Revision: 1735445

URL: http://svn.apache.org/viewvc?rev=1735445&view=rev
Log:
[KNOX-694] - Enhance LDAP user search configurability

Modified:
    knox/site/books/knox-0-9-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.9.0/config_advanced_ldap.md

Modified: knox/site/books/knox-0-9-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/user-guide.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/books/knox-0-9-0/user-guide.html (original)
+++ knox/site/books/knox-0-9-0/user-guide.html Thu Mar 17 15:41:03 2016
@@ -1044,7 +1044,87 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
 <pre><code>(&amp;(email=bill.clinton@gmail.com)(objectclass=person))
 </code></pre><p>This could find bind DN to be</p>
 <pre><code>uid=billc,ou=contractors,dc=hadoop,dc=apache,dc=org
-</code></pre><h4><a id="Example+provider+configuration+to+use+advanced+LDAP+authentication">Example provider configuration to use advanced LDAP authentication</a> <a href="#Example+provider+configuration+to+use+advanced+LDAP+authentication"><img src="markbook-section-link.png"/></a></h4><p>The example configuration appears verbose due to the presence of liberal comments and illustration of optional parameters and default values. The configuration that you would use could be much shorter if you rely on default values.</p>
+</code></pre><h4><a id="Advanced+LDAP+configuration+parameters">Advanced LDAP configuration parameters</a> <a href="#Advanced+LDAP+configuration+parameters"><img src="markbook-section-link.png"/></a></h4><p>The table below provides a brief description and sample of the available advanced bind and search configuration parameters.</p>
+<table>
+  <thead>
+    <tr>
+      <th>Parameter </th>
+      <th>Description </th>
+      <th>Default </th>
+      <th>Sample </th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>principalRegex </td>
+      <td>Parses the principal for insertion into templates via regex. </td>
+      <td>(.*) </td>
+      <td>(.*?)\\(.*) <em>(e.g. match US\tom: {0}=US\tom, {1}=US, {2}=tom)</em> </td>
+    </tr>
+    <tr>
+      <td>userDnTemplate </td>
+      <td>Direct user bind DN template. </td>
+      <td>{0} </td>
+      <td>cn={2},dc={1},dc=qa,dc=company,dc=com </td>
+    </tr>
+    <tr>
+      <td>userSearchBase </td>
+      <td>Search based template. Used with config below. </td>
+      <td>none </td>
+      <td>dc={1},dc=qa,dc=company,dc=com </td>
+    </tr>
+    <tr>
+      <td>userSearchAttributeName </td>
+      <td>Attribute name for simplified search filter. </td>
+      <td>none </td>
+      <td>sAMAccountName </td>
+    </tr>
+    <tr>
+      <td>userSearchAttributeTemplate </td>
+      <td>Attribute template for simplified search filter. </td>
+      <td>{0} </td>
+      <td>{2} </td>
+    </tr>
+    <tr>
+      <td>userSearchFilter </td>
+      <td>Advanced search filter template. Note &amp; is &amp;amp; in XML. </td>
+      <td>none </td>
+      <td>(&amp;amp;(objectclass=person)(sAMAccountName={2})) </td>
+    </tr>
+    <tr>
+      <td>userSearchScope </td>
+      <td>Search scope: subtree, onelevel, object. </td>
+      <td>subtree </td>
+      <td>onelevel </td>
+    </tr>
+  </tbody>
+</table><h4><a id="Advanced+LDAP+configuration+combinations">Advanced LDAP configuration combinations</a> <a href="#Advanced+LDAP+configuration+combinations"><img src="markbook-section-link.png"/></a></h4><p>There are also only certain valid combinations of advanced LDAP configuration parameters.</p>
+<ul>
+  <li>User DN Template
+  <ul>
+    <li>userDnTemplate (Required)</li>
+    <li>principalRegex (Optional)</li>
+  </ul></li>
+  <li>User Search by Attribute
+  <ul>
+    <li>userSearchBase (Required)</li>
+    <li>userAttributeName (Required)</li>
+    <li>userAttributeTemplate (Optional)</li>
+    <li>userSearchScope (Optional)</li>
+    <li>principalRegex (Optional)</li>
+  </ul></li>
+  <li>User Search by Filter
+  <ul>
+    <li>userSearchBase (Required)</li>
+    <li>userSearchFilter (Required)</li>
+    <li>userSearchScope (Optional)</li>
+    <li>principalRegex (Optional)</li>
+  </ul></li>
+</ul><h4><a id="Advanced+LDAP+configuration+precedence">Advanced LDAP configuration precedence</a> <a href="#Advanced+LDAP+configuration+precedence"><img src="markbook-section-link.png"/></a></h4><p>The presence of multiple configuration combinations should be avoided. The rules below clarify which combinations take precedence when present.</p>
+<ol>
+  <li>userSearchBase takes precedence over userDnTemplate</li>
+  <li>userSearchFilter takes precedence over userSearchAttributeName</li>
+</ol><h4><a id="Example+provider+configuration+to+use+advanced+LDAP+authentication">Example provider configuration to use advanced LDAP authentication</a> <a href="#Example+provider+configuration+to+use+advanced+LDAP+authentication"><img src="markbook-section-link.png"/></a></h4><p>The example configuration appears verbose due to the presence of liberal comments and illustration of optional parameters and default values. The configuration that you would use could be much shorter if you rely on default values.</p>
 <pre><code>&lt;provider&gt;
 
     &lt;role&gt;authentication&lt;/role&gt;
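
Review bot: The parameter names in the "User Search by Attribute" list (userAttributeName, userAttributeTemplate) do not match the parameter table above it or precedence rule 2, which call the same settings userSearchAttributeName and userSearchAttributeTemplate. A reader who copies the names from the list would set parameters the table does not define, so the list and the table should agree. The same text is added to config_advanced_ldap.md in this commit and this page appears to be its rendered form, so the correction belongs in the .md file.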

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API Gateway for the Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
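
Review bot: Timestamp-only regeneration churn such as the Doxia date and Date-Revision lines here is unrelated to KNOX-694 and is repeated across six site pages, which buries the user-guide change. Consider committing the regenerated site pages separately, or noting the site rebuild in the log message.
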
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Thu Mar 17 15:41:03 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-03-01
+ | Generated by Apache Maven Doxia at 2016-03-17
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160301" />
+    <meta name="Date-Revision-yyyymmdd" content="20160317" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-03-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2016-03-17</li> 
             
                             </ul>
       </div>

Modified: knox/trunk/books/0.9.0/config_advanced_ldap.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.9.0/config_advanced_ldap.md?rev=1735445&r1=1735444&r2=1735445&view=diff
==============================================================================
--- knox/trunk/books/0.9.0/config_advanced_ldap.md (original)
+++ knox/trunk/books/0.9.0/config_advanced_ldap.md Thu Mar 17 15:41:03 2016
@@ -58,6 +58,44 @@ This could find bind DN to be
 
     uid=billc,ou=contractors,dc=hadoop,dc=apache,dc=org
 
+#### Advanced LDAP configuration parameters
+The table below provides a brief description and sample of the available advanced bind and search configuration parameters.
+
+| Parameter                   | Description                                                    | Default | Sample                                                             |
+|-----------------------------|----------------------------------------------------------------|---------|--------------------------------------------------------------------|
+| principalRegex              | Parses the principal for insertion into templates via regex.   | (.*)    | (.\*?)\\\\(.\*) _(e.g. match US\tom: {0}=US\tom, {1}=US, {2}=tom)_ |
+| userDnTemplate              | Direct user bind DN template.                                  | {0}     | cn={2},dc={1},dc=qa,dc=company,dc=com                              |
+| userSearchBase              | Search based template. Used with config below.                 | none    | dc={1},dc=qa,dc=company,dc=com                                     |
+| userSearchAttributeName     | Attribute name for simplified search filter.                   | none    | sAMAccountName                                                     |
+| userSearchAttributeTemplate | Attribute template for simplified search filter.               | {0}     | {2}                                                                |
+| userSearchFilter            | Advanced search filter template. Note \& is \&amp; in XML.     | none    | (\&amp;(objectclass=person)(sAMAccountName={2}))                   |
+| userSearchScope             | Search scope: subtree, onelevel, object.                       | subtree | onelevel                                                           |
+
+#### Advanced LDAP configuration combinations
+There are also only certain valid combinations of advanced LDAP configuration parameters.
+
+* User DN Template
+    * userDnTemplate (Required)
+    * principalRegex (Optional)
+* User Search by Attribute
+    * userSearchBase (Required)
+    * userAttributeName (Required)
+    * userAttributeTemplate (Optional)
+    * userSearchScope (Optional)
+    * principalRegex (Optional)
+* User Search by Filter
+    * userSearchBase (Required)
+    * userSearchFilter (Required)
+    * userSearchScope (Optional)
+    * principalRegex (Optional)
+
+#### Advanced LDAP configuration precedence
+The presence of multiple configuration combinations should be avoided.
+The rules below clarify which combinations take precedence when present.
+
+1. userSearchBase takes precedence over userDnTemplate
+2. userSearchFilter takes precedence over userSearchAttributeName
+
 #### Example provider configuration to use advanced LDAP authentication
 
 The example configuration appears verbose due to the presence of liberal comments
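
Review bot: Missing from the principalRegex, userDnTemplate and userSearchFilter rows is any statement of whether the groups captured from the principal are escaped for LDAP DN or filter syntax before they are inserted into the templates. A sentence describing the escaping behaviour, or advising operators to make principalRegex restrictive enough that only expected characters reach {1} and {2}, would let them judge whether the default (.*) is acceptable for their directory. Separately, "Search based template" in the userSearchBase row reads like a typo for "Search base template".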