You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/06/14 17:02:40 UTC

[jira] [Commented] (KNOX-537) Linux PAM Authentication Provider

    [ https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15329899#comment-15329899 ] 

Larry McCay commented on KNOX-537:
----------------------------------

[~hkropp] - I'm sorry for having let this drop off my radar.
I have been concentrating on the 0.9.1 release JIRAs.

I'm curious what the current state of this is exactly.
If this can be shown to work with reasonable docs and tests then we can get it in for 0.10.0.

It seems that you were required to use a workaround for user roles/groups in order to get it to work.
Where exactly did you put that code?


> Linux PAM Authentication Provider
> ---------------------------------
>
>                 Key: KNOX-537
>                 URL: https://issues.apache.org/jira/browse/KNOX-537
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>              Labels: knox, pam
>             Fix For: Future
>
>         Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> OS level PAM security provides great interface for authentication and authorization.  For example, sssd provides support for manage Active Directory nested OU by adjusting ldap_group_nesting_level = 5.  Knox configuration is configured to interact with LDAP directly, but this has two short cominges.   First, hgh volume traffic is likely to make too many queries to AD without cache.  Second, complex logic of LDAP queries can not map correctly to UserDnTemplate without adding more ldap specific logic into JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to out source complex OS to AD interaction to sssd.  It is possible to implement a shiro PAM plugin to reduce the complex LDAP logic that is starting to accumulate in Knox.
> Looks like there is a least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license 
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)