Posted to dev@knox.apache.org by "Paul Codding (JIRA)" <ji...@apache.org> on 2014/02/21 22:49:20 UTC

[jira] [Commented] (KNOX-242) knox needs to support basedn, search attribute based LDAP authentication

    [ https://issues.apache.org/jira/browse/KNOX-242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13908855#comment-13908855 ] 

Paul Codding commented on KNOX-242:
-----------------------------------

+1

> knox needs to support basedn, search attribute based LDAP authentication
> ------------------------------------------------------------------------
>
>                 Key: KNOX-242
>                 URL: https://issues.apache.org/jira/browse/KNOX-242
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Dilli Arumugam
>
> To set the context, here is the authentication provider specification in a Knox topology file:
> <provider>
>     <role>authentication</role>
>     <enabled>true</enabled>
>     <name>ShiroProvider</name>
>     <param>
>         <name>main.ldapRealm</name>
>         <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.userDnTemplate</name>
>         <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.contextFactory.url</name>
>         <value>ldap://localhost:33389</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>         <value>simple</value>
>     </param>
>     <param>
>         <name>urls./**</name>
>         <value>authcBasic</value>
>     </param>
> </provider>
> This allows a configurable userDnTemplate to infer the bindDN based on the authenticating user name.
> However, in enterprise use cases, it is not always possible to infer the bindDN based on the authenticating username using a template like this.
> We have to do a search in the directory based on the userName mapped to a configurable attribute name to find the userDN. This means we should add at least one additional configuration parameter, such as
> userSearchTemplate.
> An example value for userSearchTemplate:
> (&(uid={0})(objectclass=inetorgperson))
> The BaseDN for the search can be specified as part of
> contextFactory.url



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
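The search-then-bind flow the quoted issue proposes, written as a Shiro realm subclass. This is an added example, not Knox's or Shiro's own implementation; the class name and the userSearchBase / userSearchTemplate properties are assumed, and it relies on JndiLdapRealm's existing getUserDn / getContextFactory hooks.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapUtils;

// Hypothetical realm: finds the user's DN by a directory search instead of
// userDnTemplate; JndiLdapRealm then binds as that DN with the user's password.
public class SearchingLdapRealm extends JndiLdapRealm {
    // Assumed topology params: main.ldapRealm.userSearchBase / .userSearchTemplate
    private String userSearchBase = "";   // "" = search from the base DN in contextFactory.url
    private String userSearchTemplate;    // e.g. (&(uid={0})(objectclass=inetorgperson))

    public void setUserSearchBase(String base) { this.userSearchBase = base; }
    public void setUserSearchTemplate(String t) { this.userSearchTemplate = t; }

    @Override
    protected String getUserDn(String principal) {
        if (userSearchTemplate == null) {
            return super.getUserDn(principal);   // no template: keep userDnTemplate behaviour
        }
        LdapContext ctx = null;
        try {
            // Search as the configured system account, never as the unauthenticated user.
            ctx = getContextFactory().getSystemLdapContext();
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // only the entry DN is needed
            // Passing the name as a filter argument makes JNDI escape it (RFC 4515),
            // so a name containing "*" or ")" cannot rewrite the filter.
            NamingEnumeration<SearchResult> hits =
                    ctx.search(userSearchBase, userSearchTemplate, new Object[] {principal}, sc);
            if (!hits.hasMore()) {
                throw new AuthenticationException("no directory entry for " + principal);
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {   // more than one match: refuse rather than guess
                throw new AuthenticationException("ambiguous search for " + principal);
            }
            return dn;
        } catch (NamingException e) {
            throw new AuthenticationException("user search failed", e);
        } finally {
            LdapUtils.closeContext(ctx);
        }
    }
}
```

With main.ldapRealm pointing at this class, main.ldapRealm.userSearchTemplate and main.ldapRealm.userSearchBase are injected the same way main.ldapRealm.userDnTemplate is in the topology above; the system context additionally needs contextFactory.systemUsername and contextFactory.systemPassword for the service account that performs the search.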