Posted to dev@knox.apache.org by "Dilli Arumugam (JIRA)" <ji...@apache.org> on 2014/02/05 06:58:11 UTC
[jira] [Created] (KNOX-242) knox needs to support basedn, search attribute based LDAP authentication
Dilli Arumugam created KNOX-242:
-----------------------------------
Summary: knox needs to support basedn, search attribute based LDAP authentication
Key: KNOX-242
URL: https://issues.apache.org/jira/browse/KNOX-242
Project: Apache Knox
Issue Type: Improvement
Components: Server
Reporter: Dilli Arumugam
To set the context, here is the authentication provider specification in a Knox topology file:
    <provider>
        <role>authentication</role>
        <enabled>true</enabled>
        <name>ShiroProvider</name>
        <param>
            <name>main.ldapRealm</name>
            <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
        </param>
        <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://localhost:33389</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
        </param>
        <param>
            <name>urls./**</name>
            <value>authcBasic</value>
        </param>
    </provider>
This allows a configurable userDnTemplate to infer the bind DN from the authenticating user name.
However, in enterprise use cases it is not always possible to infer the bind DN from the authenticating user name using a template like this.
We have to search the directory, matching the user name against a configurable attribute, to find the user DN. This means we should add at least one additional configuration parameter, such as userSearchTemplate.
An example value for userSearchTemplate:
    (&(uid={0})(objectclass=inetorgperson))
The base DN for the search can be specified as part of contextFactory.url.
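The two lookup modes described in this issue, as an added example that is not Knox or Shiro code: the first infers the bind DN by substituting the user name into userDnTemplate; the second substitutes it into the proposed userSearchTemplate, searches under the base DN taken from the path of contextFactory.url, and binds as the single entry found. The directory is a constructed in-memory stand-in for an LDAP server, and the filter evaluator only understands the equality and flat (&...) shapes the example template uses. Because the substituted value is supplied by whoever is authenticating, both templates escape it for the syntax it lands in (RFC 4514 for DNs, RFC 4515 for filters); that escaping is an assumption of this example, not something the ticket specifies.

```python
"""Added example (not Knox or Shiro code): resolving the DN of an
authenticating user in the two ways discussed in KNOX-242.

Mode 1 substitutes the user name into userDnTemplate to infer the bind DN.
Mode 2 substitutes it into a hypothetical userSearchTemplate, searches the
directory under the base DN taken from contextFactory.url, and binds as the
single entry found.  In both modes the substituted value is user-controlled,
so it is escaped for the syntax it lands in.
"""
import re
from urllib.parse import urlsplit, unquote

# Characters that need a backslash inside a DN attribute value (RFC 4514 s2.4).
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN component such as uid=<value>."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


# Characters that must be hex-escaped in a filter assertion value (RFC 4515 s3).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter such as (uid=<value>)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bind_dn_from_template(user_dn_template: str, username: str) -> str:
    """Mode 1: the bind DN inferred from main.ldapRealm.userDnTemplate."""
    return user_dn_template.replace('{0}', escape_dn_value(username))


def search_filter_from_template(user_search_template: str, username: str) -> str:
    """Mode 2: the filter built from the proposed userSearchTemplate."""
    return user_search_template.replace('{0}', escape_filter_value(username))


def base_dn_from_url(url: str) -> str:
    """Base DN carried in the path of an LDAP URL (RFC 4516), '' if absent."""
    return unquote(urlsplit(url).path.lstrip('/'))


_EQUALITY = re.compile(r'^\(([A-Za-z][\w-]*)=([^()]*)\)$')


def _unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate a filter restricted to equality assertions and flat (&...)
    conjunctions, which is all the example userSearchTemplate needs."""
    if filter_str.startswith('(&') and filter_str.endswith(')'):
        inner = filter_str[2:-1]
        parts = re.findall(r'\([^()]*\)', inner)
        if ''.join(parts) != inner:
            raise ValueError('unsupported filter: ' + filter_str)
        return all(matches(part, entry) for part in parts)
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError('unsupported filter: ' + filter_str)
    attr, wanted = m.group(1).lower(), _unescape_filter_value(m.group(2)).lower()
    return wanted in (v.lower() for v in entry.get(attr, []))


# Constructed in-memory directory standing in for the LDAP server: DN -> attributes.
# 'sam' sits under ou=staff with a cn-based RDN, so no uid={0} template can find that entry.
DIRECTORY = {
    'uid=guest,ou=people,dc=hadoop,dc=apache,dc=org':
        {'uid': ['guest'], 'objectclass': ['inetorgperson']},
    'cn=Sam Admin,ou=staff,dc=hadoop,dc=apache,dc=org':
        {'uid': ['sam'], 'objectclass': ['inetorgperson']},
    'uid=svc,ou=services,dc=hadoop,dc=apache,dc=org':
        {'uid': ['svc'], 'objectclass': ['account']},
}


def find_user_dn(username: str, search_template: str, base_dn: str, directory=DIRECTORY):
    """Mode 2 lookup: the one entry under base_dn matching the filter, else None.
    Zero hits means an unknown user; more than one is ambiguous and must not bind."""
    flt = search_filter_from_template(search_template, username)
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(flt, attrs)]
    return hits[0] if len(hits) == 1 else None


if __name__ == '__main__':
    url = 'ldap://localhost:33389/dc=hadoop,dc=apache,dc=org'
    dn_tpl = 'uid={0},ou=people,dc=hadoop,dc=apache,dc=org'
    search_tpl = '(&(uid={0})(objectclass=inetorgperson))'
    for user in ('guest', 'sam', 'svc', 'sam*)(uid=*'):
        print(user, '->', bind_dn_from_template(dn_tpl, user),
              '|', find_user_dn(user, search_tpl, base_dn_from_url(url)))
```

Running the module shows the difference the ticket is about: the template mode produces a DN for 'sam' that does not exist, while the search mode finds the entry under ou=staff; 'svc' is rejected by the objectclass clause, and a name containing filter metacharacters is matched literally because it was escaped before substitution. find_user_dn also refuses to return a DN when the filter matches more than one entry, which a real implementation should treat as an authentication failure rather than picking the first hit.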