Posted to dev@knox.apache.org by "Kevin Minder (JIRA)" <ji...@apache.org> on 2016/03/16 21:53:33 UTC

[jira] [Updated] (KNOX-694) Enhance LDAP user search configurability

     [ https://issues.apache.org/jira/browse/KNOX-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Minder updated KNOX-694:
------------------------------
    Description: 
In very complex organizations the current configuration supported by KnoxLdapRealm may not be sufficient.  Ideally it would be possible to:
1. Configure the LDAP search filter directly
2. Configure the LDAP search scope
3. Have portions of the search base and filter be derived from the input principal.
To clarify this, I'm thinking of provider configurations like these:

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userDnTemplate" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
<param name="main.ldapRealm.userSearchAttributeTemplate" value="{2}"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qe,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchFilter" value="(&amp;(objectclass=person)(sAMAccountName={2}))"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qe,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchFilter" value="(&amp;(objectclass=person)(sAMAccountName={2}))"/>
<param name="main.ldapRealm.userSearchScope" value="onelevel"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchScope" value="object"/>
{code}


  was:
In very complex organizations the current configuration supported by KnoxLdapRealm may not be sufficient.  Ideally it would be possible to:
1. Configure the LDAP search filter directly
2. Configure the LDAP search scope
3. Have portions of the search base and filter be derived from the input principal.
To clarify this, I'm thinking of provider configurations like these:
{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userDnTemplate" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
<param name="main.ldapRealm.userSearchAttributeTemplate" value="{2}"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qe,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchFilter" value="(&amp;(objectclass=person)(sAMAccountName={2}))"/>
{code}

{code}
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchScope" value="object"/>
{code}



> Enhance LDAP user search configurability
> ----------------------------------------
>
>                 Key: KNOX-694
>                 URL: https://issues.apache.org/jira/browse/KNOX-694
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.8.0
>            Reporter: Kevin Minder
>             Fix For: Future
>
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
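The following is an added, constructed model of the parameter scheme proposed in the description above (principalRegex capture groups substituted into userDnTemplate, userSearchBase, userSearchFilter and userSearchAttributeTemplate, plus userSearchScope); it is not Knox's own KnoxLdapRealm code. Because the substituted values come from the login principal, the model escapes them per RFC 4514 (DN) and RFC 4515 (filter) before interpolation, which is the check a reviewer would want any implementation of this feature to include; the {0} whole-match placeholder and the "subtree" default scope are assumptions.

```python
import re

# Constructed model of the KNOX-694 principalRegex / {n} template scheme; not
# Knox code. Assumed: {0} is the whole match, {1}, {2}, ... the capture groups.
# Group values are escaped so a crafted principal cannot alter DN/filter syntax.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIALS = ',+"\\<>;'
_SCOPES = {"object", "onelevel", "subtree"}


def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that are special in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape DN-significant chars, edge spaces and a leading '#'."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out


def _expand(template: str, groups: dict, escape) -> str:
    """Replace {n} with the escaped group n; a KeyError means the regex lacks group n."""
    return re.sub(r"\{(\d+)\}", lambda m: escape(groups[int(m.group(1))]), template)


def resolve_user_search(principal: str, cfg: dict) -> dict:
    """Derive DN / search base / filter / scope for one principal from realm params."""
    m = re.fullmatch(cfg.get("principalRegex", "(.*)"), principal)
    if m is None:
        raise ValueError("principal does not match principalRegex")
    groups = {0: m.group(0), **dict(enumerate(m.groups(""), 1))}
    scope = cfg.get("userSearchScope", "subtree")
    if scope not in _SCOPES:
        raise ValueError(f"unsupported userSearchScope: {scope}")
    out = {"scope": scope}
    if "userDnTemplate" in cfg:
        out["dn"] = _expand(cfg["userDnTemplate"], groups, escape_dn_value)
    if "userSearchBase" in cfg:
        out["base"] = _expand(cfg["userSearchBase"], groups, escape_dn_value)
    if "userSearchFilter" in cfg:
        out["filter"] = _expand(cfg["userSearchFilter"], groups, escape_filter_value)
    elif "userSearchAttributeName" in cfg:  # attribute/template form of the search
        value = _expand(cfg.get("userSearchAttributeTemplate", "{0}"), groups, escape_filter_value)
        out["filter"] = f"({cfg['userSearchAttributeName']}={value})"
    return out
```

With the third configuration from the description, a principal such as `qa\jdoe` yields base `CN=qa,DC=qe,DC=company,DC=com` and filter `(&(objectclass=person)(sAMAccountName=jdoe))`, while filter metacharacters in the principal come out hex-escaped instead of changing the query.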