You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Arpan Rajani (JIRA)" <ji...@apache.org> on 2016/08/16 10:15:20 UTC

[jira] [Updated] (KNOX-735) Knox doesn't work with ldaps protocol

     [ https://issues.apache.org/jira/browse/KNOX-735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arpan Rajani updated KNOX-735:
------------------------------
    Description: 
When in the topology we place ssl authcBasic or authcBasic along with the 
context factory using ldaps protocol we are unable to get Knox working. 
When we try using Knox with curl Knox generates HTTP Error 503. 
{code}
curl -i -k -u ad_user:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
{code}

Corresponding logs from Knox gateway are :

{code}
2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'ad_user' through LDAP
2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie (SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 14-Aug-2016 17:12:41 GMT]
2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication required: sending 401 Authentication challenge response.
2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  401 handled=true
{code}

The configuration we are using for Knox topology related to authencation are following 
{code}
  <param>
            <name>urls./**</name>
            <value>ssl authcBasic</value>
           <!-- Also tried with authcBasic -->
           <!-- change this to authBasic with ldap and port to 389 it works-->
         </param>

         <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldaps://ldapURL:636</value>
            <!-- Switch this URL to use ldap and change port to 389 it works -->
         </param>
{code}

I see this as a threat to IT systems which need to adhere certain  compliance. 

  was:
When in the topology we place ssl authcBasic or authcBasic along with the 
context factory using ldaps protocol we are unable to get Knox working. 
When we try using Knox with curl Knox generates HTTP Error 503. 
{code}
curl -i -k -u ad_user:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
{code}

Corresponding logs from Knox gateway are :

{code}
2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'ad_user' through LDAP
2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie (SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 14-Aug-2016 17:12:41 GMT]
2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication required: sending 401 Authentication challenge response.
2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  401 handled=true
{code}

The configuration we are using for Knox topology related to authencation are following 
{code}
  <param>
            <name>urls./**</name>
            <value>ssl authcBasic</value>
           <!-- Also tried with authcBasic -->
           <!-- change this to authBasic with ldap and port to 389 it works-->
         </param>

         <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldaps://ldapURL636</value>
            <!-- Switch this URL to use ldap and change port to 389 it works -->
         </param>
{code}

I see this as a threat to IT systems which need to adhere certain  compliance. 


> Knox doesn't work with ldaps protocol
> -------------------------------------
>
>                 Key: KNOX-735
>                 URL: https://issues.apache.org/jira/browse/KNOX-735
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: ClientDSL, Site
>    Affects Versions: 0.6.0
>         Environment: RHEL : Oracle Linux Server release 6.7
> Curl Version : 7.19.7
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
>            Reporter: Arpan Rajani
>              Labels: security
>
> When in the topology we place ssl authcBasic or authcBasic along with the 
> context factory using ldaps protocol we are unable to get Knox working. 
> When we try using Knox with curl Knox generates HTTP Error 503. 
> {code}
> curl -i -k -u ad_user:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
> {code}
> Corresponding logs from Knox gateway are :
> {code}
> 2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'ad_user' through LDAP
> 2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
> 2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie (SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 14-Aug-2016 17:12:41 GMT]
> 2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication required: sending 401 Authentication challenge response.
> 2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  401 handled=true
> {code}
> The configuration we are using for Knox topology related to authencation are following 
> {code}
>   <param>
>             <name>urls./**</name>
>             <value>ssl authcBasic</value>
>            <!-- Also tried with authcBasic -->
>            <!-- change this to authBasic with ldap and port to 389 it works-->
>          </param>
>          <param>
>             <name>main.ldapRealm.contextFactory.url</name>
>             <value>ldaps://ldapURL:636</value>
>             <!-- Switch this URL to use ldap and change port to 389 it works -->
>          </param>
> {code}
> I see this as a threat to IT systems which need to adhere certain  compliance. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)