Posted to dev@knox.apache.org by "Sergey Balan (JIRA)" <ji...@apache.org> on 2013/11/06 23:24:23 UTC

[jira] [Commented] (KNOX-40) Verify LDAP over SSL

    [ https://issues.apache.org/jira/browse/KNOX-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815378#comment-13815378 ] 

Sergey Balan commented on KNOX-40:
----------------------------------

Status:
In my environment LDAPS over SSL works.

How to set up Knox over SSL:
1. Add the LDAP server's certificate to the Knox CA (see the attached LDAP_cert_to_catrust.cmd as an example):
 keytool -import -trustcacerts -alias CERT_ALIAS -file CERT_FILE_NAME -keystore gateway.jks -storepass YOUR_STORAGE_PASSWORD

2. In sandbox.xml the following changes should be made (you can see an example in the attachment):
- change the "main.ldapRealm.contextFactory.url" parameter value to the following: "ldap://HOST:PORT", where HOST is the LDAP address and PORT is the LDAP secure port
- add a new "main.ldapRealm.contextFactory.environment[java.naming.security.protocol]" parameter with the value "ssl".

Known limitations:
1. If Knox and the LDAP server run on the same host, then the LDAP URL should have the following format: ldap://localhost:port. You can't use your host IP.
2. Be sure that your Apache DS contains the following fix: https://issues.apache.org/jira/browse/DIRSTUDIO-848

> Verify LDAP over SSL
> --------------------
>
>                 Key: KNOX-40
>                 URL: https://issues.apache.org/jira/browse/KNOX-40
>             Project: Apache Knox
>          Issue Type: Test
>          Components: Server
>    Affects Versions: 0.2.0
>            Reporter: Kevin Minder
>            Assignee: Sergey Balan
>             Fix For: 0.3.0
>
>         Attachments: LDAP_cert_to_catrust.cmd, sandbox.xml, users.ldif
>
>
> From BUG-4318
> Verify configuration where LDAP authentication occurs over SSL.  Currently in our 0.1.0 milestone we use ApacheDS to set up an LDAP endpoint.  We use this for authentication, but to do that we need to propagate the password collected via an HTTP Basic Auth challenge.  Right now communication with LDAP (i.e. ApacheDS) is done over a non-secure transport.  For this task we need to figure out how to set up ApacheDS to use SSL and then ensure that the gateway can communicate with it over SSL.  The ApacheDS we are using can be found in the gateway-test-ldap module.  We are using Apache Shiro to perform the authentication.  This can be found in the gateway-provider-security-shiro module.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
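The two configurations side by side, as an added illustration of the procedure in the comment above; this is not the attached sandbox.xml nor code from the Knox project. It assumes a Shiro authentication provider in a Knox topology file, a JndiLdapRealm, a hypothetical LDAP host ldap.example.org listening on the conventional secure port 636, and a hypothetical user DN template; only the two parameter names and the "ssl" value come from the page. The first provider is the plaintext setup the issue describes (the Basic Auth password travels to the directory unencrypted); the second is the same provider after steps 1 and 2 of the comment.

```xml
<!-- BEFORE: plaintext LDAP. The password collected from the HTTP Basic Auth
     challenge is forwarded to the directory over a non-secure transport. -->
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
    </param>
    <param>
        <!-- assumed DN template, not from the page -->
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=example,dc=org</value>
    </param>
    <param>
        <!-- assumed host; 389 is the conventional plaintext LDAP port -->
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://ldap.example.org:389</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>

<!-- AFTER: LDAP over SSL, following the comment's two steps.
     Step 1 (done outside this file, before the gateway starts): import the
     directory's certificate into the gateway trust store so the TLS handshake
     can be validated, e.g.
       keytool -import -trustcacerts -alias ldap-server -file ldap-server.crt \
               -keystore gateway.jks -storepass YOUR_STORAGE_PASSWORD
     Step 2: point the realm at the secure port and set the JNDI security
     protocol to ssl. Note the URL scheme stays ldap://, as in the comment; the
     "ssl" value of java.naming.security.protocol is what makes JNDI wrap the
     connection in TLS. -->
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
    </param>
    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=example,dc=org</value>
    </param>
    <param>
        <!-- assumed host; 636 is the conventional LDAP secure port.
             Per the comment's limitation 1: if the directory runs on the
             same host as Knox, use ldap://localhost:636 here, not the host IP. -->
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://ldap.example.org:636</value>
    </param>
    <param>
        <!-- the parameter added in step 2 of the comment -->
        <name>main.ldapRealm.contextFactory.environment[java.naming.security.protocol]</name>
        <value>ssl</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>
```

The check a practitioner wants after step 1 is that the alias actually landed in the trust store the gateway reads: `keytool -list -keystore gateway.jks -storepass YOUR_STORAGE_PASSWORD | grep ldap-server` should show a trustedCertEntry. If the directory presents a certificate whose subject or SAN does not match the host in the URL, the JNDI handshake fails even with the certificate trusted, which is the practical reason behind the comment's localhost limitation when both services share a host.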