[ https://issues.apache.org/jira/browse/KNOX-242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on KNOX-242 started by Dilli Arumugam.

> knox needs to support basedn, search attribute based LDAP authentication
> -------------------------------------------------------------------------
>
>                 Key: KNOX-242
>                 URL: https://issues.apache.org/jira/browse/KNOX-242
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Dilli Arumugam
>            Assignee: Dilli Arumugam
>
> To set the context, here is the authentication provider specification in a
> Knox topology file:
>
>     <provider>
>         <role>authentication</role>
>         <enabled>true</enabled>
>         <name>ShiroProvider</name>
>         <param>
>             <name>main.ldapRealm</name>
>             <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.userDnTemplate</name>
>             <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.contextFactory.url</name>
>             <value>ldap://localhost:33389</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>             <value>simple</value>
>         </param>
>         <param>
>             <name>urls./**</name>
>             <value>authcBasic</value>
>         </param>
>     </provider>
>
> This allows a configurable userDnTemplate to infer the bindDN based on the
> authenticating user name.
>
> However, in enterprise use cases, it is not always possible to infer the bindDN
> based on the authenticating username using a template like this.
>
> We have to do a search in the directory based on the userName mapped to a
> configurable attribute name to find the userDN. This means we should add
> at least one additional configuration parameter such as
> userSearchTemplate.
>
> An example value for userSearchTemplate:
>
>     (&(uid={0})(objectclass=inetorgperson))
>
> BaseDN for search can be specified as part of contextFactory.url

--
This message was sent by Atlassian JIRA
(v6.2#6252)
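As an added example (not Knox's or Shiro's code, and not part of the issue above), here is a small Python model of the search-then-bind flow the issue proposes: the base DN is read from the path of contextFactory.url in RFC 4516 LDAP URL form (the `ldap://localhost:33389/dc=hadoop,dc=apache,dc=org` value, the sample entries and the `escape=False` switch are assumptions for illustration), `{0}` in userSearchTemplate is replaced with the login name escaped per RFC 4515, the filter is evaluated against a constructed in-memory directory, and the single matching DN is the one that would then be used as the bindDN.

```python
"""Search-then-bind lookup for a userSearchTemplate (illustrative model)."""
import re
from urllib.parse import urlsplit, unquote

# Assumed values: base DN carried in the LDAP URL path, filter from the issue.
BASE_URL = "ldap://localhost:33389/dc=hadoop,dc=apache,dc=org"
SEARCH_TEMPLATE = "(&(uid={0})(objectclass=inetorgperson))"

# Constructed sample entries standing in for the LDAP server (not real data).
DIRECTORY = [
    {"dn": "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org",
     "uid": ["guest"], "objectclass": ["inetorgperson"]},
    {"dn": "cn=Sam Admin,ou=staff,dc=hadoop,dc=apache,dc=org",
     "uid": ["sam"], "objectclass": ["inetorgperson"]},
    {"dn": "cn=svc-knox,ou=services,dc=hadoop,dc=apache,dc=org",
     "uid": ["svc-knox"], "objectclass": ["applicationprocess"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed in a filter: \\ * ( ) NUL and
    non-ASCII bytes become \\xx, so the login name cannot alter filter structure."""
    out = bytearray()
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b > 0x7F:
            out += b"\\%02x" % b
        else:
            out.append(b)
    return out.decode("ascii")


def unescape_filter_value(raw):
    """Inverse of escape_filter_value, used when evaluating a parsed filter."""
    data = re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw.encode("utf-8"))
    return data.decode("utf-8")


def render_search_template(template, username, escape=True):
    """Substitute {0}; escape=False is the unsafe plain substitution, for comparison."""
    return template.replace("{0}", escape_filter_value(username) if escape else username)


def base_dn_from_url(url):
    """The search base is the path of an RFC 4516 LDAP URL (ldap://host:port/dn)."""
    return unquote(urlsplit(url).path.lstrip("/"))


def parse_filter(text):
    """Minimal RFC 4515 parser: (&...), (|...), (!...), (attr=value).
    A literal * in a value is a wildcard; an escaped \\2a is the character '*'."""
    pos = 0

    def value_regex(raw):
        parts = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
        return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(node())
            if text[pos:pos + 1] != ")":
                raise ValueError("unbalanced filter at %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, raw = text[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), value_regex(raw))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, regex = node
    return any(regex.match(v) for v in entry.get(attr, []))


def search(directory, base_dn, filter_text):
    """Subtree search under base_dn (empty base means the whole directory)."""
    tree = parse_filter(filter_text)
    base = base_dn.lower()
    return [e["dn"] for e in directory
            if (not base or e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(tree, e)]


def find_user_dn(directory, url, template, username):
    """Resolve the DN to bind as. Exactly one hit is required: zero means an
    unknown user, more than one means an ambiguous filter; refuse both."""
    hits = search(directory, base_dn_from_url(url), render_search_template(template, username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(find_user_dn(DIRECTORY, BASE_URL, SEARCH_TEMPLATE, "sam"))
```

Two points the template-only approach does not raise: with a search, `{0}` is user input inside a filter, so it must be escaped (with plain substitution a login name of `*` matches every inetorgperson under the base), and a search can return several entries where a DN template could only ever produce one, so the lookup should insist on exactly one hit before binding.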