Hi, Kevin,

The PAM module implementation request was customer driven. We had customer requests on using LDAP with nested OUs. We also had requests from the field that they do not want Knox authentication to work against LDAP. One of the reasons being that the SSL cert generated by Knox is self-signed and we are having issues, for example, with the weak DH cipher key problem starting with Firefox. So our thought was that if this is just for demo purposes anyway, we could just use the base OS to authenticate once the PAM module is supported. With the PAM module implementation, we can have both:

1) LDAP nested OU support
2) Simple authentication based on the base Unix OS

Kevin, to answer your question: I think we are good for now without setting up credentials directly in the topology files for demo purposes. Would like to hear your opinions too.

Regards,
Tanping

On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <[email protected]> wrote:
> Hi,
>
> We would be very interested in a PAM module for Knox. Did some quick
> searching and found this: https://github.com/plaflamme/shiro-libpam4j
>
> We have done some experimentation with very simple demo setups with
> credentials directly in topology files but decided against promoting it.
> If this were something you were interested in I could re-figure this out.
>
> We've also been looking into buji-pac4j for several other authentication
> models (e.g. OAuth, CAS, OpenID, SAML, etc). The limiting issue is that
> they aren't really targeting active profile REST API use as far as we
> have been able to determine.
>
> Kevin.
>
>
>
> On 7/14/15, 3:09 PM, "Tanping Wang" <[email protected]> wrote:
>
> >Hi, folks,
> >Today Knox cannot work without LDAP. For demo purposes we would like
> >to demonstrate that Knox can work with simple authentication, for example,
> >base Unix OS authentication. I believe this is not possible today?
> >Please correct me if I am wrong. We are working on adding a PAM module
> >to Knox's Shiro framework, so that Knox can
> >1) authenticate against the base Unix OS -- for demo purposes only
> >2) more importantly, nested OUs would work for LDAP.
> >
> >Regards,
> >Tanping
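As an added illustration of the approach the thread proposes (a PAM-backed realm plugged into Knox's Shiro authentication provider), the following is a minimal Apache Shiro realm that delegates the username/password check to the host's PAM stack through libpam4j. This is example code written for this page; it is not Knox's own code and not the shiro-libpam4j project linked above. It assumes shiro-core and org.jvnet.libpam:libpam4j are on the classpath, that a PAM service named "login" exists on the host, and that the class name, package and the `service` property are placeholders chosen here.

```java
// Added example (not Knox's or shiro-libpam4j's code): a Shiro realm that
// authenticates against the local Unix OS via PAM using libpam4j.
// Assumed: shiro-core + libpam4j on the classpath; PAM service "login" exists.
package example.knox;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

public class PamRealm extends AuthorizingRealm {

    // PAM service name, i.e. /etc/pam.d/<service>. "login" is an assumed
    // default; a deployment would point this at its own service stanza.
    private String service = "login";

    public PamRealm() {
        // PAM already verified the password inside doGetAuthenticationInfo,
        // so Shiro's own credentials comparison must not re-check it.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    public void setService(String service) { this.service = service; }
    public String getService() { return service; }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String user = upt.getUsername();
        char[] pw = upt.getPassword();
        if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
            // Reject empty credentials up front rather than letting PAM
            // decide; some PAM stacks permit blank passwords for demo users.
            throw new AuthenticationException("username and password are required");
        }
        PAM pam = null;
        try {
            pam = new PAM(service);
            // The PAM conversation checks the password against the host's
            // account database (e.g. /etc/shadow). libpam4j wants a String.
            UnixUser unixUser = pam.authenticate(user, new String(pw));
            // The UnixUser (uid, gid, groups) becomes the Shiro principal.
            return new SimpleAuthenticationInfo(unixUser, pw, getName());
        } catch (PAMException e) {
            // Map every PAM failure to one generic message: distinguishing
            // "no such user" from "bad password" is a user-enumeration oracle.
            throw new AuthenticationException("PAM authentication failed", e);
        } finally {
            if (pam != null) {
                pam.dispose();
            }
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UnixUser unixUser = (UnixUser) principals.getPrimaryPrincipal();
        // Unix group names are exposed as Shiro roles, so a topology can do
        // role checks against local groups without any LDAP lookup.
        return new SimpleAuthorizationInfo(unixUser.getGroups());
    }
}
```

Because the realm hands the cleartext password to PAM, the gateway process needs permission to run the PAM conversation (typically read access to the shadow database, or a service stanza that uses a helper such as unix_chkpwd); that is an operational requirement of this approach, not something the code can avoid. Wiring it into a Knox topology would follow the same `main.<realm>=<class>` / `main.<realm>.<property>=<value>` pattern Knox already uses for its LDAP realm parameters; the exact parameter names for a PAM realm are not given in the thread and are left out here.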
