It seems that we all agree that PAM support for Knox is very valuable to have. Just created the JIRA: https://issues.apache.org/jira/browse/KNOX-568
Jeff, please upload the design and patch for the Knox community to review. Please make sure to add unit tests.

Regards,
Tanping

On Tue, Jul 14, 2015 at 10:13 PM, Tanping Wang <[email protected]> wrote:
> Hi, Kevin,
>
> The PAM module implementation request was customer driven. We had customer requests on using LDAP with nested OU. We also had requests from the field that they do not want Knox authentication to work against LDAP. One of the reasons being that the SSL cert generated by Knox is self-signed and we are having issues, for example, with the weak DH cipher key problems starting on Firefox. So our thought was that if this is just for demo purposes anyway, we could just use the base OS to authenticate once the PAM module is supported. With the PAM module implementation, we can have both:
> 1) LDAP nested OU support
> 2) Simple authentication based on base Unix.
>
> Kevin, to answer your question: I think we are good for now without setting up credentials directly in the topology files for demo purposes. Would like to hear your opinions too.
>
> Regards,
> Tanping
>
> On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <[email protected]> wrote:
>
>> Hi,
>>
>> We would be very interested in a PAM module for Knox. Did some quick searching and found this: https://github.com/plaflamme/shiro-libpam4j
>>
>> We have done some experimentation with very simple demo setups with credentials directly in topology files but decided against promoting it. If this were something you were interested in I could re-figure this out.
>>
>> We've also been looking into buji-pac4j for several other authentication models (e.g. OAuth, CAS, OpenID, SAML, etc). The limiting issue is that they aren't really targeting active profile REST API use as far as we have been able to determine.
>>
>> Kevin.
>>
>> On 7/14/15, 3:09 PM, "Tanping Wang" <[email protected]> wrote:
>>
>>> Hi, folks,
>>>
>>> Today Knox cannot work without LDAP. For demo purposes we would like to demonstrate that Knox can work with simple authentication, for example, base Unix OS authentication. I believe this is not possible today? Please correct me if I am wrong. We are working on adding a PAM module to Knox's shiro framework, so that Knox can
>>> 1) authenticate against base Unix OS -- for demo purposes only
>>> 2) more importantly, nested OU would work for LDAP.
>>>
>>> Regards,
>>> Tanping
