Thanks Tanping, I am happy to see you also agree with that.
Regards,
Jeff
On Tue, Jul 14, 2015 at 10:22 PM, Tanping Wang <[email protected]> wrote:
> It seems that we all agree that PAM support for Knox is very valuable to
> have. Just created the JIRA:
> https://issues.apache.org/jira/browse/KNOX-568
>
> Jeff,
> Please upload the design and patch for the Knox community to review.
> Please make sure to add unit test.
>
> Regards,
> Tanping
>
> On Tue, Jul 14, 2015 at 10:13 PM, Tanping Wang <[email protected]> wrote:
>
> > Hi, Kevin,
> > The PAM module implementation request was customer driven. We had
> > customer requests on using LDAP with nested OU. We also had requests from
> > the field that they do not want Knox authentication to work against
> > LDAP. One of the reasons being that the SSL cert generated by Knox is
> > self-signed and we are having issues, for example, with the weak DH cipher
> > key problems starting on Firefox. So our thought was that if this is just
> > for demo purposes anyway, we could just use the base OS to authenticate once
> > the PAM module is supported. With the PAM module implementation, we can have
> > both:
> > 1) LDAP nested OU support
> > 2) Simple authentication based on base Unix.
> >
> > Kevin, to answer your question: I think we are good for now without setting
> > up credentials directly on the topology files for demo purposes. Would like
> > to hear your opinions too.
> >
> > Regards,
> > Tanping
> >
> > On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <
> > [email protected]> wrote:
> >
> >> Hi,
> >>
> >> We would be very interested in a PAM module for Knox. Did some quick
> >> searching and found this: https://github.com/plaflamme/shiro-libpam4j
> >>
> >> We have done some experimentation with very simple demo setups with
> >> credentials directly in topology files but decided against promoting it.
> >> If this were something you were interested in I could re-figure this out.
> >>
> >> We've also been looking into buji-pac4j for several other authentication
> >> models (e.g. OAuth, CAS, OpenID, SAML, etc). The limiting issue is that
> >> they aren't really targeting active profile REST API use as far as we
> >> have been able to determine.
> >>
> >> Kevin.
> >>
> >>
> >>
> >> On 7/14/15, 3:09 PM, "Tanping Wang" <[email protected]> wrote:
> >>
> >> >Hi, folks,
> >> >Today Knox cannot work without LDAP. For demo purposes, we would like
> >> >to demonstrate that Knox can work with simple authentication, for example,
> >> >base Unix OS authentication. I believe this is not possible today? Please
> >> >correct me if I am wrong. We are working on adding a PAM module to Knox's
> >> >shiro framework, so that Knox can
> >> >1) authenticate against base Unix OS -- for demo purposes only
> >> >2) more importantly, nested OU would work for LDAP.
> >> >
> >> >Regards,
> >> >Tanping
> >>
> >
> >
>