[
https://issues.apache.org/jira/browse/KNOX-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15199495#comment-15199495
]
Kevin Minder commented on KNOX-694:
-----------------------------------
Order of config is not important other than getting the regex groups and the
template params to match up at request time. What does matter is precedence if
more than one "style" of config is present. For example userSearchFilter will
override userSearchAttributeName/userSearchAttributeTemplate if present. This
needs to be clearly documented somehow and we already have doc issues in this
area. As you say this is on the complex side but I believe this will only be
used in complex situations.
> Enhance LDAP user search configurability
> ----------------------------------------
>
> Key: KNOX-694
> URL: https://issues.apache.org/jira/browse/KNOX-694
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.8.0
> Reporter: Kevin Minder
> Assignee: Kevin Minder
> Fix For: Future
>
> Attachments: KNOX-694_001.patch
>
>
> In very complex organizations the current configuration supported by
> KnoxLdapRealm may not be sufficient. Ideally it would be possible to:
> 1. Configure the LDAP search filter directly
> 2. Configure the LDAP search scope
> 3. Have portions of the search base and filter be derived from the input
> principal.
> To clarify this, I'm thinking of provider configurations like these
> {code}
> <param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
> <param name="main.ldapRealm.userDnTemplate"
> value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
> {code}
> {code}
> <param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
> <param name="main.ldapRealm.userSearchBase"
> value="CN={1},DC=qa,DC=company,DC=com"/>
> <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
> <param name="main.ldapRealm.userSearchAttributeTemplate" value="{2}"/>
> {code}
> {code}
> <param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
> <param name="main.ldapRealm.userSearchBase"
> value="CN={1},DC=qe,DC=company,DC=com"/>
> <param name="main.ldapRealm.userSearchFilter"
> value="(&(objectclass=person)(sAMAccountName={2}))"/>
> {code}
> {code}
> <param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
> <param name="main.ldapRealm.userSearchBase"
> value="CN={1},DC=qe,DC=company,DC=com"/>
> <param name="main.ldapRealm.userSearchFilter"
> value="(&(objectclass=person)(sAMAccountName={2}))"/>
> <param name="main.ldapRealm.userSearchScope" value="onelevel"/>
> {code}
> {code}
> <param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
> <param name="main.ldapRealm.userSearchBase"
> value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
> <param name="main.ldapRealm.userSearchScope" value="object"/>
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
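The regex-group/template substitution and the precedence described in the comment (userSearchFilter overriding userSearchAttributeName/userSearchAttributeTemplate), modelled in Python as an added example that is not Knox's own code. It assumes that search mode applies whenever userSearchBase is set and userDnTemplate otherwise, a subtree default scope, uid as the default search attribute, and it escapes every substituted group per RFC 4514 (DNs) and RFC 4515 (filters) so a principal cannot alter the structure of the generated DN or filter.

```python
import re
from typing import Callable, Dict, List

# Added example modelling the KNOX-694 proposal; not the KnoxLdapRealm
# implementation. Parameter names are from the issue; defaults and the
# escaping helpers are assumptions.

def escape_filter(value: str) -> str:
    # RFC 4515: hex-escape characters that would change filter structure.
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def escape_dn(value: str) -> str:
    # RFC 4514: backslash-escape characters that would change DN structure.
    return ''.join('\\' + c if c in ',+"\\<>;' else c for c in value)

def expand(template: str, groups: List[str], escape: Callable[[str], str]) -> str:
    """Replace every {n} with regex group n (1-based), escaped for its context."""
    def sub(m: re.Match) -> str:
        n = int(m.group(1))
        if not 1 <= n <= len(groups):
            raise ValueError(f'template uses {{{n}}} but the regex has {len(groups)} groups')
        return escape(groups[n - 1])
    return re.sub(r'\{(\d+)\}', sub, template)

def resolve_user(params: Dict[str, str], principal: str) -> Dict[str, str]:
    """Apply principalRegex to the principal, then build either a bind DN
    (userDnTemplate) or a search (base, scope, filter) from the templates."""
    p = lambda k: params.get('main.ldapRealm.' + k)
    m = re.fullmatch(p('principalRegex') or '(.*)', principal)
    if not m:
        raise ValueError('principal does not match principalRegex')
    groups = list(m.groups())
    if not p('userSearchBase'):  # assumed: no search base -> DN template mode
        return {'mode': 'dn', 'dn': expand(p('userDnTemplate') or 'uid={1}', groups, escape_dn)}
    result = {'mode': 'search',
              'base': expand(p('userSearchBase'), groups, escape_dn),
              'scope': p('userSearchScope') or 'subtree'}  # assumed default
    if p('userSearchFilter'):
        # Explicit filter wins over attribute name/template, as the comment states.
        result['filter'] = expand(p('userSearchFilter'), groups, escape_filter)
    else:
        attr = p('userSearchAttributeName') or 'uid'  # assumed default
        value = expand(p('userSearchAttributeTemplate') or '{1}', groups, escape_filter)
        result['filter'] = f'({attr}={value})'
    return result

if __name__ == '__main__':
    cfg = {'main.ldapRealm.principalRegex': r'(.*?)\\(.*)',
           'main.ldapRealm.userSearchBase': 'CN={1},DC=qe,DC=company,DC=com',
           'main.ldapRealm.userSearchFilter': '(&(objectclass=person)(sAMAccountName={2}))'}
    print(resolve_user(cfg, 'qe\\bob'))  # constructed principal
```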