[ 
https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241036#comment-15241036
 ] 

Larry McCay commented on KNOX-537:
----------------------------------

Hi [~hkropp] - that's great news!
I think that your request for logging the roles is more than reasonable.

Would you happen to be in the position to document or describe what 
configuration needs to be done outside of the topology?
Is there PAM-specific config that is needed?

I've been trying to figure out how to go about testing this myself for quite a 
while and, without even a context to start from, it keeps falling away in terms 
of priority. I keep meaning to try and spin up a VM with a proper environment 
to try it.

If we can get this patch properly documented and some unit tests in place then 
a follow-up to add the roles logging could be easily done.

v0.9.0 is about ready to be released but we may be able to focus on PAM and 
related use cases in a follow-up 0.9.1.

> Linux PAM Authentication Provider
> ---------------------------------
>
>                 Key: KNOX-537
>                 URL: https://issues.apache.org/jira/browse/KNOX-537
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>              Labels: knox, pam
>             Fix For: Future
>
>         Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> OS level PAM security provides a great interface for authentication and 
> authorization.  For example, sssd provides support for managing Active 
> Directory nested OUs by adjusting ldap_group_nesting_level = 5.  Knox 
> configuration is configured to interact with LDAP directly, but this has two 
> shortcomings.   First, high volume traffic is likely to make too many 
> queries to AD without a cache.  Second, complex logic of LDAP queries cannot 
> map correctly to UserDnTemplate without adding more LDAP-specific logic into 
> JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to outsource complex OS to AD interaction to 
> sssd.  It is possible to implement a Shiro PAM plugin to reduce the complex 
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is at least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license 
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
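The quoted description proposes a Shiro realm that delegates password checking to the OS PAM stack through libpam4j, and the comment above asks for the roles (PAM groups) to be logged. The realm below is an added illustration of that design; it is not Knox's code, not the attached patch and not the plaflamme/shiro-libpam4j project. It assumes the libpam4j 1.4 API (`PAM`, `PAM.authenticate`, `UnixUser.getGroups`, `PAM.dispose`) and Shiro's `AuthorizingRealm`. The PAM service name `knox` is a hypothetical default: the configuration that lives outside the topology is a matching `/etc/pam.d/knox` file (PAM selects the module stack by that service name), plus whatever that stack needs at runtime, for example access to the sssd socket or to the `unix_chkpwd` helper for `pam_unix`.

```java
import java.util.Collections;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Illustrative Shiro realm that authenticates against the OS PAM stack via
 * libpam4j and exposes the user's PAM/OS groups as Shiro roles.
 * Example code, not part of Knox or of the patch on this issue.
 */
public class PamRealm extends AuthorizingRealm {

    private static final Logger LOG = LoggerFactory.getLogger(PamRealm.class);

    // Hypothetical default; maps to /etc/pam.d/<service>. Make it configurable.
    private String service = "knox";

    public PamRealm() {
        // PAM has already verified the password, so Shiro must not re-compare it.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        // Cache group lookups so high-volume traffic does not hit sssd/AD per request.
        setAuthorizationCachingEnabled(true);
    }

    public void setService(String service) {
        this.service = service;
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();
        if (username == null || username.isEmpty() || password == null) {
            throw new AuthenticationException("username and password are required");
        }

        PAM pam = null;
        try {
            pam = new PAM(service);
            // libpam4j runs the service's module stack (pam_unix, pam_sss, ...)
            UnixUser user = pam.authenticate(username, new String(password));

            // Keep the username as the primary principal (what callers expect) and
            // carry the UnixUser alongside so authorization can read its groups.
            SimplePrincipalCollection principals =
                    new SimplePrincipalCollection(username, getName());
            principals.add(user, getName());
            LOG.debug("PAM authentication succeeded for user {} via service {}",
                      username, service);
            return new SimpleAuthenticationInfo(principals, password);
        } catch (PAMException e) {
            // Log the outcome, never the password.
            LOG.warn("PAM authentication failed for user {} via service {}",
                     username, service);
            throw new AuthenticationException("PAM authentication failed", e);
        } finally {
            if (pam != null) {
                pam.dispose();
            }
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UnixUser user = principals.oneByType(UnixUser.class);
        Set<String> groups = user == null ? Collections.<String>emptySet()
                                          : user.getGroups();
        // The roles logging requested in the comment: one line per resolved user.
        LOG.info("PAM roles for user {}: {}", principals.getPrimaryPrincipal(), groups);
        return new SimpleAuthorizationInfo(groups);
    }
}
```

Wiring it in looks like any other Shiro realm (`realm = PamRealm`, `realm.service = knox` in a shiro.ini-style configuration), and the authorization cache means a group change in AD is only picked up after the cached entry expires or is evicted, which is the trade-off the description accepts in exchange for fewer queries.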



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
