[ https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henning Kropp updated KNOX-537:
-------------------------------
Attachment: KNOX-537
[~lmccay], sorry for letting this slip also.
I took the patch from [~jeffreyr97] and made the following changes:
1. Added an interactive test in {{KnoxPamRealmTest.java}} similar to what can
be found here:
[InteractiveTester.java|https://github.com/kohsuke/libpam4j/blob/master/src/test/java/org/jvnet/libpam/InteractiveTester.java]
2. I removed the config files in {{gateway-release/home/conf/}} because, for me,
the main reason to use PAM is to stay out of the business of having to
configure your own authentication method and instead reuse what is configured on
the system under {{/etc/pam.d/}}.
3. {{doGetAuthorizationInfo}} was changed to put the roles of a user
correctly into its current session. Without this, authorization does not work
correctly. It is implemented in exactly the same way as the
{{KnoxLdapRealm.rolesFor}} method.
The implementation provided here has been tested on existing installations, but
I would feel a bit more comfortable if there were a test for the
{{doGetAuthorizationInfo}} method as well.
Let me know if I can help documenting this on the web page and how.
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Labels: knox, pam
> Fix For: 0.10.0
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch,
> KNOX-537.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS-level PAM security provides a great interface for authentication and
> authorization. For example, sssd provides support for managing Active
> Directory nested OUs by adjusting ldap_group_nesting_level = 5. Knox is
> configured to interact with LDAP directly, but this has two
> shortcomings. First, high-volume traffic is likely to make too many
> queries to AD without a cache. Second, complex LDAP query logic cannot
> map correctly to UserDnTemplate without adding more LDAP-specific logic into
> the JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to outsource the complex OS-to-AD interaction to
> sssd. It is possible to implement a Shiro PAM plugin to reduce the complex
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is at least a start for this here:
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
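The following is an added illustration of the realm shape discussed in this issue (a Shiro realm that delegates to the host's PAM stack via libpam4j and fills authorization from the Unix groups PAM returns). It is not the attached KNOX-537 patch and not Knox's own {{KnoxPamRealm}}; it only assumes the public libpam4j API ({{org.jvnet.libpam.PAM}}, {{UnixUser}}) and Apache Shiro's {{AuthorizingRealm}}. The PAM service name {{knox}}, the class name {{PamRealmExample}} and the session attribute name {{subject.userGroups}} are assumptions chosen for the example.

```java
// Added example, not Knox project code. Assumes libpam4j and Apache Shiro on the
// classpath. The PAM service name "knox" is an assumption: it resolves to
// /etc/pam.d/knox on the host, which is where the actual auth/account stack
// (pam_sss, pam_unix, ...) is configured, so the realm itself carries no LDAP logic.
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

public class PamRealmExample extends AuthorizingRealm {

    // Session attribute under which the user's groups are exposed (assumed name).
    static final String SESSION_GROUPS_ATTR = "subject.userGroups";

    private String service = "knox"; // /etc/pam.d/knox, assumed to exist

    public PamRealmExample() {
        // PAM has already verified the password, so Shiro must not try to
        // re-compare credentials; the info below carries no password copy.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    public void setService(String service) { this.service = service; }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        if (up.getUsername() == null || up.getPassword() == null) {
            throw new AuthenticationException("username and password are required");
        }
        PAM pam = null;
        try {
            pam = new PAM(service);
            // Runs the auth and account stacks of /etc/pam.d/<service>. With
            // pam_sss the returned group list is whatever sssd resolved, nested
            // AD groups included, so nothing LDAP-specific is needed here.
            UnixUser user = pam.authenticate(up.getUsername(), new String(up.getPassword()));
            // Keep the UnixUser as the principal so authorization can read its
            // groups without a second PAM round-trip.
            return new SimpleAuthenticationInfo(user, null, getName());
        } catch (PAMException e) {
            // Single generic failure: do not reveal whether user or password was wrong.
            throw new AuthenticationException("PAM authentication failed for " + up.getUsername(), e);
        } finally {
            if (pam != null) {
                pam.dispose();
            }
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UnixUser user = principals.oneByType(UnixUser.class);
        Set<String> roles = new LinkedHashSet<>();
        if (user != null) {
            roles.addAll(user.getGroups()); // Unix/sssd group names become Shiro roles
        }
        // Also publish the groups on the current session, which is the step
        // the comment above identifies as required for authorization to work.
        SecurityUtils.getSubject().getSession().setAttribute(SESSION_GROUPS_ATTR, roles);
        return new SimpleAuthorizationInfo(roles);
    }
}
```

Two operational checks worth making before relying on a realm like this: the gateway process must be able to satisfy the stack named in {{/etc/pam.d/<service>}} (for {{pam_unix}} a non-root process goes through the setuid {{unix_chkpwd}} helper, for {{pam_sss}} it needs access to the sssd socket), and the principal stored in the Shiro session must survive whatever session storage Knox uses, so a test of {{doGetAuthorizationInfo}} should assert on the roles returned for a known local user and group rather than only on a successful login.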
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)