[jira] [Updated] (KNOX-735) Knox doesn't work with ldaps protocol

Tue, 16 Aug 2016 03:17:53 -0700 

     [ 
https://issues.apache.org/jira/browse/KNOX-735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arpan Rajani updated KNOX-735:
------------------------------
    Description: 
When in the topology we place ssl authcBasic or authcBasic along with the 
context factory using ldaps protocol we are unable to get Knox working. 
When we try using Knox with curl Knox generates HTTP Error 503. 
{code}
curl -i -k -u ad_user:P@ssword 
'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
{code}

Corresponding logs from Knox gateway are :

{code}
2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm 
(JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 
'ad_user' through LDAP
2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory 
(JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context 
using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin 
,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie 
(SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie 
[rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 
14-Aug-2016 17:12:41 GMT]
2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter 
(BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication 
required: sending 401 Authentication challenge response.
2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - 
RESPONSE /gateway/default/templeton/v1/status  401 handled=true
{code}

The configuration we are using for Knox topology related to authencation are 
following 
{code}
  <param>
            <name>urls./**</name>
            <value>ssl authcBasic</value>
           <!-- Also tried with authcBasic -->
           <!-- change this to authBasic with ldap and port to 389 it works-->
         </param>

         <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldaps://ldapURL:636</value>
            <!-- Switch this URL to use ldap and change port to 389 it works -->
         </param>
{code}

- I see this as a threat to IT systems which need to adhere certain  
compliance. 
- Along with this it would be great if the log could explicitly mention what is 
the issue, currently it doesn't provide any useful info which pin points to 
ldaps changing to ldap.

  was:
When in the topology we place ssl authcBasic or authcBasic along with the 
context factory using ldaps protocol we are unable to get Knox working. 
When we try using Knox with curl Knox generates HTTP Error 503. 
{code}
curl -i -k -u ad_user:P@ssword 
'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
{code}

Corresponding logs from Knox gateway are :

{code}
2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm 
(JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 
'ad_user' through LDAP
2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory 
(JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context 
using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin 
,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie 
(SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie 
[rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 
14-Aug-2016 17:12:41 GMT]
2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter 
(BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication 
required: sending 401 Authentication challenge response.
2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - 
RESPONSE /gateway/default/templeton/v1/status  401 handled=true
{code}

The configuration we are using for Knox topology related to authencation are 
following 
{code}
  <param>
            <name>urls./**</name>
            <value>ssl authcBasic</value>
           <!-- Also tried with authcBasic -->
           <!-- change this to authBasic with ldap and port to 389 it works-->
         </param>

         <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldaps://ldapURL:636</value>
            <!-- Switch this URL to use ldap and change port to 389 it works -->
         </param>
{code}

I see this as a threat to IT systems which need to adhere certain  compliance. 


> Knox doesn't work with ldaps protocol
> -------------------------------------
>
>                 Key: KNOX-735
>                 URL: https://issues.apache.org/jira/browse/KNOX-735
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: ClientDSL, Site
>    Affects Versions: 0.6.0
>         Environment: RHEL : Oracle Linux Server release 6.7
> Curl Version : 7.19.7
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
>            Reporter: Arpan Rajani
>              Labels: security
>
> When in the topology we place ssl authcBasic or authcBasic along with the 
> context factory using ldaps protocol we are unable to get Knox working. 
> When we try using Knox with curl Knox generates HTTP Error 503. 
> {code}
> curl -i -k -u ad_user:P@ssword 
> 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
> {code}
> Corresponding logs from Knox gateway are :
> {code}
> 2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm 
> (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 
> 'ad_user' through LDAP
> 2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory 
> (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context 
> using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin 
> ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
> 2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie 
> (SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie 
> [rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 
> 14-Aug-2016 17:12:41 GMT]
> 2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter 
> (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication 
> required: sending 401 Authentication challenge response.
> 2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - 
> RESPONSE /gateway/default/templeton/v1/status  401 handled=true
> {code}
> The configuration we are using for Knox topology related to authencation are 
> following 
> {code}
>   <param>
>             <name>urls./**</name>
>             <value>ssl authcBasic</value>
>            <!-- Also tried with authcBasic -->
>            <!-- change this to authBasic with ldap and port to 389 it works-->
>          </param>
>          <param>
>             <name>main.ldapRealm.contextFactory.url</name>
>             <value>ldaps://ldapURL:636</value>
>             <!-- Switch this URL to use ldap and change port to 389 it works 
> -->
>          </param>
> {code}
> - I see this as a threat to IT systems which need to adhere certain  
> compliance. 
> - Along with this it would be great if the log could explicitly mention what 
> is the issue, currently it doesn't provide any useful info which pin points 
> to ldaps changing to ldap.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to