[ https://issues.apache.org/jira/browse/KNOX-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15558300#comment-15558300 ]

Eric Yang commented on KNOX-536:
--------------------------------

Larry, 

1) The PAM module has been in Knox since Knox 0.6.0.  We are shipping Knox 0.7.0; 
there is no reason that master would be any different.  

2) We are using pam_sss because sssd provides the ability to define multiple LDAP 
server sources to make the user namespace appear as a flat structure.

3) We use FreeIPA to sync with Active Directory to flatten OUs.  This works with 
a couple of limitations:

* User profiles created in AD replicate to IPA but not the other way (password 
sync DOES occur in both directions)
* Groups do not replicate, nor does group membership
* Sync is performed between ONE IPA server and ONE AD server. IPA can still 
replicate to other IPA servers in multi-master mode, and AD can still replicate 
with other AD servers.

It is best to configure an OU within AD to contain the user accounts. If the 
replication agreement is configured to use the top-level user OU, all sub-OUs 
are also replicated. This means that you can place Windows user (system) 
accounts that you do NOT want replicated to IPA in the standard Users folder. 
It's pretty much best practice to use OUs within Windows AD anyway. For 
accounts to sync they MUST be populated with both First Name and Last Name 
fields. Users without a Last Name will not replicate, and errors on the IPA 
server regarding missing 'sn' parameters will result.

If there are multiple AD servers hosting multiple OUs, then we use the domain 
feature in sssd to set a search base on each OU.  This enables searching through 
multiple OUs based on the number of domains defined in sssd.

FreeIPA and sssd are great tools to help scale the hierarchical OU structure 
in AD.

> LDAP authentication against nested OU
> -------------------------------------
>
>                 Key: KNOX-536
>                 URL: https://issues.apache.org/jira/browse/KNOX-536
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: 0.10.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Knox Gateway provides HTTP BASIC authentication against an LDAP user 
> directory. It currently supports only a single Organizational Unit (OU) and 
> does not support nested OUs.
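The per-OU sssd domain layout described in the comment above, written out as an added example; this is not configuration from the Knox project or from the commenter. Host names, OU paths and the CA bundle path are placeholders, and the Knox PAM service name is assumed to be `knox`.

```ini
# /etc/sssd/sssd.conf (added example; values are placeholders)
# One sssd "domain" per AD search base. Knox authenticates through
# pam_sss, so it sees the union of these domains as one flat namespace.
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order: a user name is resolved against domains in this order.
domains = eng, ops

[domain/eng]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_id_mapping = True
ldap_uri = ldaps://ad1.example.com
ldap_search_base = ou=Engineering,ou=People,dc=example,dc=com
# Verify the AD server certificate; do not fall back to unverified TLS.
ldap_tls_cacert = /etc/pki/tls/certs/example-ad-ca.pem
ldap_tls_reqcert = demand
# Short names only, so users do not need user@eng vs user@ops.
use_fully_qualified_names = False
# Gateway host: no offline password cache, no full directory enumeration.
cache_credentials = False
enumerate = False

[domain/ops]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_id_mapping = True
ldap_uri = ldaps://ad2.example.com
ldap_search_base = ou=Operations,ou=People,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/example-ad-ca.pem
ldap_tls_reqcert = demand
use_fully_qualified_names = False
cache_credentials = False
enumerate = False

# /etc/pam.d/knox (added example; service name assumed)
# Both auth and account must go through pam_sss so that a disabled or
# expired AD account is rejected even when the password is still valid.
auth     required   pam_sss.so
account  required   pam_sss.so
```

sssd refuses to start unless sssd.conf is owned by root with mode 0600, and with `use_fully_qualified_names = False` a user name that exists in both OUs resolves to the first domain listed, so keep the OUs disjoint.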



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)