[ 
https://issues.apache.org/jira/browse/KNOX-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15560498#comment-15560498
 ] 

Eric Yang commented on KNOX-536:
--------------------------------

Larry, sorry for the confusion.  Our Knox is slightly ahead of Apache Knox for 
this feature.  You are correct.  This will become available in Apache Knox 
0.10.0 only.  An example LDIF would look something like this:

{code}
dn: OU=Lancaster,DC=DomainName,DC=org
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Lancaster

dn: OU=AdminOU,OU=Lancaster,DC=DomainName,DC=org
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: AdminOU

dn: OU=StudentsOU,OU=Lancaster,DC=DomainName,DC=org
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: StudentsOU

dn: OU=TrainingOU,OU=Lancaster,DC=DomainName,DC=org
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: TrainingOU
{code}

The LDAP standard describes an LDAP search as a kind of function with 4 parameters:

* The node where the search should begin, which is a Distinguished Name (DN)
* The attributes you want to be brought back
* The depth of the search (base, one-level, subtree)
* The filter

FreeIPA provides the ability to configure AD as a trusted source, which maps to each 
DN, and uses the filter:

{code}
(&(objectCategory=person)(|(ou=StudentsOU)(ou=TrainingOU)))
{code}

This will allow multiple OUs to appear as one LDAP tree on FreeIPA to enforce 
GUID.  When a new OU is introduced, the filter needs to be fine-tuned to ensure 
global uniqueness.  Direct sssd to AD can work if the user never moves between 
nested OUs.  However, this is usually not the case; this is the reason that we 
use FreeIPA to manage global uniqueness, to safeguard against the Active Directory 
side effect that the SID can change when a user is moved between OUs.

> LDAP authentication against nested OU
> -------------------------------------
>
>                 Key: KNOX-536
>                 URL: https://issues.apache.org/jira/browse/KNOX-536
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: 0.10.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Knox Gateway provides HTTP BASIC authentication against an LDAP user 
> directory. It currently supports only a single Organizational Unit (OU) and 
> does not support nested OUs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

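The comment above describes an LDAP search as a function of four parameters (base DN, attributes, scope, filter), and then points at the uniqueness problem that appears once several OUs or directories are searched as one tree. The block below is an added example, not code from Apache Knox or from the comment's author: it models those four parameters in memory over a small LDIF sample, so the one-level versus subtree difference behind KNOX-536 and the "exactly one match" check a search-then-bind login needs can be exercised offline. The LDIF is constructed for this example (the OU layout follows the comment; the user entries, the `DC=Partner,DC=org` naming context and the duplicate `alice` login are invented to show a merged view with a duplicate name). It simplifies real directories in two ways: `objectCategory=person` is compared as a literal string (a real AD server resolves that shorthand against a schema DN), and the filter parser handles only AND, OR, NOT, equality and presence, not substring or ordering matches.

```python
# Added example: the four-parameter LDAP search (base DN, scope, filter, attribute
# list) modelled in memory over LDIF, to show the nested-OU and uniqueness problems.
import re

# Constructed sample tree: the OU layout from the comment plus invented users. The
# second "alice" (invented Partner naming context) models a duplicate login name.
LDIF = """\
dn: OU=Lancaster,DC=DomainName,DC=org
ou: Lancaster

dn: OU=StudentsOU,OU=Lancaster,DC=DomainName,DC=org
ou: StudentsOU

dn: OU=TrainingOU,OU=Lancaster,DC=DomainName,DC=org
ou: TrainingOU

dn: CN=alice,OU=StudentsOU,OU=Lancaster,DC=DomainName,DC=org
objectCategory: person
sAMAccountName: alice
ou: StudentsOU

dn: CN=bob,OU=TrainingOU,OU=Lancaster,DC=DomainName,DC=org
objectCategory: person
sAMAccountName: bob
ou: TrainingOU

dn: CN=alice,OU=Staff,DC=Partner,DC=org
objectCategory: person
sAMAccountName: alice
"""

def normalize_dn(dn):  # canonical form for comparison; assumes no escaped commas in RDNs
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        attrs.pop("changetype", None)  # 'changetype: add' carries no attribute data
        entries.append((normalize_dn(attrs.pop("dn")[0]), attrs))
    return entries

def in_scope(dn, base, scope):
    """RFC 4511 scopes: base = the entry itself, one = direct children, sub = whole subtree."""
    base = normalize_dn(base)
    return {"base": dn == base,
            "one": dn.partition(",")[2] == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..) (|..) (!..) (attr=value) (attr=*)."""
    def node(pos):  # text[pos] is the '(' opening this component
        op = text[pos + 1]
        if op in "&|!":
            kids, pos = [], pos + 2
            while text[pos] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos} in {text!r}")
            return (op, kids), pos + 1
        end = text.index(")", pos)
        attr, _, value = text[pos + 1:end].partition("=")
        return ("=", attr.strip().lower(), value.strip()), end + 1
    ast, end = node(0)
    if end != len(text):
        raise ValueError(f"trailing data in filter {text!r}")
    return ast

def matches(attrs, ast):
    op, *rest = ast
    if op in "&|":
        return (all if op == "&" else any)(matches(attrs, k) for k in rest[0])
    if op == "!":
        return not matches(attrs, rest[0][0])
    attr, value = rest
    values = attrs.get(attr, [])
    if value == "*":  # presence test; an escaped \2a (handled below) stays a literal '*'
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return wanted.lower() in (v.lower() for v in values)

def search(entries, base, scope, filter_text, attributes=None):
    """The LDAP search the comment describes; returns [(dn, projected attrs)]."""
    ast = parse_filter(filter_text)
    want = None if attributes is None else {a.lower() for a in attributes}
    return [(dn, {k: v for k, v in attrs.items() if want is None or k in want})
            for dn, attrs in entries if in_scope(dn, base, scope) and matches(attrs, ast)]

def escape_filter_value(value):  # RFC 4515 escaping: blocks filter injection via user input
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def resolve_user_dn(entries, base, username):
    """Search-then-bind lookup: exactly one entry must match, or the login is ambiguous."""
    flt = f"(&(objectCategory=person)(sAMAccountName={escape_filter_value(username)}))"
    hits = search(entries, base, "sub", flt, ["sAMAccountName"])
    if len(hits) != 1:
        raise LookupError(f"{username!r}: expected exactly one entry, got {len(hits)}")
    return hits[0][0]

ENTRIES = parse_ldif(LDIF)
```

Run against the sample, a one-level search from `OU=Lancaster` for persons returns nothing (its direct children are the two OUs), while a subtree search with the comment's filter returns both nested users; `resolve_user_dn` finds `alice` under `OU=Lancaster` but refuses her once the base is widened to `DC=org` and the Partner copy comes into scope, which is the situation the comment's uniqueness filter has to be tuned for. Escaping the login name before it is placed in the filter keeps `*` from turning the equality test into a match-everything presence test.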