handavid commented on PR #1177:
URL: https://github.com/apache/knox/pull/1177#issuecomment-4098879633
> Thanks, @handavid, for your contribution. May I ask you to provide some
> information about the manual testing you did which includes the topology and
> the relevant settings? This would help us in the future to see the setup if we
> needed to configure this feature for our own tests. Thanks!
@smolnar82
Here's a snippet of the gateway-site.xml that configures the LDAP Proxy and
Backend. I've included configs for either the Knox test LDAP server or some AD
server.
```
<!-- LDAP Proxy Service Configuration -->
<property>
  <name>gateway.ldap.enabled</name>
  <value>true</value>
  <description>Enable the embedded LDAP service for user and group lookups. Set to true to enable.</description>
</property>
<property>
  <name>gateway.ldap.port</name>
  <value>3890</value>
  <description>Port for the LDAP service to listen on. Default is 3890.</description>
</property>
<property>
  <name>gateway.ldap.base.dn</name>
  <value>dc=proxy,dc=com</value>
  <description>Base DN for LDAP entries in the proxy server. Default is dc=proxy,dc=com.</description>
</property>
<property>
  <name>gateway.ldap.backend.type</name>
  <value>ldap</value>
  <description>Backend type for LDAP service. Currently supported: file, ldap. Future: jdbc, knox.</description>
</property>

<!-- LDAP backend proxy configuration using knox test LDAP server -->
<!--
<property>
  <name>gateway.ldap.backend.ldap.url</name>
  <value>ldap://localhost:33389</value>
  <description>LDAP server URL for proxy backend</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.remoteBaseDn</name>
  <value>dc=hadoop,dc=apache,dc=org</value>
  <description>Base DN of the remote LDAP server</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.systemUsername</name>
  <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
  <description>LDAP bind DN for proxy backend authentication</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.systemPassword</name>
  <value>guest-password</value>
  <description>LDAP bind password for proxy backend authentication</description>
</property>
<property>
  <name>gateway.ldap.backend.data.file</name>
  <value>${GATEWAY_DATA_HOME}/ldap-users.json</value>
  <description>Path to JSON data file for file-based backend. Supports ${GATEWAY_DATA_HOME} variable.</description>
</property>
-->

<!-- LDAP backend proxy configuration using AD -->
<property>
  <name>gateway.ldap.backend.ldap.url</name>
  <value>ldap://<AD host>:389</value>
  <description>LDAP server URL for proxy backend</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.remoteBaseDn</name>
  <value><REMOTE BASE DN></value>
  <description>Base DN of the remote LDAP server</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.systemUsername</name>
  <value>cn=<REMOTE USERNAME>,cn=Users,<REMOTE BASE DN></value>
  <description>LDAP bind DN for proxy backend authentication</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.systemPassword</name>
  <value><REMOTE PASSWORD></value>
  <description>LDAP bind password for proxy backend authentication</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.userIdentifierAttribute</name>
  <!-- configure attribute to be used for user search against backend. Usually uid, cn, or sAMAccountName -->
  <!-- <value>cn</value> -->
  <value>sAMAccountName</value>
  <description>Attribute used for identifying users</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.userSearchBase</name>
  <value>cn=users,<REMOTE BASE DN></value>
  <description>Search base for users</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.groupSearchBase</name>
  <value>ou=groups,<REMOTE BASE DN></value>
  <description>Search base for groups</description>
</property>
<property>
  <name>gateway.ldap.backend.ldap.useMemberOf</name>
  <value>true</value>
  <description>Whether to use the memberOf attribute for efficiency when retrieving group memberships</description>
</property>
```
After building Knox, I ran the following commands to install and start the
test gateway.
```
ant install-test-home
# update the gateway-site.xml with the above configs
ant start-test-gateway
```
I then tested using `ldapsearch` against the LDAP proxy and verified that
the returned information matched the queries against AD.
```
# single user search
ldapsearch -v -x -H ldap://localhost:3890 -b '<REMOTE BASE DN>' '(sAMAccountName=username)'
ldapsearch -v -x -H ldap://localhost:3890 -b '<REMOTE BASE DN>' '(cn=username)'

# user substring search
ldapsearch -v -x -H ldap://localhost:3890 -b '<REMOTE BASE DN>' '(sAMAccountName=substring*)'
ldapsearch -v -x -H ldap://localhost:3890 -b '<REMOTE BASE DN>' '(cn=substring*)'
ldapsearch -v -x -H ldap://localhost:3890 -b '<REMOTE BASE DN>' '(sAMAccountName=*)'
```
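The comment above verifies the proxy by eyeballing `ldapsearch` output against the same queries run directly against AD. The following is an added example, not code from the PR or from Apache Knox, that turns that manual check into a repeatable one: it parses the LDIF that `ldapsearch` prints from two runs (one against the proxy on port 3890, one against the backend) and reports entries the proxy failed to return, entries it invented, and per-attribute differences. The two LDIF captures embedded here are constructed sample data with a made-up `dc=example,dc=test` directory; the list of AD operational attributes to ignore (`whenChanged`, `uSNChanged`, ...) is an assumption about what a proxy would reasonably not reproduce, and the helper names are hypothetical.

```python
"""Compare LDIF from the Knox LDAP proxy with LDIF from the backend directory.

Usage: save `ldapsearch -LLL ...` output from both servers to files, read them
into the two strings below (or pass them to parse_ldif), then run the script.
Constructed sample data is embedded so the script runs offline.
"""
import base64
import json
import re
from typing import Dict, List, Set

# {dn (lowercased): {attribute name (lowercased): {values}}}
Entries = Dict[str, Dict[str, Set[str]]]

# Assumption: AD operational attributes change on every write and a proxy is not
# expected to mirror them, so they are excluded from the comparison by default.
OPERATIONAL_ATTRS = {"whenchanged", "usnchanged", "usncreated", "dscorepropagationdata"}

# Constructed sample: what the proxy answered for (sAMAccountName=*).
PROXY_LDIF = """\
# base <dc=example,dc=test> with scope subtree
# filter: (sAMAccountName=*)

dn: CN=jdoe,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
cn: jdoe
sAMAccountName: jdoe
memberOf: CN=hadoop-admins,OU=groups,DC=example,DC=test
memberOf: CN=analysts,OU=groups,DC=example,DC=test
description:: SsO8cmdlbiBEb2U=

# search result
search: 2
result: 0 Success
"""

# Constructed sample: what the backend AD answered for the same filter. Note the
# folded continuation line, the different memberOf order and the operational
# attributes, none of which should count as a discrepancy; the second entry
# is missing from the proxy's answer and should be flagged.
BACKEND_LDIF = """\
dn: CN=jdoe,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
cn: jdoe
sAMAccountName: jdoe
memberOf: CN=analysts,OU=groups,DC=example,DC=test
memberOf: CN=hadoop-admins,OU=groups,DC=example,
 DC=test
description:: SsO8cmdlbiBEb2U=
whenChanged: 20240101120000.0Z
uSNChanged: 123456

dn: CN=svc-backup,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
cn: svc-backup
sAMAccountName: svc-backup

search: 3
result: 0 Success
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a leading single space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Entries:
    """Parse ldapsearch LDIF output into a dict keyed by DN.

    Comments, the 'version:' header and the 'search:'/'result:' trailer are
    skipped; '::' values are base64-decoded. DNs and attribute names are
    lowercased because both are case-insensitive in LDAP; attribute values are
    kept verbatim.
    """
    entries: Entries = {}
    dn = None
    attrs: Dict[str, Set[str]] = {}
    for line in _unfold(text):
        if not line.strip():  # a blank line terminates the current entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):(:?) ?(.*)$", line)
        if not m or m.group(1).lower() in ("search", "result"):
            continue
        name, is_b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            dn = value.lower()
        else:
            attrs.setdefault(name, set()).add(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def diff_entries(proxy: Entries, backend: Entries, ignore: Set[str] = OPERATIONAL_ATTRS) -> dict:
    """Report where the proxy's answer deviates from the backend's answer."""
    report: dict = {
        "missing_in_proxy": sorted(set(backend) - set(proxy)),
        "extra_in_proxy": sorted(set(proxy) - set(backend)),
        "attribute_mismatches": {},
    }
    for dn in set(proxy) & set(backend):
        p = {k: v for k, v in proxy[dn].items() if k not in ignore}
        b = {k: v for k, v in backend[dn].items() if k not in ignore}
        changed = {k: (sorted(p.get(k, ())), sorted(b.get(k, ())))
                   for k in set(p) | set(b) if p.get(k) != b.get(k)}
        if changed:
            report["attribute_mismatches"][dn] = changed
    return report


def run_comparison() -> dict:
    """Compare the two embedded captures; a clean proxy yields empty lists and no mismatches."""
    return diff_entries(parse_ldif(PROXY_LDIF), parse_ldif(BACKEND_LDIF))


if __name__ == "__main__":
    print(json.dumps(run_comparison(), indent=2))
```

Running the script on the sample data reports `cn=svc-backup,cn=users,dc=example,dc=test` as missing from the proxy and nothing else, which is the kind of gap a too-narrow `userSearchBase` or `userIdentifierAttribute` setting would produce; in a real check, replace the two embedded strings with captures from the proxy on port 3890 and from the AD host named in `gateway.ldap.backend.ldap.url`.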
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]