handavid commented on code in PR #1227: URL: https://github.com/apache/knox/pull/1227#discussion_r3259684496
########## knox-site/docs/service_ldap_server.md: ########## @@ -0,0 +1,150 @@ +# Knox LDAP Service + +The Knox LDAP Service provides an embedded LDAP server within the Knox Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a standard LDAP interface to clients while fetching user and group information from various backends. + +## Overview + +Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247), the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a lightweight, embedded LDAP server. Its primary goal is to provide a consistent LDAP interface for authentication and group lookups, even when the underlying identity store is not a traditional LDAP server or is a remote server that requires proxying. + +Key features include: +- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD). +- **Embedded Server**: No need for an external LDAP server for simple use cases or testing. +- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`. Review Comment: `memberOf` handling isn't specific to AD. ########## knox-site/docs/service_ldap_server.md: ########## 
@@ -0,0 +1,150 @@ +# Knox LDAP Service + +The Knox LDAP Service provides an embedded LDAP server within the Knox Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a standard LDAP interface to clients while fetching user and group information from various backends. + +## Overview + +Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247), the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a lightweight, embedded LDAP server. Its primary goal is to provide a consistent LDAP interface for authentication and group lookups, even when the underlying identity store is not a traditional LDAP server or is a remote server that requires proxying. + +Key features include: +- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD). +- **Embedded Server**: No need for an external LDAP server for simple use cases or testing. +- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`. +- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if they aren't part of the base ApacheDS schema. Review Comment: we don't have any special handling yet for attributes that aren't part of the base schema other than `sAMAccountName` and `memberOf` ########## knox-site/docs/service_ldap_server.md: ########## 
@@ -0,0 +1,150 @@ +# Knox LDAP Service + +The Knox LDAP Service provides an embedded LDAP server within the Knox Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a standard LDAP interface to clients while fetching user and group information from various backends. + +## Overview + +Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247), the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a lightweight, embedded LDAP server. Its primary goal is to provide a consistent LDAP interface for authentication and group lookups, even when the underlying identity store is not a traditional LDAP server or is a remote server that requires proxying. + +Key features include: +- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD). +- **Embedded Server**: No need for an external LDAP server for simple use cases or testing. +- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`. +- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if they aren't part of the base ApacheDS schema. + +## Architecture + +The Knox LDAP Service is integrated as a core gateway service. It consists of the following components: + +1. **KnoxLDAPServerManager**: Manages the lifecycle of the ApacheDS instance. +2. **GroupLookupInterceptor**: A custom ApacheDS interceptor that captures search requests. If an entry is not found in the local ApacheDS partitions, it delegates the lookup to the configured backend. +3. **LdapBackend**: A pluggable interface for fetching user and group data. +4. **SchemaManagerFactory**: Programmatically extends the ApacheDS schema to include AD-specific attributes like `memberOf` and `sAMAccountName`. + +When a client performs an LDAP search: +1. The request hits the embedded ApacheDS server. +2. The `GroupLookupInterceptor` intercepts the search. +3. 
The interceptor attempts to find the user/group locally. Review Comment: nit: wording is a bit confusing. The interceptor checks the results of the local search. The interceptor itself is not attempting to find the user/group locally. ########## knox-site/docs/service_ldap_server.md: ########## 
@@ -0,0 +1,150 @@ +# Knox LDAP Service + +The Knox LDAP Service provides an embedded LDAP server within the Knox Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a standard LDAP interface to clients while fetching user and group information from various backends. + +## Overview + +Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247), the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a lightweight, embedded LDAP server. Its primary goal is to provide a consistent LDAP interface for authentication and group lookups, even when the underlying identity store is not a traditional LDAP server or is a remote server that requires proxying. + +Key features include: +- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD). +- **Embedded Server**: No need for an external LDAP server for simple use cases or testing. +- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`. +- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if they aren't part of the base ApacheDS schema. + +## Architecture + +The Knox LDAP Service is integrated as a core gateway service. It consists of the following components: + +1. **KnoxLDAPServerManager**: Manages the lifecycle of the ApacheDS instance. +2. **GroupLookupInterceptor**: A custom ApacheDS interceptor that captures search requests. If an entry is not found in the local ApacheDS partitions, it delegates the lookup to the configured backend. +3. **LdapBackend**: A pluggable interface for fetching user and group data. +4. **SchemaManagerFactory**: Programmatically extends the ApacheDS schema to include AD-specific attributes like `memberOf` and `sAMAccountName`. Review Comment: `memberOf` isn't specific to AD. -- This is an automated message from the Apache Git Service. 
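Review bot: the Overview says the service gives clients a consistent LDAP interface for "authentication and group lookups", but the "When a client performs an LDAP search" steps in the Architecture section describe only the search path through `GroupLookupInterceptor`. Please document the bind flow too: whether a client bind against the embedded server is verified against the local ApacheDS partitions or delegated to the configured `LdapBackend`, and whether a backend that cannot be reached results in a bind error rather than a fall-through to local data, since that decides whether a backend outage fails closed.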
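Review bot: the `GroupLookupInterceptor` bullet ("If an entry is not found in the local ApacheDS partitions, it delegates the lookup to the configured backend") leaves precedence and failure semantics unstated. Suggest spelling out whether a local entry shadows a backend entry with the same DN, and whether a backend error or timeout is surfaced to the client as an LDAP error or as an empty result set; an empty result on error makes a group lookup silently return no groups, which any authorization that keys on `memberOf` would read as "not a member".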
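Review bot: the Embedded Server and Pluggable Backends bullets describe what the server serves but not how its listener is protected. The page should state the default listen address and port, whether LDAPS or StartTLS is available to clients, and how the bind credentials for the remote LDAP/AD backend are supplied (in particular whether they can be kept in the Knox credential store instead of plaintext configuration), because an embedded LDAP facade reachable on a network interface is an authentication surface in its own right.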
