[ https://issues.apache.org/jira/browse/KNOX-3318?focusedWorklogId=1020824&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1020824 ]
ASF GitHub Bot logged work on KNOX-3318:
----------------------------------------
Author: ASF GitHub Bot
Created on: 18/May/26 14:34
Start Date: 18/May/26 14:34
Worklog Time Spent: 10m
Work Description: handavid commented on code in PR #1227:
URL: https://github.com/apache/knox/pull/1227#discussion_r3259684496
##########
knox-site/docs/service_ldap_server.md:
##########
@@ -0,0 +1,150 @@
+# Knox LDAP Service
+
+The Knox LDAP Service provides an embedded LDAP server within the Knox
Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a
standard LDAP interface to clients while fetching user and group information
from various backends.
+
+## Overview
+
+Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247),
the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a
lightweight, embedded LDAP server. Its primary goal is to provide a consistent
LDAP interface for authentication and group lookups, even when the underlying
identity store is not a traditional LDAP server or is a remote server that
requires proxying.
+
+Key features include:
+- **Pluggable Backends**: Support for different data sources (JSON files,
remote LDAP/AD).
+- **Embedded Server**: No need for an external LDAP server for simple use
cases or testing.
+- **Active Directory Integration**: Optimized for proxying to AD with support
for `sAMAccountName` and `memberOf`.
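Review bot: the opening paragraph says the service lets Knox "expose a standard LDAP interface to clients", but nothing in this introduction says how that listener is reached or protected: bind address, port, whether the embedded server accepts LDAPS or StartTLS, and which bind methods it supports. Since this is a network-facing authentication endpoint, add one sentence to the Overview that either points to where the listener and transport settings are documented or states plainly what the server supports, so readers do not assume TLS is on by default.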
Review Comment:
`memberOf` handling isn't specific to AD.
##########
knox-site/docs/service_ldap_server.md:
##########
@@ -0,0 +1,150 @@
+# Knox LDAP Service
+
+The Knox LDAP Service provides an embedded LDAP server within the Knox
Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a
standard LDAP interface to clients while fetching user and group information
from various backends.
+
+## Overview
+
+Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247),
the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a
lightweight, embedded LDAP server. Its primary goal is to provide a consistent
LDAP interface for authentication and group lookups, even when the underlying
identity store is not a traditional LDAP server or is a remote server that
requires proxying.
+
+Key features include:
+- **Pluggable Backends**: Support for different data sources (JSON files,
remote LDAP/AD).
+- **Embedded Server**: No need for an external LDAP server for simple use
cases or testing.
+- **Active Directory Integration**: Optimized for proxying to AD with support
for `sAMAccountName` and `memberOf`.
+- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if
they aren't part of the base ApacheDS schema.
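Review bot: the "Dynamic Schema" bullet ("Automatically handles common LDAP/AD attributes even if they aren't part of the base ApacheDS schema") overlaps with the "Active Directory Integration" bullet directly above it, which names only `sAMAccountName` and `memberOf`; as written a reader cannot tell whether any further attribute is added. Suggest collapsing the two into one bullet that lists exactly the attributes the service adds to the ApacheDS schema, and dropping "automatically" unless there is a mechanism beyond that fixed list.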
Review Comment:
We don't have any special handling yet for attributes that aren't part of
the base schema other than `sAMAccountName` and `memberOf`.
##########
knox-site/docs/service_ldap_server.md:
##########
@@ -0,0 +1,150 @@
+# Knox LDAP Service
+
+The Knox LDAP Service provides an embedded LDAP server within the Knox
Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a
standard LDAP interface to clients while fetching user and group information
from various backends.
+
+## Overview
+
+Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247),
the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a
lightweight, embedded LDAP server. Its primary goal is to provide a consistent
LDAP interface for authentication and group lookups, even when the underlying
identity store is not a traditional LDAP server or is a remote server that
requires proxying.
+
+Key features include:
+- **Pluggable Backends**: Support for different data sources (JSON files,
remote LDAP/AD).
+- **Embedded Server**: No need for an external LDAP server for simple use
cases or testing.
+- **Active Directory Integration**: Optimized for proxying to AD with support
for `sAMAccountName` and `memberOf`.
+- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if
they aren't part of the base ApacheDS schema.
+
+## Architecture
+
+The Knox LDAP Service is integrated as a core gateway service. It consists of
the following components:
+
+1. **KnoxLDAPServerManager**: Manages the lifecycle of the ApacheDS instance.
+2. **GroupLookupInterceptor**: A custom ApacheDS interceptor that captures
search requests. If an entry is not found in the local ApacheDS partitions, it
delegates the lookup to the configured backend.
+3. **LdapBackend**: A pluggable interface for fetching user and group data.
+4. **SchemaManagerFactory**: Programmatically extends the ApacheDS schema to
include AD-specific attributes like `memberOf` and `sAMAccountName`.
+
+When a client performs an LDAP search:
+1. The request hits the embedded ApacheDS server.
+2. The `GroupLookupInterceptor` intercepts the search.
+3. The interceptor attempts to find the user/group locally.
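Review bot: the Overview promises "a consistent LDAP interface for authentication and group lookups", but the Architecture section and the request walk-through describe only search interception (`GroupLookupInterceptor`: "captures search requests"); nothing says what happens to a bind request for a user who exists only in the backend. Add a step, or a short separate paragraph, stating whether binds are authenticated against the local partitions, forwarded to the configured backend, or rejected, since that is the behaviour an operator relying on this service for authentication most needs to know.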
Review Comment:
nit: wording is a bit confusing. The interceptor checks the results of the
local search. The interceptor itself is not attempting to find the user/group
locally.
##########
knox-site/docs/service_ldap_server.md:
##########
@@ -0,0 +1,150 @@
+# Knox LDAP Service
+
+The Knox LDAP Service provides an embedded LDAP server within the Knox
Gateway. It acts as a pluggable LDAP proxy or facade, allowing Knox to expose a
standard LDAP interface to clients while fetching user and group information
from various backends.
+
+## Overview
+
+Introduced in [KNOX-3247](https://issues.apache.org/jira/browse/KNOX-3247),
the Knox LDAP Service leverages Apache Directory Server (ApacheDS) to provide a
lightweight, embedded LDAP server. Its primary goal is to provide a consistent
LDAP interface for authentication and group lookups, even when the underlying
identity store is not a traditional LDAP server or is a remote server that
requires proxying.
+
+Key features include:
+- **Pluggable Backends**: Support for different data sources (JSON files,
remote LDAP/AD).
+- **Embedded Server**: No need for an external LDAP server for simple use
cases or testing.
+- **Active Directory Integration**: Optimized for proxying to AD with support
for `sAMAccountName` and `memberOf`.
+- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if
they aren't part of the base ApacheDS schema.
+
+## Architecture
+
+The Knox LDAP Service is integrated as a core gateway service. It consists of
the following components:
+
+1. **KnoxLDAPServerManager**: Manages the lifecycle of the ApacheDS instance.
+2. **GroupLookupInterceptor**: A custom ApacheDS interceptor that captures
search requests. If an entry is not found in the local ApacheDS partitions, it
delegates the lookup to the configured backend.
+3. **LdapBackend**: A pluggable interface for fetching user and group data.
+4. **SchemaManagerFactory**: Programmatically extends the ApacheDS schema to
include AD-specific attributes like `memberOf` and `sAMAccountName`.
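Review bot: component 3 (`LdapBackend`: "A pluggable interface for fetching user and group data") does not name the implementations that correspond to the backends promised under Key features (JSON files, remote LDAP/AD), so readers cannot map the feature list onto the architecture. List the concrete backend implementations under `LdapBackend`, and in item 2 say what the interceptor returns to the client when the delegated lookup fails or the backend is unreachable (an LDAP error or an empty result), since that decides whether a backend outage is indistinguishable from "user not found".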
Review Comment:
`memberOf` isn't specific to AD.
Issue Time Tracking
-------------------
Worklog Id: (was: 1020824)
Time Spent: 40m (was: 0.5h)
> Document Knox LDAP Server feature in the User Guide
> ---------------------------------------------------
>
> Key: KNOX-3318
> URL: https://issues.apache.org/jira/browse/KNOX-3318
> Project: Apache Knox
> Issue Type: Task
> Components: Document
> Affects Versions: 3.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Recent improvements in KNOX-3247 and KNOX-3277 implemented an embedded LDAP
> server/proxy within Knox. This task adds a comprehensive documentation page
> (service_ldap_server.md) to the knox-site module. The new documentation
> covers the service's architecture, configuration properties for both file and
> proxy backends, and specific optimizations for Active Directory integration.
> The page has been integrated into the "Client/User Guide" section of
> the official documentation.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)