[
https://issues.apache.org/jira/browse/KNOX-3328?focusedWorklogId=1021258&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1021258
]
ASF GitHub Bot logged work on KNOX-3328:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/May/26 13:18
Start Date: 20/May/26 13:18
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #1236:
URL: https://github.com/apache/knox/pull/1236
[KNOX-3328](https://issues.apache.org/jira/browse/KNOX-3328) - Support
recursive group resolution in LDAP Proxy Service
## What changes were proposed in this pull request?
This PR introduces recursive group resolution to the `LdapProxyBackend`. Key
changes include:
- **Recursive Logic**: Implemented Breadth-First Search (BFS) for group
resolution. When enabled, Knox will traverse the group hierarchy to find all
transitive memberships.
- **Cycle Detection**: Uses a visited Set to track processed DNs, ensuring
that circular group references (e.g., Group A -> Group B -> Group A) do not
cause infinite loops.
- **Depth Limiting**: Added a new configuration `gateway.ldap.group.max.depth`
(default 10) to limit how deep the recursion goes, protecting the Gateway from
excessive LDAP round-trips.
- **Group Enrichment**: Updated `LdapProxyBackend.getUser` to search both
the user and group search bases. This allows group entries to be returned as
"proxy entries" enriched with their own `memberOf` attributes.
- **Optimized Attribute Fetching**: Implemented a hybrid lookup strategy.
Initial user/entry lookups fetch all attributes `(*, +)` to ensure complete
profile data, while recursive steps specifically request only the `memberOf`
and operational attributes `(+)` to minimize network payload and processing
overhead.
- **New Configuration Properties**:
  - `gateway.ldap.recursive.group.resolution`: Boolean to enable/disable the
    feature.
  - `gateway.ldap.group.max.depth`: Integer to control recursion depth.
## How was this patch tested?
The patch was tested using the LdapProxyBackendTest suite with an embedded
ApacheDS server.
- Unit Tests: Added 4 new test cases to `LdapProxyBackendTest`:
  - `testGetUserGroupsRecursive`: Verifies 3-level deep nesting is resolved
    correctly.
  - `testGetUserGroupsRecursiveCircular`: Verifies that circular references
    are handled without errors.
  - `testGetUserGroupsRecursiveMaxDepth`: Verifies that the recursion stops
    at the configured depth.
  - `testGetUserGroupsRecursiveUseMemberOf`: Verifies recursive resolution
    when `useMemberOf` is set to `true`.
- Test Data: Updated `ldap-proxy-backend-test.ldif` to include nested
  groups, circular groups, and groups with `memberOf` attributes.
## Integration Tests
Automated unit tests were added to gateway-server. These tests use an
embedded LDAP server to simulate a real-world proxy scenario, which provides
high-fidelity verification of the recursive logic and LDAP protocol handling.
No changes were required to .github/workflows/tests as the standard test suite
covers these new unit tests.
## UI changes
N/A
Issue Time Tracking
-------------------
Worklog Id: (was: 1021258)
Remaining Estimate: 0h
Time Spent: 10m
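The resolution strategy the PR describes (breadth-first traversal, a visited set for cycle detection, a depth cap, and cheaper attribute requests on recursive steps), as an added, self-contained illustration. This is not Knox's `LdapProxyBackend` code: the in-memory directory, the DNs and group names, the `DirectoryClient` class, `resolve_groups` and its depth semantics (level 0 is the user, entries at level `max_depth` are reported but not expanded) are all assumptions made for the example. Both direct-lookup modes from the PR are shown: reading the entry's own `memberOf` attribute, and searching the group base for entries whose `member` attribute names the DN.

```python
"""Recursive (nested) LDAP group resolution: BFS, cycle detection, depth cap.

Added example, not Knox project code. The directory below is a constructed
stand-in for an LDAP server; DNs, names and the client API are assumptions.
"""
from collections import deque

PEOPLE_BASE = "ou=people,dc=example,dc=com"
GROUP_BASE = "ou=groups,dc=example,dc=com"

ALICE = f"uid=alice,{PEOPLE_BASE}"
BOB = f"uid=bob,{PEOPLE_BASE}"
DEV, ENG, STAFF = (f"cn={g},{GROUP_BASE}" for g in ("dev", "eng", "staff"))
LOOP_A, LOOP_B = (f"cn={g},{GROUP_BASE}" for g in ("loop-a", "loop-b"))

# Constructed directory (DN -> attributes). dev -> eng -> staff is a 3-level
# nesting; loop-a and loop-b are members of each other (a circular reference).
# Both member (forward) and memberOf (reverse) links are kept consistent.
DIRECTORY = {
    ALICE:  {"objectClass": ["inetOrgPerson"], "memberOf": [DEV]},
    BOB:    {"objectClass": ["inetOrgPerson"], "memberOf": [LOOP_A]},
    DEV:    {"objectClass": ["groupOfNames"], "member": [ALICE], "memberOf": [ENG]},
    ENG:    {"objectClass": ["groupOfNames"], "member": [DEV], "memberOf": [STAFF]},
    STAFF:  {"objectClass": ["groupOfNames"], "member": [ENG], "memberOf": []},
    LOOP_A: {"objectClass": ["groupOfNames"], "member": [BOB, LOOP_B], "memberOf": [LOOP_B]},
    LOOP_B: {"objectClass": ["groupOfNames"], "member": [LOOP_A], "memberOf": [LOOP_A]},
}


class DirectoryClient:
    """Fake LDAP client (assumed API) that counts round-trips, so the effect
    of the depth cap on server load is observable."""

    def __init__(self, directory):
        self.directory = directory
        self.round_trips = 0

    def read(self, dn, attributes):
        """Return only the requested attributes of one entry (one round-trip).
        '*' stands in for 'all user attributes' as in a real LDAP request."""
        self.round_trips += 1
        entry = self.directory.get(dn, {})
        if "*" in attributes:
            return dict(entry)
        return {a: v for a, v in entry.items() if a in attributes}

    def groups_containing(self, dn):
        """Search the group base for entries whose member attribute names dn
        (one round-trip), i.e. the search-based lookup mode."""
        self.round_trips += 1
        return [g for g, attrs in self.directory.items()
                if g.endswith(GROUP_BASE) and dn in attrs.get("member", [])]


def resolve_groups(client, dn, use_member_of=True, max_depth=10):
    """Return every transitive group DN of dn, in BFS discovery order.

    Level 0 is dn itself. Groups discovered by expanding a level-d entry are
    level d+1; entries at level max_depth are reported but never expanded, so
    max_depth=1 yields direct memberships only. The visited set ensures each
    DN is expanded at most once, which is what makes circular groups terminate.
    """
    if max_depth < 1:
        return []
    visited = {dn}
    found = []
    queue = deque([(dn, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth >= max_depth:
            continue  # depth cap: do not expand, no further round-trips
        if use_member_of:
            # Hybrid fetch: full entry for the initial lookup, memberOf only
            # (plus operational attributes) on recursive steps.
            attrs = ["*", "+"] if depth == 0 else ["memberOf", "+"]
            parents = client.read(current, attrs).get("memberOf", [])
        else:
            parents = client.groups_containing(current)
        for parent in parents:
            if parent in visited:
                continue  # cycle or diamond: already queued/expanded
            visited.add(parent)
            found.append(parent)
            queue.append((parent, depth + 1))
    return found


if __name__ == "__main__":
    client = DirectoryClient(DIRECTORY)
    print(resolve_groups(client, ALICE), client.round_trips)
    print(resolve_groups(client, BOB, use_member_of=False))
```

Note that the cap bounds server load as well as recursion: with `max_depth=2` the traversal for `alice` stops after two reads even though a third level exists, and for `bob` the visited set lets the `loop-a`/`loop-b` cycle finish in three round-trips in either lookup mode.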
> Support recursive group resolution in LDAP Proxy Service
> --------------------------------------------------------
>
> Key: KNOX-3328
> URL: https://issues.apache.org/jira/browse/KNOX-3328
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 3.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The current Knox LDAP proxy implementation only supports direct group
> memberships for users. When a client queries for a user's {{memberOf}}
> attribute, Knox only returns the groups where the user is an explicit member,
> ignoring any transitive or nested group memberships.
> Additionally, group entries themselves are not enriched with the {{memberOf}}
> attribute, making it difficult for clients to walk the hierarchy manually.
> This task implements:
> # Recursive group resolution for both search-based and {{memberOf}}-based
> lookups.
> # Strict cycle detection to prevent infinite loops in misconfigured LDAP
> environments.
> # Configurable depth limits to prevent performance degradation.
> # Enrichment of group-type entries with the {{memberOf}} attribute, allowing
> clients to see parent group memberships.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)