hanicz opened a new pull request, #1250: URL: https://github.com/apache/knox/pull/1250
[KNOX-3336](https://issues.apache.org/jira/browse/KNOX-3336) - New LDAP Service Factory

## What changes were proposed in this pull request?

- Moved the LDAP Service creation into its own factory class to follow the existing pattern
- Bugfix: If `ldap.enabled` was set to `false` initially, reloadable configs wouldn't matter because the LDAP service was unable to start.

The isLDAPEnabled guard is no longer needed in DefaultGatewayServices because KnoxLDAPService.init() already handles it — when disabled, it simply sets enabled = false and returns, making start()/stop() no-ops. The service object is lightweight when inert, and keeping it alive lets onGatewayConfigChanged() dynamically enable LDAP without a gateway restart.

## How was this patch tested?

Unit tests, local test with reloadable.

Manual test: Started a local Knox and LDAP instance. Changed the knoxsso ldap port to 3890 and tried to log in to the homepage, which failed. Updated the gateway-reloadable.xml with the below ldap configs and I was able to log into the homepage.

```
2026-06-08 18:00:34,783 INFO knox.gateway (GatewayServer.java:refreshGatewayConfig(275)) - Refreshed gateway config
2026-06-08 18:00:34,786 INFO services.ldap (KnoxLDAPService.java:onGatewayConfigChanged(87)) - Reloading LDAP configuration
2026-06-08 18:00:34,798 INFO services.ldap (KnoxLDAPServerManager.java:stop(240)) - Stopping LDAP service on port 0
2026-06-08 18:00:34,798 INFO services.ldap (KnoxLDAPServerManager.java:stop(260)) - LDAP service stopped successfully
2026-06-08 18:00:34,800 INFO services.ldap (InterceptorFactory.java:createInterceptor(49)) - Creating interceptor: backend (via ServiceLoader)
2026-06-08 18:00:34,801 INFO services.ldap (BackendFactory.java:createBackend(46)) - Loading backend: ldap (via ServiceLoader)
2026-06-08 18:00:34,804 INFO services.ldap (LdapProxyBackend.java:<init>(146)) - Loading backend: localldap (via Proxying dc=proxy,dc=com to ldap://localhost:33389 (dc=hadoop,dc=apache,dc=org) with uid attribute using group searches)
2026-06-08 18:00:34,819 INFO services.ldap (LdapProxyBackend.java:initializeConnectionPool(201)) - Loading backend: ldap (via Initialized connection pool with maxActive=8)
2026-06-08 18:00:34,819 INFO services.ldap (KnoxLDAPServerManager.java:start(133)) - Starting LDAP service on port 3,890 with base DN: dc=proxy,dc=com
2026-06-08 18:00:35,110 INFO services.ldap (KnoxLDAPServerManager.java:start(186)) - LDAP service started successfully on port 3,890
```

knoxsso.xml:

```
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://localhost:3890</value>
</param>
```

gateway-reloadable.xml:

```
<!-- LDAP Proxy Service Configuration -->
<property>
    <name>gateway.ldap.enabled</name>
    <value>true</value>
    <description>Enable the embedded LDAP service for user and group lookups. Set to true to enable.</description>
</property>
<property>
    <name>gateway.ldap.port</name>
    <value>3890</value>
    <description>Port for the LDAP service to listen on. Default is 3890.</description>
</property>
<property>
    <name>gateway.ldap.base.dn</name>
    <value>dc=proxy,dc=com</value>
    <description>Base DN for LDAP entries in the proxy server. Default is dc=proxy,dc=com.</description>
</property>
<property>
    <name>gateway.ldap.interceptor.names</name>
    <value>localldap</value>
    <description>Interceptor names for LDAP service.</description>
</property>

<!-- Local LDAP Server -->
<property>
    <name>gateway.ldap.interceptor.localldap.interceptorType</name>
    <value>backend</value>
    <description>Type of interceptor. Currently supported: backend, duplicateuserfilter</description>
</property>
<property>
    <name>gateway.ldap.interceptor.localldap.backendType</name>
    <value>ldap</value>
    <description>Type of backend. Currently supported: file, ldap. Future: jdbc, knox.</description>
</property>
<property>
    <name>gateway.ldap.interceptor.localldap.url</name>
    <value>ldap://localhost:33389</value>
    <description>LDAP server URL for proxy backend</description>
</property>
<property>
    <name>gateway.ldap.interceptor.localldap.remoteBaseDn</name>
    <value>dc=hadoop,dc=apache,dc=org</value>
    <description>Base DN of the remote LDAP server</description>
</property>
<property>
    <name>gateway.ldap.interceptor.localldap.systemUsername</name>
    <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
    <description>LDAP bind DN for proxy backend authentication</description>
</property>
<property>
    <name>gateway.ldap.interceptor.localldap.systemPassword</name>
    <value>guest-password</value>
    <description>LDAP bind password for proxy backend authentication</description>
</property>
```

## Integration Tests

N/A

## UI changes

N/A
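The lifecycle change described in the bugfix above, as an added sketch that is not part of the pull request and not Knox source code: `LdapReloadSketch`, `LdapService`, `createWithGuard` and `createAlways` are hypothetical names, and only the `init`/`start`/`stop`/`onGatewayConfigChanged` method names and the `gateway.ldap.*` keys come from the description. It contrasts a guarded creation, where a disabled service never exists and so cannot react to a reload, with an always-created service that stays inert until enabled.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch, not Knox source. Only the method names and the
// gateway.ldap.* keys are taken from the PR description.
public class LdapReloadSketch {
    static class LdapService {
        boolean enabled, running;
        int port;
        void init(Map<String, String> cfg) {
            enabled = Boolean.parseBoolean(cfg.getOrDefault("gateway.ldap.enabled", "false"));
            if (!enabled) return; // inert: nothing bound, nothing pooled
            port = Integer.parseInt(cfg.getOrDefault("gateway.ldap.port", "3890"));
        }
        void start() { if (enabled) running = true; } // no-op while disabled
        void stop() { running = false; }
        void onGatewayConfigChanged(Map<String, String> cfg) {
            stop();
            init(cfg);
            start();
        }
    }

    // "Before": creation is guarded, so a disabled service never exists.
    static LdapService createWithGuard(Map<String, String> cfg) {
        boolean on = Boolean.parseBoolean(cfg.getOrDefault("gateway.ldap.enabled", "false"));
        return on ? createAlways(cfg) : null;
    }

    // "After": always created; disabled just means inert.
    static LdapService createAlways(Map<String, String> cfg) {
        LdapService s = new LdapService();
        s.init(cfg);
        s.start();
        return s;
    }

    public static void main(String[] args) {
        Map<String, String> cfg = new HashMap<>();
        cfg.put("gateway.ldap.enabled", "false");
        LdapService guarded = createWithGuard(cfg);
        LdapService always = createAlways(cfg);
        cfg.put("gateway.ldap.enabled", "true"); // simulated reload
        if (guarded != null) guarded.onGatewayConfigChanged(cfg);
        always.onGatewayConfigChanged(cfg);
        System.out.println("guarded instance exists: " + (guarded != null));
        System.out.println("always-created running on port " + always.port + ": " + always.running);
    }
}
```

With the always-created form, a write to the reloadable config file is enough to open the LDAP listener at runtime, so that file's permissions and the "Reloading LDAP configuration" log line become the points to control and monitor.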
