[ 
https://issues.apache.org/jira/browse/KNOX-3358?focusedWorklogId=1026314&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026314
 ]

ASF GitHub Bot logged work on KNOX-3358:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Jun/26 21:44
            Start Date: 22/Jun/26 21:44
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1275:
URL: https://github.com/apache/knox/pull/1275

     [KNOX-3358](https://issues.apache.org/jira/browse/KNOX-3358) - Support 
configurable bind credentials for the embedded Knox LDAP service
   
     ## What changes were proposed in this pull request?
   
     The embedded Knox LDAP service (`KnoxLDAPService` / 
`KnoxLDAPServerManager`) called 
`directoryService.setAllowAnonymousAccess(true)` unconditionally, so any client 
could query the server with no credentials:
   ```
   $ ldapsearch -x -H ldap://localhost:33390 -b "" "(uid=admin)" cn mail memberOf
   ```
   succeeds with no `-D` / `-W`.
   
   This PR lets operators put the embedded server behind a bind user:
     - **`gateway.ldap.bind.user`** (new `gateway-site.xml` property) — the 
full bind DN clients must authenticate as (e.g. 
`uid=knox,ou=people,dc=hadoop,dc=apache,dc=org`).
     - **`gateway.ldap.bind.password`** (credential store alias) — the bind 
password, resolved from the gateway credential store via `AliasService` rather 
than stored in plaintext.
     
   Behavior:
     - When a bind user is configured **and** the `gateway.ldap.bind.password` 
alias resolves to a non-blank value, anonymous access is disabled and a bind 
entry (`inetOrgPerson`) is created for the configured DN via the privileged 
admin session. Clients **must** then bind with those credentials.
     - Otherwise (the default), anonymous access remains enabled exactly as 
before — fully backward compatible.
     
   The bind DN's parent container must already exist: the server auto-creates 
`ou=people,{base.dn}` and `ou=groups,{base.dn}` (and `ou=system` always 
exists), so the bind DN must sit under one of those.
     
     Changes:
     - `GatewayConfig` / `GatewayConfigImpl` / `GatewayTestConfig`: new 
`gateway.ldap.bind.user` property and `getLDAPBindUser()` getter.
     - `KnoxLDAPService`: gains an `AliasService` dependency 
(`setAliasService(...)`), injected by `LdapServiceFactory`, and passes it to 
the server manager.
     - `KnoxLDAPServerManager`: reads the bind user from config and the bind 
password from the `gateway.ldap.bind.password` gateway alias; conditionally 
disables anonymous access; new `createBindUser(...)` adds the bind entry.
     - `LdapMessages`: new INFO log emitted when bind enforcement is enabled. 
     - Docs: `knox-site/docs/service_ldap_server.md` — new "Bind Credentials" 
section (including the base DN ↔ bind DN relationship and a worked example) 
plus an updated _Anonymous Access_ note.
    
   ## How was this patch tested?
     
     - Added unit tests in `KnoxLDAPServerManagerTest` that start a real 
embedded server and use `LdapNetworkConnection` (with a mocked `AliasService` 
resolving the bind password) to verify:
       - anonymous bind is rejected when bind credentials are configured;
       - binding with the configured DN/password succeeds and can search;
       - binding with a wrong password is rejected 
(`LdapAuthenticationException`);
       - anonymous access still works when no bind credentials are configured 
(backward compat).
     - Updated `KnoxLDAPServiceTest` for the new `AliasService` dependency and 
the `getLDAPBindUser()` lookup.
     - `mvn -pl gateway-server test 
-Dtest=KnoxLDAPServerManagerTest,KnoxLDAPServiceTest` → BUILD SUCCESS, 25 tests 
pass; Checkstyle and PMD clean.
     - Manual end-to-end with `gateway.ldap.enabled=true`, `gateway.ldap.port=33390`,
       `gateway.ldap.base.dn=dc=hadoop,dc=apache,dc=org`,
       `gateway.ldap.bind.user=uid=knox,ou=people,dc=hadoop,dc=apache,dc=org`, and the
       `gateway.ldap.bind.password` alias created via
       `knoxcli.sh create-alias gateway.ldap.bind.password --value <password>`:
       - `ldapsearch -x -H ldap://localhost:33390 -b "" "(uid=admin)" cn` → fails (anonymous denied)
       - `ldapsearch -x -H ldap://localhost:33390 -D "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org" -w <password> -b "" "(uid=admin)" cn mail memberOf` → succeeds
     
   ## Integration Tests
   
   No new workflow integration tests were added; the feature is covered by the 
unit tests above, which exercise a real embedded LDAP server over a live socket 
(bind + search).
     
   ## UI changes
   
   N/A
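The two manual `ldapsearch` checks in the PR description (anonymous bind denied, bind as the configured DN succeeds) can also be repeated at the wire level without an LDAP client library. The following Python script is an added example, not code from the Knox project or from the pull request: it encodes an LDAP v3 simple BindRequest (RFC 4511), decodes the BindResponse result code, and reports whether the server's anonymous-access policy matches what the PR intends. The host `localhost`, port `33390` and bind DN `uid=knox,ou=people,dc=hadoop,dc=apache,dc=org` are the values from the PR's manual test and are assumed here; the password is read from the command line. Any result code other than 0 (such as 49 `invalidCredentials` or 48 `inappropriateAuthentication`) counts as a rejection; the script does not assume which of them the embedded ApacheDS server returns.

```python
"""Wire-level check of the embedded Knox LDAP bind policy (added example, not Knox code)."""
import socket
import sys

# BER tags used by the LDAP bind exchange (RFC 4511).
TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
TAG_SIMPLE_AUTH = 0x80                             # AuthenticationChoice.simple [0]

# LDAP result codes relevant to bind policy checks (RFC 4511, Appendix A).
RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(value: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id: int, bind_dn: str = "", password: str = "") -> bytes:
    """LDAPMessage carrying a simple BindRequest; empty DN and password = anonymous bind."""
    bind = tlv(TAG_BIND_REQUEST,
               tlv(TAG_INTEGER, ber_int(3))                     # LDAP version 3
               + tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
               + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + bind)


def decode_bind_response(data: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, body, _ = read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)    # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER element (the whole LDAPMessage) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def bind_result_code(host: str, port: int, bind_dn: str = "", password: str = "") -> int:
    """Perform one bind against a live server and return its LDAP result code."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(encode_bind_request(1, bind_dn, password))
        code = decode_bind_response(recv_message(sock))["result_code"]
        sock.sendall(tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(2)) + b"\x42\x00"))  # UnbindRequest
    return code


def audit_bind_policy(host: str, port: int, bind_dn: str, password: str, bind=None) -> dict:
    """Anonymous bind must be refused; the configured bind DN must be accepted.
    `bind` may be replaced by a stand-in for offline testing."""
    bind = bind or bind_result_code
    anon = bind(host, port)
    auth = bind(host, port, bind_dn, password)
    return {"anonymous_rejected": anon != 0, "anonymous_code": RESULT_NAMES.get(anon, anon),
            "bind_user_accepted": auth == 0, "bind_user_code": RESULT_NAMES.get(auth, auth)}


if __name__ == "__main__":
    # Assumed host, port and bind DN from the PR's manual test; password from argv.
    print(audit_bind_policy("localhost", 33390,
                            "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org", sys.argv[1]))
```

Run it as `python3 knox_ldap_bind_check.py '<password>'` (file name assumed) against a gateway started with the properties from the PR; a healthy deployment reports `anonymous_rejected: True` and `bind_user_accepted: True`. The `bind` parameter of `audit_bind_policy` exists so the pass/fail logic can be exercised with a stand-in when no server is reachable.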




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1026314)
    Remaining Estimate: 0h
            Time Spent: 10m

> Support configurable bind credentials for the embedded Knox LDAP service
> ------------------------------------------------------------------------
>
>                 Key: KNOX-3358
>                 URL: https://issues.apache.org/jira/browse/KNOX-3358
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The embedded LDAP service provided by the Knox Gateway currently permits 
> anonymous access. Any client that can reach the service port is able to 
> perform binds and searches without supplying any credentials, which is not 
> appropriate for environments where the directory interface should be 
> restricted to authenticated callers.
> This improvement introduces optional, operator-configurable bind credentials
> for the embedded LDAP service:
>  * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
>  * {{gateway.ldap.bind.password}} - the password for that bind DN
> When both properties are configured, anonymous access to the embedded LDAP 
> service is disabled and clients are required to authenticate with the 
> configured credentials in order to perform LDAP operations. When the 
> properties are left unset, the service continues to allow anonymous access as 
> before, so existing deployments are unaffected.
> This gives administrators a simple way to control access to the embedded LDAP 
> service without changing how internal lookups (backend proxying, group and 
> roles resolution) are performed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
