[
https://issues.apache.org/jira/browse/KNOX-3358?focusedWorklogId=1026316&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026316
]
ASF GitHub Bot logged work on KNOX-3358:
----------------------------------------
Author: ASF GitHub Bot
Created on: 22/Jun/26 21:54
Start Date: 22/Jun/26 21:54
Worklog Time Spent: 10m
Work Description: smolnar82 commented on PR #1275:
URL: https://github.com/apache/knox/pull/1275#issuecomment-4773417037
Manual testing results:
gateway-site.xml changes:
```
<property>
    <name>gateway.ldap.bind.user</name>
    <value>uid=knox,ou=people,dc=hadoop,dc=apache,dc=org</value>
</property>
```
Saved the bind password:
```
$ bin/knoxcli.sh create-alias gateway.ldap.bind.password --value knoxsecret
gateway.ldap.bind.password has been successfully created.
```
Restarted Knox.
Logs:
```
2026-06-22 23:50:17,073 INFO services.ldap (KnoxLDAPServerManager.java:start(205)) - Anonymous access disabled; clients must bind as: uid=knox,ou=people,dc=hadoop,dc=apache,dc=org
```
Anonymous access denied:
```
$ ldapsearch -x -H ldap://localhost:33390 -b "" "(uid=admin)" cn
ldap_bind: Invalid credentials (49)
	additional info: INVALID_CREDENTIALS: Bind failed: org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: ERR_229 Cannot authenticate user
```
Wrong password:
```
$ ldapsearch -x -H ldap://localhost:33390 -D "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org" -w wrongPassword -b "" "(uid=admin)" cn mail memberOf
ldap_bind: Invalid credentials (49)
	additional info: INVALID_CREDENTIALS: Bind failed: org.apache.directory.api.ldap.model.exception.LdapAuthenticationException: ERR_229 Cannot authenticate user uid=knox,ou=people,dc=hadoop,dc=apache,dc=org
```
Happy path:
```
$ ldapsearch -x -H ldap://localhost:33390 -D "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org" -w knoxsecret -b "" "(uid=admin)" cn mail memberOf
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=admin)
# requesting: cn mail memberOf
#
# admin, people, hadoop.apache.org
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
mail: [email protected]
cn: System Administrator
memberOf: cn=admin,ou=groups,dc=hadoop,dc=apache,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
```
Issue Time Tracking
-------------------
Worklog Id: (was: 1026316)
Time Spent: 0.5h (was: 20m)
> Support configurable bind credentials for the embedded Knox LDAP service
> ------------------------------------------------------------------------
>
> Key: KNOX-3358
> URL: https://issues.apache.org/jira/browse/KNOX-3358
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The embedded LDAP service provided by the Knox Gateway currently permits
> anonymous access. Any client that can reach the service port is able to
> perform binds and searches without supplying any credentials, which is not
> appropriate for environments where the directory interface should be
> restricted to authenticated callers.
> This improvement introduces optional, operator-configurable bind credentials
> for the embedded LDAP service:
> * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
> * {{gateway.ldap.bind.password}} - the password for that bind DN
> When both properties are configured, anonymous access to the embedded LDAP
> service is disabled and clients are required to authenticate with the
> configured credentials in order to perform LDAP operations. When the
> properties are left unset, the service continues to allow anonymous access as
> before, so existing deployments are unaffected.
> This gives administrators a simple way to control access to the embedded LDAP
> service without changing how internal lookups (backend proxying, group and
> roles resolution) are performed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
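The access rule the issue describes (anonymous access off only when both properties are set, every LDAP operation gated on a successful bind as the configured DN), worked through as an added Python model. This is illustration code written for this page, not Knox's implementation (which is Java, in KnoxLDAPServerManager.java on top of Apache Directory). The directory entries and passwords are constructed, the DN normalisation is a simplification chosen here, the legacy-mode check of each entry's own userPassword is an assumption, and the partially-configured warning is this example's addition rather than documented Knox behaviour.

```python
"""Model of the bind gating KNOX-3358 describes for Knox's embedded LDAP service.

Added illustration only: not Knox's own code. The directory entries, passwords,
DN normalisation and legacy-mode password check are constructed for the example.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the result code ldapsearch reports on a failed bind

# Constructed sample directory; the passwords are the example's own, not Knox's demo ones.
DIRECTORY = {
    "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org": {
        "userPassword": "admin-example",
        "cn": ["System Administrator"],
        "memberOf": ["cn=admin,ou=groups,dc=hadoop,dc=apache,dc=org"],
    },
    "uid=knox,ou=people,dc=hadoop,dc=apache,dc=org": {
        "userPassword": "knoxsecret",
        "cn": ["Knox service account"],
    },
}


def normalize_dn(dn):
    """Simplified DN normalisation (an assumption of this example, not a Knox
    guarantee): case-insensitive comparison with whitespace around RDN separators
    dropped, so 'UID=knox, ou=people,...' still matches the configured DN."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


@dataclass
class EmbeddedLdapConfig:
    """bind_user mirrors gateway.ldap.bind.user in gateway-site.xml; bind_password
    mirrors the gateway.ldap.bind.password alias, which is created separately with
    knoxcli.sh and can therefore be missing even though the user is configured."""
    bind_user: Optional[str] = None
    bind_password: Optional[str] = None

    def anonymous_allowed(self):
        # Per the issue text: anonymous access is disabled only when BOTH are set.
        return not (self.bind_user and self.bind_password)

    def partially_configured(self):
        # One property without the other leaves anonymous access enabled; flagging
        # that is this example's addition, not documented Knox behaviour.
        return bool(self.bind_user) != bool(self.bind_password)


@dataclass
class BindResult:
    code: int
    detail: str = ""


def simple_bind(config, bind_dn=None, password=None):
    """Decide whether a simple bind is accepted under the given configuration."""
    if not bind_dn:  # anonymous bind: no DN and no password
        if config.anonymous_allowed():
            return BindResult(LDAP_SUCCESS, "anonymous bind accepted")
        return BindResult(LDAP_INVALID_CREDENTIALS, "Bind failed: Cannot authenticate user")
    supplied = (password or "").encode()
    if not config.anonymous_allowed():
        # Locked-down mode: only the configured bind DN with the aliased password binds.
        dn_ok = normalize_dn(bind_dn) == normalize_dn(config.bind_user)
        pw_ok = hmac.compare_digest(supplied, config.bind_password.encode())
        if dn_ok and pw_ok:
            return BindResult(LDAP_SUCCESS, "bound as " + config.bind_user)
        return BindResult(LDAP_INVALID_CREDENTIALS,
                          "Bind failed: Cannot authenticate user " + bind_dn)
    # Legacy mode (assumption): any entry may bind with its own userPassword.
    entry = DIRECTORY.get(normalize_dn(bind_dn))
    if entry and hmac.compare_digest(supplied, entry["userPassword"].encode()):
        return BindResult(LDAP_SUCCESS, "bound as " + bind_dn)
    return BindResult(LDAP_INVALID_CREDENTIALS,
                      "Bind failed: Cannot authenticate user " + bind_dn)


def search(config, filter_uid, attrs, bind_dn=None, password=None):
    """The '(uid=...)' search from the test output, gated on simple_bind."""
    result = simple_bind(config, bind_dn, password)
    if result.code != LDAP_SUCCESS:
        return result.code, []
    entries = [
        {attr: entry[attr] for attr in attrs if attr in entry}
        for dn, entry in DIRECTORY.items()
        if dn.startswith("uid=" + filter_uid + ",")
    ]
    return LDAP_SUCCESS, entries
```

Run against the locked-down configuration, the model reproduces the three cases in the test log above: an anonymous search and a wrong-password bind both return result 49, and the configured DN with the right password returns the admin entry. The partially_configured check is the caveat to keep in mind when rolling this out: gateway-site.xml alone does nothing until the knoxcli.sh alias exists as well.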