[ https://issues.apache.org/jira/browse/KNOX-3358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated KNOX-3358:
--------------------------------
Description:
The embedded LDAP service provided by the Knox Gateway currently permits
anonymous access. Any client that can reach the service port is able to perform
binds and searches without supplying any credentials, which is not appropriate
for environments where the directory interface should be restricted to
authenticated callers.
This improvement introduces optional, operator-configurable bind credentials
for the embedded LDAP service:
* {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
* {{gateway_ldap_bind_password}} - the password for that bind DN, saved as an
alias in the gateway-level credential store
When both properties are configured, anonymous access to the embedded LDAP
service is disabled and clients are required to authenticate with the
configured credentials in order to perform LDAP operations. When the properties
are left unset, the service continues to allow anonymous access as before, so
existing deployments are unaffected.
This gives administrators a simple way to control access to the embedded LDAP
service without changing how internal lookups (backend proxying, group and
roles resolution) are performed.
was:
The embedded LDAP service provided by the Knox Gateway currently permits
anonymous access. Any client that can reach the service port is able to perform
binds and searches without supplying any credentials, which is not appropriate
for environments where the directory interface should be restricted to
authenticated callers.
This improvement introduces optional, operator-configurable bind credentials
for the embedded LDAP service:
* {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
* {{gateway.ldap.bind.password}} - the password for that bind DN
When both properties are configured, anonymous access to the embedded LDAP
service is disabled and clients are required to authenticate with the
configured credentials in order to perform LDAP operations. When the properties
are left unset, the service continues to allow anonymous access as before, so
existing deployments are unaffected.
This gives administrators a simple way to control access to the embedded LDAP
service without changing how internal lookups (backend proxying, group and
roles resolution) are performed.
> Support configurable bind credentials for the embedded Knox LDAP service
> ------------------------------------------------------------------------
>
> Key: KNOX-3358
> URL: https://issues.apache.org/jira/browse/KNOX-3358
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The embedded LDAP service provided by the Knox Gateway currently permits
> anonymous access. Any client that can reach the service port is able to
> perform binds and searches without supplying any credentials, which is not
> appropriate for environments where the directory interface should be
> restricted to authenticated callers.
> This improvement introduces optional, operator-configurable bind credentials
> for the embedded LDAP service:
> * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
> * {{gateway_ldap_bind_password}} - the password for that bind DN, saved as
> an alias in the gateway-level credential store
> When both properties are configured, anonymous access to the embedded LDAP
> service is disabled and clients are required to authenticate with the
> configured credentials in order to perform LDAP operations. When the
> properties are left unset, the service continues to allow anonymous access as
> before, so existing deployments are unaffected.
> This gives administrators a simple way to control access to the embedded LDAP
> service without changing how internal lookups (backend proxying, group and
> roles resolution) are performed.
--
This message was sent by Atlassian Jira (v8.20.10#820010)