[ 
https://issues.apache.org/jira/browse/KNOX-3358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sandor Molnar updated KNOX-3358:
--------------------------------
    Description: 
The embedded LDAP service provided by the Knox Gateway currently permits 
anonymous access. Any client that can reach the service port is able to perform 
binds and searches without supplying any credentials, which is not appropriate 
for environments where the directory interface should be restricted to 
authenticated callers.

This improvement introduces optional, operator-configurable bind credentials
for the embedded LDAP service:
 * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
 * {{gateway_ldap_bind_password}} - the password for that bind DN, saved as an 
alias in the gateway-level credential store

When both properties are configured, anonymous access to the embedded LDAP 
service is disabled and clients are required to authenticate with the 
configured credentials in order to perform LDAP operations. When the properties 
are left unset, the service continues to allow anonymous access as before, so 
existing deployments are unaffected.

This gives administrators a simple way to control access to the embedded LDAP 
service without changing how internal lookups (backend proxying, group and 
roles resolution) are performed.

  was:
The embedded LDAP service provided by the Knox Gateway currently permits 
anonymous access. Any client that can reach the service port is able to perform 
binds and searches without supplying any credentials, which is not appropriate 
for environments where the directory interface should be restricted to 
authenticated callers.

This improvement introduces optional, operator-configurable bind credentials
for the embedded LDAP service:
 * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
 * {{gateway.ldap.bind.password}} - the password for that bind DN

When both properties are configured, anonymous access to the embedded LDAP 
service is disabled and clients are required to authenticate with the 
configured credentials in order to perform LDAP operations. When the properties 
are left unset, the service continues to allow anonymous access as before, so 
existing deployments are unaffected.

This gives administrators a simple way to control access to the embedded LDAP 
service without changing how internal lookups (backend proxying, group and 
roles resolution) are performed.


> Support configurable bind credentials for the embedded Knox LDAP service
> ------------------------------------------------------------------------
>
>                 Key: KNOX-3358
>                 URL: https://issues.apache.org/jira/browse/KNOX-3358
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The embedded LDAP service provided by the Knox Gateway currently permits 
> anonymous access. Any client that can reach the service port is able to 
> perform binds and searches without supplying any credentials, which is not 
> appropriate for environments where the directory interface should be 
> restricted to authenticated callers.
> This improvement introduces optional, operator-configurable bind credentials
> for the embedded LDAP service:
>  * {{gateway.ldap.bind.user}} - the bind DN clients must authenticate as
>  * {{gateway_ldap_bind_password}} - the password for that bind DN, saved as 
> an alias in the gateway-level credential store
> When both properties are configured, anonymous access to the embedded LDAP 
> service is disabled and clients are required to authenticate with the 
> configured credentials in order to perform LDAP operations. When the 
> properties are left unset, the service continues to allow anonymous access as 
> before, so existing deployments are unaffected.
> This gives administrators a simple way to control access to the embedded LDAP 
> service without changing how internal lookups (backend proxying, group and 
> roles resolution) are performed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
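To confirm that the change described in this issue actually took effect on a running gateway, a practitioner wants to see the embedded LDAP service refuse an anonymous bind and accept a bind as the configured DN. The probe below is an added example written for this page; it is not part of the Knox project or of the patch for KNOX-3358. It hand-encodes an LDAPv3 simple BindRequest in BER (RFC 4511) so it needs only the Python standard library, sends it over a plain TCP connection, and decodes the BindResponse resultCode. The port 33389 in the usage comment is the port the Knox demo LDAP listens on by default and is an assumption not stated on this page; the bind DN and password are whatever the operator configured via gateway.ldap.bind.user and the gateway_ldap_bind_password alias.

```python
"""Probe whether an LDAP server still accepts anonymous simple binds.

Builds LDAPv3 BindRequest messages by hand (BER, RFC 4511) so it runs with
the standard library only, sends them to a server, and decodes the
BindResponse resultCode. Against the embedded Knox LDAP service the expected
outcome once bind credentials are configured is: anonymous bind rejected,
bind as the configured DN with the stored password accepted.
"""
import socket
import sys
from typing import Tuple

# resultCode values from RFC 4511 that matter for a bind check
SUCCESS = 0
INAPPROPRIATE_AUTHENTICATION = 48   # server refuses anonymous/unauthenticated binds
INVALID_CREDENTIALS = 49            # DN or password wrong


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    An empty DN with an empty password is the anonymous simple bind (RFC 4513).
    """
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must fit in one positive INTEGER octet")
    bind_request = _tlv(
        0x60,                                    # [APPLICATION 0] BindRequest
        _tlv(0x02, b"\x03")                      # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name LDAPDN
        + _tlv(0x80, password.encode("utf-8")),  # simple [0] OCTET STRING
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _message_id, pos = _read_tlv(body, 0)
    tag, response, _ = _read_tlv(body, pos)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(response, 0)        # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(response, pos)
    _, diagnostic, _ = _read_tlv(response, pos)
    return int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace")


def try_bind(host: str, port: int, bind_dn: str = "", password: str = "",
             timeout: float = 5.0) -> Tuple[int, str]:
    """Send one simple bind over a plain TCP connection and return the server's verdict.

    The password crosses the wire in clear on a non-TLS port, so point this only
    at a loopback or test listener.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)                   # a BindResponse is small; one read suffices
    return parse_bind_response(data)


def anonymous_bind_allowed(host: str, port: int) -> bool:
    """True when the server answers an anonymous simple bind with resultCode success."""
    return try_bind(host, port)[0] == SUCCESS


if __name__ == "__main__":
    # usage: python ldap_bind_probe.py HOST PORT [BIND_DN PASSWORD]
    # e.g. python ldap_bind_probe.py localhost 33389 (Knox demo LDAP default port; assumption)
    host, port = sys.argv[1], int(sys.argv[2])
    code, diag = try_bind(host, port)
    print(f"anonymous bind: resultCode={code} {diag!r}")
    if len(sys.argv) > 4:
        code, diag = try_bind(host, port, sys.argv[3], sys.argv[4])
        print(f"bind as {sys.argv[3]}: resultCode={code} {diag!r}")
```

With both properties set, the first line should report resultCode 48 (inappropriateAuthentication) or 49 (invalidCredentials) rather than 0, and the second line, run with the configured DN and its password, should report 0. With the properties unset, the first line reports 0, which is the anonymous access the issue describes.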
