[ https://issues.apache.org/jira/browse/KNOX-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815378#comment-13815378 ]

Sergey Balan commented on KNOX-40:
----------------------------------

Status:
On my environment LDAPS over SSL works.

How to setup Knox over SSL:
1. Add the LDAP server's certificate to the Knox CA (see the attached 
LDAP_cert_to_catrust.cmd as an example):
 keytool -import -trustcacerts -alias CERT_ALIAS -file CERT_FILE_NAME -keystore gateway.jks -storepass YOUR_STORAGE_PASSWORD

2. In the sandbox.xml the following changes should be done (you can see an 
example in the attachment):
- change the "main.ldapRealm.contextFactory.url" parameter value to the following: 
"ldap://HOST:PORT", where HOST is the LDAP address and PORT is the LDAP secure port
- add a new 
"main.ldapRealm.contextFactory.environment[java.naming.security.protocol]" 
parameter with the value "ssl".

Known limitations:
1. If Knox and the LDAP server run on the same host, then the LDAP URL should have the 
following format: ldap://localhost:port. You can't use your host IP.
2. Be sure that your Apache DS contains the following fix: 
https://issues.apache.org/jira/browse/DIRSTUDIO-848

> Verify LDAP over SSL
> --------------------
>
>                 Key: KNOX-40
>                 URL: https://issues.apache.org/jira/browse/KNOX-40
>             Project: Apache Knox
>          Issue Type: Test
>          Components: Server
>    Affects Versions: 0.2.0
>            Reporter: Kevin Minder
>            Assignee: Sergey Balan
>             Fix For: 0.3.0
>
>         Attachments: LDAP_cert_to_catrust.cmd, sandbox.xml, users.ldif
>
>
> From BUG-4318
> Verify the configuration where LDAP authentication occurs over SSL.  Currently in 
> our 0.1.0 milestone we use ApacheDS to set up an LDAP endpoint.  We use this 
> for authentication, but to do that we need to propagate the password collected 
> via an HTTP Basic Auth challenge.  Right now communication with LDAP (i.e. 
> ApacheDS) is done over a non-secure transport.  For this task we need to 
> figure out how to set up ApacheDS to use SSL and then ensure that the gateway 
> can communicate with it over SSL.  The ApacheDS we are using can be found in 
> the gateway-test-ldap module.  We are using Apache Shiro to perform the 
> authentication.  This can be found in the gateway-provider-security-shiro.
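The two sandbox.xml changes from the comment above (the contextFactory URL plus the java.naming.security.protocol=ssl environment parameter) are easy to get half right, leaving the LDAP bind, and with it the Basic Auth password, on a plaintext socket. The check below is an added example, not code from the issue or from Knox itself; it assumes the Knox topology layout of a ShiroProvider <provider> holding <param> name/value pairs, and the sample topology, realm class name and port are constructed values.

```python
# Added example: report whether a Knox ShiroProvider LDAP realm would bind over SSL.
import xml.etree.ElementTree as ET

URL_PARAM = "main.ldapRealm.contextFactory.url"
PROTO_PARAM = "main.ldapRealm.contextFactory.environment[java.naming.security.protocol]"

# Constructed sample topology in the shape of the sandbox.xml attachment
# (realm class name and port 10636 are assumptions, not taken from the issue).
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.ldapRealm</name><value>org.apache.shiro.realm.ldap.JndiLdapRealm</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://localhost:10636</value></param>
      <param><name>main.ldapRealm.contextFactory.environment[java.naming.security.protocol]</name><value>ssl</value></param>
    </provider>
  </gateway>
</topology>"""


def shiro_params(topology_xml: str) -> dict:
    """Collect name -> value for every <param> of the ShiroProvider authentication provider."""
    root = ET.fromstring(topology_xml)
    params = {}
    for provider in root.iter("provider"):
        if provider.findtext("role") == "authentication" and provider.findtext("name") == "ShiroProvider":
            for p in provider.findall("param"):
                params[(p.findtext("name") or "").strip()] = (p.findtext("value") or "").strip()
    return params


def ldap_transport(params: dict) -> str:
    """Return 'ssl', 'plaintext' or 'unknown' for the realm's LDAP connection.

    An ldap:// URL is only encrypted when the JNDI security.protocol
    environment parameter is set to ssl, which is the combination the
    comment describes; ldaps:// is encrypted by scheme alone.
    """
    url = params.get(URL_PARAM, "").lower()
    if url.startswith("ldaps://"):
        return "ssl"
    if url.startswith("ldap://"):
        return "ssl" if params.get(PROTO_PARAM, "").lower() == "ssl" else "plaintext"
    return "unknown"


if __name__ == "__main__":
    print(ldap_transport(shiro_params(SAMPLE_TOPOLOGY)))
```

Run it against a real topology file with ET.parse() in place of the embedded sample; anything that reports "plaintext" still sends the user's password to LDAP in the clear.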

--
This message was sent by Atlassian JIRA
(v6.1#6144)