Dilli Arumugam created KNOX-242:
-----------------------------------

             Summary: knox needs to support basedn, search attribute based LDAP authentication
                 Key: KNOX-242
                 URL: https://issues.apache.org/jira/browse/KNOX-242
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
            Reporter: Dilli Arumugam


To set the context, here is the authentication provider specification in a Knox topology file:

        <provider>
            <role>authentication</role>
            <enabled>true</enabled>
            <name>ShiroProvider</name>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://localhost:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

This allows a configurable userDnTemplate to infer the bind DN from the authenticating user name.

However, in enterprise use cases it is not always possible to infer the bind DN from the authenticating user name with a template like this. Instead, we have to search the directory for the entry whose configurable attribute matches the user name in order to find the user DN. This means we should add at least one additional configuration parameter, such as userSearchTemplate.

An example value for userSearchTemplate:

(&(uid={0})(objectclass=inetorgperson))

The base DN for the search can be specified as part of contextFactory.url.
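To make the proposed flow concrete, here is an added example (not Apache Knox or Shiro code) of the search-then-bind lookup a userSearchTemplate implies: the user name is substituted into the filter template with RFC 4515 escaping so it is always a literal, the search runs under the base DN taken from the path of the LDAP URL, and the result is accepted only when exactly one entry matches. The in-memory directory, the LDAP URL with a base DN, and the helper names (escape_filter_value, find_user_dn, authenticate, and so on) are constructed for illustration; a real implementation would issue the search through an LDAP client against the server in contextFactory.url and then bind as the returned DN.

```python
"""Search-then-bind user lookup for the userSearchTemplate proposal.

Added example, not Apache Knox or Shiro code. The directory, the URL and
the helper names are constructed for illustration; the filter evaluator
supports only AND lists and equality matches (no wildcards)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse, unquote

Entry = Dict[str, List[str]]      # attribute name (lower-case) -> values
Directory = Dict[str, Entry]      # DN -> entry

# Constructed sample directory shaped like the topology's ou=people subtree.
# Note that sam's DN is keyed by cn, so no uid={0} template could derive it,
# and two entries share uid=dup to exercise the "exactly one match" rule.
DIRECTORY: Directory = {
    "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["guest"], "objectclass": ["inetorgperson"], "userpassword": ["guest-password"]},
    "cn=Sam Admin,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["sam"], "objectclass": ["inetorgperson"], "userpassword": ["sam-password"]},
    "cn=svc-knox,ou=services,dc=hadoop,dc=apache,dc=org": {
        "uid": ["sam"], "objectclass": ["applicationprocess"], "userpassword": ["svc-password"]},
    "uid=dup,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["dup"], "objectclass": ["inetorgperson"], "userpassword": ["dup-password"]},
    "cn=Dup Two,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["dup"], "objectclass": ["inetorgperson"], "userpassword": ["dup-password"]},
}

# Constructed: the topology URL with the search base appended as its path.
LDAP_URL = "ldap://localhost:33389/ou=people,dc=hadoop,dc=apache,dc=org"
SEARCH_TEMPLATE = "(&(uid={0})(objectclass=inetorgperson))"

def base_dn_from_url(url: str) -> str:
    """Take the base DN from the path component of an LDAP URL (RFC 4516 form)."""
    return unquote(urlparse(url).path.lstrip("/"))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the user name is always a literal inside the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_search_filter(template: str, username: str) -> str:
    return template.replace("{0}", escape_filter_value(username))

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Tiny filter parser: returns (node, next_index); AND lists and equality only."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] == "&":
        i += 1
        children = []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated AND list")
        return ("and", children), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)
    return ("eq", s[i:eq].lower(), _unescape(s[eq + 1:end])), end + 1

def matches(node: tuple, entry: Entry) -> bool:
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def _under_base(dn: str, base_dn: str) -> bool:
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def find_user_dn(directory: Directory, base_dn: str, template: str, username: str) -> Optional[str]:
    """Search under base_dn; accept the result only when exactly one entry matches."""
    node, _ = parse_filter(render_search_filter(template, username))
    hits = [dn for dn, entry in directory.items()
            if _under_base(dn, base_dn) and matches(node, entry)]
    return hits[0] if len(hits) == 1 else None

def authenticate(directory: Directory, url: str, template: str, username: str, password: str) -> bool:
    """Resolve the DN by search, then 'bind' (modelled here as a password compare)."""
    dn = find_user_dn(directory, base_dn_from_url(url), template, username)
    if dn is None:
        return False
    return password in directory[dn].get("userpassword", [])

if __name__ == "__main__":
    base = base_dn_from_url(LDAP_URL)
    print(find_user_dn(DIRECTORY, base, SEARCH_TEMPLATE, "sam"))
    print(authenticate(DIRECTORY, LDAP_URL, SEARCH_TEMPLATE, "sam", "sam-password"))
```

Two points of the design matter for a deployment: the ambiguity check (`len(hits) == 1`) refuses to authenticate when the attribute named in the template is not unique under the base DN, rather than silently binding as the first hit, and the service entry outside ou=people is never considered because the base DN scopes the search.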

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)