Hi,

The KDC server sets its search base when the server is initialized. This string is set to search in a specific OU in the LDAP (ou=Users,dc=wso2,dc=org). As a tenant is mapped to an OU in LDAP in the current implementation, the realm in KDC refers to a collection of OUs, e.g.:

    dc=wso2,dc=org
    |_ou=Groups
    |_ou=tenant.com
    | |_ou=groups
    | |_ou=users
    |_ou=Users

The issue here is that, when I need to generate a TGT for a tenant user who resides outside the OU that is set to be searched on (ou=Users,dc=wso2,dc=org), and inside another OU (ou=tenant.com,ou=users,dc=wso2,dc=org), the KDC fails to locate this user.

If there were a mechanism to change the KDC search base via a client-side configuration while the server is running, then it could fix the problem, i.e. to have a client configuration passed every time a TGT is requested (at every login) to let the KDC know where to search for the user. I would need another 1 or 2 days to look into a possible solution to this.

Since the SS release date is set to be on the 17th Dec, I have done a workaround, which is a temporary fix to search for users starting from the root in the LDAP tree. This will be a change in KdcConfiguration.java in the ldap-server component (KDC is only used by SS at the moment). I agree that this is a performance hit in the long run. But since there are more, equally important tasks on the HDFS front that need to be done before the end of the week, such as starting the datanode as a SS node, starting the server with a port offset, and functionality bug fixes, I will leave this implementation as it is (with the workaround) and move on. If time permits, I will look into the more optimal solution.

Please let me know of any concerns.

--
Thanks and Regards,
Shani Ranasinghe
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: +94 77 2273555
linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
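The three search strategies discussed in the mail (the fixed ou=Users base that misses tenant users, the root-search workaround that examines the whole tree, and a per-tenant base derived from the principal's tenant domain), as an added illustration that is not part of the original mail or of the WSO2 ldap-server component. The in-memory directory mirrors the OU tree sketched above with constructed sample entries (alice, bob); the `ou=users,ou=<tenant>,dc=wso2,dc=org` layout assumed by `tenant_search_base`, and the DNS-style validation of the tenant domain before it is spliced into a DN, are assumptions of this example, not the project's actual implementation.

```python
import re

# Constructed sample directory modelled on the tree in the mail: dc=wso2,dc=org
# holds ou=Users / ou=Groups for the super tenant, plus one OU per tenant
# domain (ou=tenant.com) that carries its own ou=users and ou=groups.
BASE_DN = "dc=wso2,dc=org"
SUPER_TENANT_USERS = "ou=Users,dc=wso2,dc=org"  # the base the KDC is configured with
DIRECTORY = {
    "ou=Users,dc=wso2,dc=org": {"objectClass": "organizationalUnit"},
    "ou=Groups,dc=wso2,dc=org": {"objectClass": "organizationalUnit"},
    "uid=alice,ou=Users,dc=wso2,dc=org": {"uid": "alice"},
    "ou=tenant.com,dc=wso2,dc=org": {"objectClass": "organizationalUnit"},
    "ou=users,ou=tenant.com,dc=wso2,dc=org": {"objectClass": "organizationalUnit"},
    "ou=groups,ou=tenant.com,dc=wso2,dc=org": {"objectClass": "organizationalUnit"},
    "uid=bob,ou=users,ou=tenant.com,dc=wso2,dc=org": {"uid": "bob"},
}


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs compare the
    way an LDAP server would (case-insensitive attribute types and OU values)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn, base):
    """True if dn is the base entry itself or lies anywhere beneath it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def subtree_search(base, attr, value):
    """Simulate a subtree-scoped search for attr=value under base.

    Returns (matching DNs, number of entries examined); the second value makes
    the cost of searching from the root visible."""
    matches, examined = [], 0
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base):
            continue
        examined += 1
        if attrs.get(attr) == value:
            matches.append(dn)
    return matches, examined


# Assumed: tenant domains are DNS-style labels, so anything else (commas,
# '=' signs, wildcards) is rejected before it is spliced into a DN.
TENANT_DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def tenant_search_base(tenant_domain=None):
    """Derive the search base from the tenant domain carried by the principal.

    None means a super-tenant user and yields the configured ou=Users base;
    the per-tenant layout ou=users,ou=<domain>,<BASE_DN> is an assumption."""
    if tenant_domain is None:
        return SUPER_TENANT_USERS
    domain = tenant_domain.lower()
    if not TENANT_DOMAIN_RE.match(domain):
        raise ValueError("tenant domain is not a valid DNS-style name: %r" % tenant_domain)
    return "ou=users,ou=%s,%s" % (domain, BASE_DN)


def locate_user(uid, tenant_domain=None):
    """Look up a user by uid inside the OU that belongs to its tenant."""
    return subtree_search(tenant_search_base(tenant_domain), "uid", uid)


if __name__ == "__main__":
    # Fixed base: the tenant user is invisible to the KDC.
    print("fixed base   ->", subtree_search(SUPER_TENANT_USERS, "uid", "bob"))
    # Workaround: search from the root finds bob but examines every entry.
    print("root search  ->", subtree_search(BASE_DN, "uid", "bob"))
    # Per-tenant base: found with a narrow scope.
    print("tenant base  ->", locate_user("bob", "tenant.com"))
```

Running the block prints the three outcomes side by side: the fixed base examines two entries and finds nothing, the root search finds bob only after touching all seven entries, and the tenant-derived base finds him after examining two. The validation step matters because the tenant domain comes from the login request; without it, a crafted domain could redirect the search to an arbitrary part of the tree.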
