Yes. As is typical with SSL setup, this can be complex, but it is covered in the User’s Guide:
http://knox.apache.org/books/knox-0-6-0/user-guide.html#Authentication
From: Aneela Saleem
Reply-To: "[email protected]"
Date: Monday, July 27, 2015 at 1:36 PM
To: "[email protected]"
Subject: Re: Apache Knox Web API

Ok what if I forget the startTLS thing and start with LDAPS, is it supported in Shiro LDAP Realm?

On Mon, Jul 27, 2015 at 8:46 PM, Kevin Minder <[email protected]> wrote:

Ok did a bit more digging and it looks like the Shiro LDAP Realm we are using does not implement StartTLS. It seems as though other Shiro Realm implementations do, as evidenced here:
http://jmchung.github.io/blog/2014/10/03/integrating-shiro-with-cas-authentication-via-ldap/

But I see no evidence that the JndiLdapRealm upon which the KnoxLdapRealm is based has the code described here for StartTLS support:
https://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html

This would be a valuable area for you to contribute to either Knox or Shiro if this capability is important for your use case. Also note that LDAPS should provide equivalent security.

From: Aneela Saleem
Reply-To: "[email protected]"
Date: Monday, July 27, 2015 at 11:07 AM
To: "[email protected]"
Subject: Re: Apache Knox Web API

I just tried to enable startTLS for LDAP. I just followed this link:
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

On Mon, Jul 27, 2015 at 8:02 PM, Kevin Minder <[email protected]> wrote:

Well, what have you changed since it last worked?

From: Aneela Saleem
Reply-To: "[email protected]"
Date: Monday, July 27, 2015 at 11:01 AM
To: "[email protected]"
Subject: Re: Apache Knox Web API

But what could be the issue, as it was working fine before?

On Mon, Jul 27, 2015 at 7:35 PM, Kevin Minder <[email protected]> wrote:

In the development branch (called master) we have added several features to help diagnose LDAP issues. However, to take advantage of these you will need to build Knox from source, as these features are not yet included in an official release.

From: Aneela Saleem
Reply-To: "[email protected]"
Date: Monday, July 27, 2015 at 10:26 AM
To: "[email protected]"
Subject: Re: Apache Knox Web API

But I did not get your point.

On Mon, Jul 27, 2015 at 7:22 PM, Kevin Minder <[email protected]> wrote:

I believe the default LDAP port is 389. Is your OpenLDAP server listening on 389? Otherwise, would it be possible for you to build and use the master branch version of Knox? We have recently added several LDAP diagnostics that might help us here.

From: Aneela Saleem
Reply-To: "[email protected]"
Date: Monday, July 27, 2015 at 10:14 AM
To: "[email protected]"
Subject: Re: Apache Knox Web API

Hi Kevin, I'm using OpenLDAP.

On Mon, Jul 27, 2015 at 6:59 PM, Kevin Minder <[email protected]> wrote:

I’m suspecting this:

    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost</value>
    </param>

What LDAP server are you using?

From: Aneela Saleem
Reply-To: "[email protected]"
Date: Sunday, July 26, 2015 at 2:53 PM
To: "[email protected]"
Subject: Re: Apache Knox Web API

    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost</value>
    </param>
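As an added example, not code from this thread or from the Knox project: a small Python check that reads a Knox topology fragment and flags the two points Kevin raises above, a plain ldap:// context URL (which the JndiLdapRealm-based KnoxLdapRealm cannot upgrade with StartTLS, so only ldaps:// gives an encrypted bind) and a URL with no explicit port (which silently falls back to 389 or 636). The topology sample is constructed around the quoted <param> block; the surrounding provider elements are assumed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The Shiro parameter discussed in the thread.
LDAP_URL_PARAM = "main.ldapRealm.contextFactory.url"

# Constructed sample: a minimal topology fragment built around the quoted
# <param> block. The enclosing elements are assumed, not copied from a
# real deployment.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost</value>
      </param>
    </provider>
  </gateway>
</topology>"""


def ldap_url_findings(topology_xml: str) -> list:
    """Audit the LDAP context URL in a topology; empty list means it looks sane."""
    root = ET.fromstring(topology_xml)
    findings = []
    seen = False
    for param in root.iter("param"):
        if (param.findtext("name") or "").strip() != LDAP_URL_PARAM:
            continue
        seen = True
        parsed = urlparse((param.findtext("value") or "").strip())
        if parsed.scheme == "ldap":
            # A simple bind over plain LDAP sends the password in cleartext,
            # and this realm does not issue StartTLS, so ldaps:// is the fix.
            findings.append("cleartext ldap:// URL; switch to ldaps://")
        elif parsed.scheme != "ldaps":
            findings.append("unexpected URL scheme: %r" % parsed.scheme)
        if parsed.port is None:
            # Implicit port: 389 for ldap://, 636 for ldaps://. Stating it
            # makes a server listening elsewhere fail loudly, not mysteriously.
            default = 636 if parsed.scheme == "ldaps" else 389
            findings.append("no explicit port; will default to %d" % default)
    if not seen:
        findings.append("%s parameter not found" % LDAP_URL_PARAM)
    return findings
```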
