Kevin, I have tried, but it's not working.

Here's my gateway xml LDAP config:

<param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm" />
<param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory" />
<param name="main.ldapRealm.contextFactory" value="$ldapContextFactory" />
<param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <value>true</value>
</param>
<param name="main.ldapRealm.contextFactory.url" value="ldap://localhost:33389"/>
<param name="main.ldapRealm.contextFactory.systemUsername" value="uid=admin,ou=people,dc=hadoop,dc=apache,dc=org"/>
<param name="main.ldapRealm.contextFactory.systemPassword" value="admin-password"/>
<param name="main.ldapRealm.userSearchBase" value="ou=people,dc=hadoop,dc=apache,dc=org"/>
<param name="main.ldapRealm.userSearchFilter" value="(&(objectclass=person)(sAMAccountName={2})(|(memberOf=cn=contractor,dc=hadoop,dc=apache,dc=org)(memberOf=cn=scientist,ou=grouds,dc=hadoop,dc=apache,dc=org))"/>
<param name="main.ldapRealm.userObjectClass" value="person"/>

users.ldif

# Please replace with site specific values
dn: dc=hadoop,dc=apache,dc=org
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: people

# Entry for a sample contractor container
# Please replace with site specific values
dn: ou=contractor,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: contractor

# entry for sample user jerry
dn: uid=jerry,ou=contractor,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: jerry
sn: jerry
uid: jerry
userPassword:jerry-password

# entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword:sam-password

# entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword:tom-password

# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: groups
description: generic groups branch

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: analyst
description:analyst group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org

> On Nov 7, 2018, at 4:45 PM, Kevin Risden <kris...@apache.org> wrote:
>
> Assuming you are referring to something like KNOX-1307 [1]? The user search
> filter you can create can filter by groups depending on what you are trying
> to do. memberOf is one way for AD to limit users to only ones in a certain
> group.
>
> 1. https://issues.apache.org/jira/browse/KNOX-1307
>
> Kevin Risden
>
>
> On Wed, Nov 7, 2018 at 4:24 PM Raja Marimuthu
> <raja.marimu...@northbaysolutions.com> wrote:
> Hi,
>
> We are trying to filter users by specific LDAP groups, tried several
> options provided in the documentation:
> https://knox.apache.org/books/knox-1-1-0/user-guide.html#Advanced+LDAP+Authentication
>
> User Search by Filter
> userSearchBase (Required)
> userSearchFilter (Required)
> userSearchScope (Optional)
> principalRegex (Optional)
>
>
> Group filter is supported? Do we have any working alternative to filter
> users by group?
>
> Thanks
> Raja
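
A sanity check of the userSearchFilter against the users.ldif from the message above, added here as an example; it is not part of the original thread or of Knox. The function names are hypothetical, the LDIF is abridged to two of the posted entries, and the check reads only the posted text, so attributes a directory server computes at run time are not visible to it.

```python
import re

# Filter value copied from the gateway config in the message above.
FILTER = ("(&(objectclass=person)(sAMAccountName={2})"
          "(|(memberOf=cn=contractor,dc=hadoop,dc=apache,dc=org)"
          "(memberOf=cn=scientist,ou=grouds,dc=hadoop,dc=apache,dc=org))")

# Two entries abridged from the users.ldif in the same message.
LDIF = """\
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:person
cn: sam
uid: sam

dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupofnames
cn: scientist
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""

def paren_balance(flt):
    """Count of '(' left unclosed; 0 means the counts match."""
    return flt.count("(") - flt.count(")")

def filter_attributes(flt):
    """Attribute names the filter tests, lower-cased."""
    return {a.lower() for a in re.findall(r"\(([A-Za-z][\w.-]*)[~<>]?=", flt)}

def ldif_attributes(ldif):
    """Attribute names present on any LDIF entry, lower-cased, without dn."""
    names = {l.split(":", 1)[0].strip().lower()
             for l in ldif.splitlines() if ":" in l and not l.startswith("#")}
    return names - {"dn"}

def unknown_group_dns(flt, ldif):
    """memberOf values in the filter that are not the DN of any LDIF entry."""
    dns = {l.split(":", 1)[1].strip().lower()
           for l in ldif.splitlines() if l.lower().startswith("dn:")}
    values = re.findall(r"\(memberOf=([^()]+)\)", flt, re.I)
    return [v for v in values if v.lower() not in dns]

def diagnose(flt, ldif):
    """Collect the three checks into one report."""
    missing = sorted(filter_attributes(flt) - ldif_attributes(ldif))
    return {"unclosed_parens": paren_balance(flt),
            "attrs_not_in_ldif": missing,
            "unknown_group_dns": unknown_group_dns(flt, ldif)}

if __name__ == "__main__":
    print(diagnose(FILTER, LDIF))
```

On the posted values the report shows one unclosed parenthesis, two filter attributes (memberOf, sAMAccountName) that no posted entry carries, and two memberOf values that are not the DN of any posted entry.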