If you are using the demo LDAP server then memberOf isn't available. It is
an LDAP extension that only exists in AD. Apache DS LDAP doesn't support
virtual attributes. If you want to emulate it you would need to update the
user object with the attributes.

Kevin Risden


On Thu, Nov 8, 2018 at 5:38 PM Raja Marimuthu <raja.marimu...@northbaysolutions.com> wrote:

> Kevin,
>
> I have tried, but it's not working.
>
> Here's my gateway XML LDAP config:
>
>     <param name="main.ldapRealm"
>            value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
>     <param name="main.ldapContextFactory"
>            value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
>     <param name="main.ldapRealm.contextFactory"
>            value="$ldapContextFactory"/>
>     <param name="main.ldapRealm.authorizationEnabled"
>            value="true"/>
>     <param name="main.ldapRealm.contextFactory.url"
>            value="ldap://localhost:33389"/>
>     <param name="main.ldapRealm.contextFactory.systemUsername"
>            value="uid=admin,ou=people,dc=hadoop,dc=apache,dc=org"/>
>     <param name="main.ldapRealm.contextFactory.systemPassword"
>            value="admin-password"/>
>     <param name="main.ldapRealm.userSearchBase"
>            value="ou=people,dc=hadoop,dc=apache,dc=org"/>
>     <param name="main.ldapRealm.userSearchFilter"
>            value="(&amp;(objectclass=person)(sAMAccountName={2})(|(memberOf=cn=contractor,dc=hadoop,dc=apache,dc=org)(memberOf=cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org)))"/>
>     <param name="main.ldapRealm.userObjectClass"
>            value="person"/>
>
> users.ldif
>
> # Please replace with site specific values
> dn: dc=hadoop,dc=apache,dc=org
> objectclass: organization
> objectclass: dcObject
> o: Hadoop
> dc: hadoop
>
> # Entry for a sample people container
> # Please replace with site specific values
> dn: ou=people,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: people
>
> # Entry for a sample contractor container
> # Please replace with site specific values
> dn: ou=contractor,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: contractor
>
> # entry for sample user jerry
> dn: uid=jerry,ou=contractor,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> cn: jerry
> sn: jerry
> uid: jerry
> userPassword: jerry-password
>
> # entry for sample user sam
> dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> cn: sam
> sn: sam
> uid: sam
> userPassword: sam-password
>
> # entry for sample user tom
> dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> cn: tom
> sn: tom
> uid: tom
> userPassword: tom-password
>
> # create FIRST Level groups branch
> dn: ou=groups,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: groups
> description: generic groups branch
>
> # create the analyst group under groups
> dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: analyst
> description: analyst group
> member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
> member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
>
> # create the scientist group under groups
> dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: scientist
> description: scientist group
> member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
>
> On Nov 7, 2018, at 4:45 PM, Kevin Risden <kris...@apache.org> wrote:
>
> Assuming you are referring to something like KNOX-1307 [1]? The user
> search filter you can create can filter by groups depending on what you are
> trying to do. memberOf is one way for AD to limit users to only ones in a
> certain group.
>
> 1. https://issues.apache.org/jira/browse/KNOX-1307
>
> Kevin Risden
>
>
> On Wed, Nov 7, 2018 at 4:24 PM Raja Marimuthu <raja.marimu...@northbaysolutions.com> wrote:
>
>> Hi,
>>
>> We are trying to filter users by specific LDAP groups, and tried several
>> options provided in the documentation:
>>
>> https://knox.apache.org/books/knox-1-1-0/user-guide.html#Advanced+LDAP+Authentication
>>
>> User Search by Filter
>>
>>    - userSearchBase (Required)
>>    - userSearchFilter (Required)
>>    - userSearchScope (Optional)
>>    - principalRegex (Optional)
>>
>> Is group filtering supported? Do we have any working alternative to
>> filter users by group?
>>
>> Thanks
>> Raja

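Added worked example (not Kevin's, Raja's or the Knox project's code) of what "update the user object with the attributes" amounts to. The groupOfNames entries in the posted users.ldif carry the relationship on the group side, as member values; AD's memberOf is the same relationship inverted onto the user, so on a server without the virtual attribute you compute that inversion yourself and write it into the user entries. The script parses a constructed LDIF that mirrors the thread's sample data (sam in analyst and scientist, tom in analyst), builds the per-user memberOf list, shows which users a (|(memberOf=...)(memberOf=...)) clause would accept, and emits changetype: modify LDIF adding the values. Assumptions: groups are modelled as groupOfNames/member exactly as in the posted LDIF, and the target schema permits a memberOf attribute on the user object class; that second point has to be checked against your Apache DS schema before loading the output, and if the attribute type is absent it must be added to the schema first. The parenthesis check at the end is a sanity check for a hand-written userSearchFilter; the directory rejects a filter that does not parse.

```python
"""Emulate AD's memberOf on a groupOfNames directory (added example)."""
from collections import defaultdict

# Constructed sample data mirroring the thread's users.ldif, trimmed to
# the attributes this example needs.
SAMPLE_LDIF = """\
# users and groups, groupOfNames style (member attribute on the group)
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: inetOrgPerson
uid: sam

dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: inetOrgPerson
uid: tom

dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupOfNames
cn: analyst
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupOfNames
cn: scientist
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attr: [values]}).

    Handles comments, blank-line record separators, folded continuation
    lines, and 'attr:value' with or without a space after the colon.
    Base64 ('::') and URL (':<') value forms are out of scope here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # RFC 2849 line folding
        else:
            unfolded.append(line)

    records, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    if current:
        records.append(current)
    return records


def normalize_dn(dn):
    """Loose DN normalisation for comparison: lowercase, RDN padding trimmed.
    Enough for the DNs in this thread; escaped commas are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compute_member_of(records):
    """Invert group 'member' values into a per-user list of group DNs.
    This is the relationship AD exposes as the virtual memberOf attribute."""
    member_of = defaultdict(set)
    for dn, attrs in records:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" in classes:
            for member in attrs.get("member", []):
                member_of[normalize_dn(member)].add(dn)
    return {user: sorted(groups) for user, groups in member_of.items()}


def users_in_any_group(member_of, allowed_groups):
    """Users a (|(memberOf=g1)(memberOf=g2)...) clause would accept."""
    allowed = {normalize_dn(g) for g in allowed_groups}
    return sorted(user for user, groups in member_of.items()
                  if any(normalize_dn(g) in allowed for g in groups))


def member_of_modify_ldif(records, member_of):
    """LDIF 'changetype: modify' records that add memberOf to each user.
    Assumes the schema allows memberOf on the user object class."""
    out = []
    for dn, _ in records:
        groups = member_of.get(normalize_dn(dn))
        if not groups:
            continue
        lines = [f"dn: {dn}", "changetype: modify", "add: memberOf"]
        lines += [f"memberOf: {g}" for g in groups]
        lines.append("-")
        out.append("\n".join(lines) + "\n")
    return "\n".join(out)


def filter_parens_balanced(ldap_filter):
    """Sanity check for a hand-written LDAP filter: parentheses must balance."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    mo = compute_member_of(recs)
    wanted = ["cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org"]
    print("would match scientist clause:", users_in_any_group(mo, wanted))
    print(member_of_modify_ldif(recs, mo))
```

Run it as-is to see the modify LDIF; only feed that output to ldapmodify against the demo server after confirming the schema accepts memberOf. Remember that the materialised values go stale whenever group membership changes, which is exactly what AD's virtual attribute spares you, so regenerate them as part of whatever process edits the groups.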