Kevin,

I have set up AD and configured it in the gateway XML, but I am having this issue:

2018-11-14 21:08:26,993 DEBUG knox.gateway (GatewayFilter.java:doFilter(119)) - Received request: GET /ganglia/
2018-11-14 21:08:27,016 DEBUG knox.gateway (KnoxLdapRealm.java:getUserDn(718)) - Searching from dc=ds,dc=nb,dc=com where (&(objectclass=*)(memberOf=cn=marsh-prd-global-bld-powerusers,OU=Applications,OU=Groups,DC=ds,DC=nb,DC=com)) scope subtree
2018-11-14 21:08:27,022 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(724)) - Computed userDn: CN=Len,OU=US02P01,OU=mmc_users,DC=ds,DC=nb,DC=com using ldapSearch for principal: len
2018-11-14 21:08:27,045 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(66)) - Failed to execute filter: javax.servlet.ServletException: java.lang.NullPointerException
javax.servlet.ServletException: java.lang.NullPointerException
        at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
        at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:148)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

Thanks
Raja

From: Kevin Risden <kris...@apache.org>
Reply-To: "user@knox.apache.org" <user@knox.apache.org>
Date: Thursday, November 8, 2018 at 5:41 PM
To: "user@knox.apache.org" <user@knox.apache.org>
Subject: Re: Knox LDAP group filter is not working

If you are using the demo LDAP server then memberOf isn't available. It is an LDAP extension that only exists in AD. Apache DS LDAP doesn't support virtual attributes. If you want to emulate it you would need to update the user object with the attributes.

Kevin Risden

On Thu, Nov 8, 2018 at 5:38 PM Raja Marimuthu <raja.marimu...@northbaysolutions.com> wrote:

Kevin,

I have tried, but it's not working. Here's my gateway XML LDAP config:

<param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm" />
<param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory" />
<param name="main.ldapRealm.contextFactory" value="$ldapContextFactory" />
<param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <value>true</value>
</param>
<param name="main.ldapRealm.contextFactory.url" value="ldap://localhost:33389"/>
<param name="main.ldapRealm.contextFactory.systemUsername" value="uid=admin,ou=people,dc=hadoop,dc=apache,dc=org"/>
<param name="main.ldapRealm.contextFactory.systemPassword" value="admin-password"/>
<param name="main.ldapRealm.userSearchBase" value="ou=people,dc=hadoop,dc=apache,dc=org"/>
<param name="main.ldapRealm.userSearchFilter" value="(&(objectclass=person)(sAMAccountName={2})(|(memberOf=cn=contractor,dc=hadoop,dc=apache,dc=org)(memberOf=cn=scientist,ou=grouds,dc=hadoop,dc=apache,dc=org))"/>
<param name="main.ldapRealm.userObjectClass" value="person"/>

users.ldif

# Please replace with site specific values
dn: dc=hadoop,dc=apache,dc=org
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: people

# Entry for a sample contractor container
# Please replace with site specific values
dn: ou=contractor,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: contractor

# entry for sample user jerry
dn: uid=jerry,ou=contractor,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: jerry
sn: jerry
uid: jerry
userPassword:jerry-password

# entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword:sam-password

# entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword:tom-password

# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: groups
description: generic groups branch

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: analyst
description:analyst group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org

On Nov 7, 2018, at 4:45 PM, Kevin Risden <kris...@apache.org> wrote:

Assuming you are referring to something like KNOX-1307 [1]? The user search filter you can create can filter by groups depending on what you are trying to do. memberOf is one way for AD to limit users to only ones in a certain group.

1. https://issues.apache.org/jira/browse/KNOX-1307

Kevin Risden

On Wed, Nov 7, 2018 at 4:24 PM Raja Marimuthu <raja.marimu...@northbaysolutions.com> wrote:

Hi,

We are trying to filter users by specific LDAP groups, and have tried several options provided in the documentation: https://knox.apache.org/books/knox-1-1-0/user-guide.html#Advanced+LDAP+Authentication

User Search by Filter
· userSearchBase (Required)
· userSearchFilter (Required)
· userSearchScope (Optional)
· principalRegex (Optional)

Is a group filter supported? Do we have any working alternative to filter users by group?

Thanks
Raja
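To make Kevin's point concrete, here is an added example (not Knox, Shiro or Apache DS code) that evaluates the memberOf clause of the posted userSearchFilter the way the realm would see it. It parses a constructed, cut-down copy of the thread's users.ldif, shows that no user matches because the stored entries carry no memberOf attribute, and then inverts the groupOfNames member lists to produce the memberOf values that would have to be written onto the user objects to emulate AD.

```python
SAMPLE_LDIF = """\
# constructed: a cut-down copy of the users.ldif posted in the thread
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:person
uid: sam

dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:person
uid: tom

dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupofnames
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for a simple LDIF (no continuations)."""
    entries, attrs = {}, {}
    for line in text.splitlines() + [""]:        # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip():
            name, value = line.split(":", 1)     # tolerates 'objectclass:top'
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        elif attrs:
            entries[attrs.pop("dn")[0]] = attrs
            attrs = {}
    return entries

def emulated_memberof(entries):
    """Invert groupOfNames member lists: {user_dn: {group_dn, ...}}."""
    memberof = {}
    for dn, attrs in entries.items():
        if "groupofnames" in map(str.lower, attrs.get("objectclass", [])):
            for member in attrs.get("member", []):
                memberof.setdefault(member.lower(), set()).add(dn.lower())
    return memberof

def users_matching(entries, allowed_groups, memberof=None):
    """Users satisfying (&(objectclass=person)(|(memberOf=g1)(memberOf=g2)...))."""
    allowed = {g.lower() for g in allowed_groups}
    def groups_of(dn, attrs):   # memberOf values stored on the entry plus emulated ones
        stored = {v.lower() for v in attrs.get("memberof", [])}
        return stored | (memberof or {}).get(dn.lower(), set())
    return sorted(dn for dn, attrs in entries.items()
                  if "person" in map(str.lower, attrs.get("objectclass", []))
                  and groups_of(dn, attrs) & allowed)
```

Note that the posted filter spells the groups container `ou=grouds`, which would not match the `ou=groups` branch in users.ldif even once memberOf is present, and that its `sAMAccountName={2}` term has no counterpart in the LDIF entries, which identify users by `uid`.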