[ https://issues.apache.org/jira/browse/KNOX-242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995332#comment-13995332 ]
Vinay Shukla commented on KNOX-242:
-----------------------------------

Paul,

Let's keep security SME in the loop. I believe Rommel can provide the answer from the current POR source for Security https://hortonworks.jira.com/browse/RMP-1478

-Vinay

> knox needs to support basedn, search attribute based LDAP authentication
> -------------------------------------------------------------------------
>
>                 Key: KNOX-242
>                 URL: https://issues.apache.org/jira/browse/KNOX-242
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Dilli Arumugam
>            Assignee: Dilli Arumugam
>
> To set the context, here is the authentication provider specification in a Knox topology file:
>
> <provider>
>   <role>authentication</role>
>   <enabled>true</enabled>
>   <name>ShiroProvider</name>
>   <param>
>     <name>main.ldapRealm</name>
>     <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
>   </param>
>   <param>
>     <name>main.ldapRealm.userDnTemplate</name>
>     <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>   </param>
>   <param>
>     <name>main.ldapRealm.contextFactory.url</name>
>     <value>ldap://localhost:33389</value>
>   </param>
>   <param>
>     <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>     <value>simple</value>
>   </param>
>   <param>
>     <name>urls./**</name>
>     <value>authcBasic</value>
>   </param>
> </provider>
>
> This allows configurable userDnTemplate to infer the bindDN based on the authenticating user name.
>
> However, in enterprise use cases, it is not always possible to infer bindDN based on authenticating username using a template like this.
> We have to do a search in the directory based on the userName mapped to a configurable attribute name to find the userDN. This means, we should add at least one additional configuration parameter such as userSearchTemplate.
>
> An example value for userSearchTemplate
> (&(uid={0})(objectclass=inetorgperson))
>
> BaseDN for search can be specified as part of contextFactory.url
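The two login flows the issue description contrasts, template bind versus search-then-bind, as an added example that is neither Knox's nor Shiro's code. The in-memory directory, the search base `dc=hadoop,dc=apache,dc=org`, the account names, passwords and function names are all assumptions made for the example; only the two template strings come from the issue. It goes one step beyond the issue text: the login name substituted into the templates is escaped per RFC 4514 (for the DN) and RFC 4515 (for the search filter), which any search-based realm must do so that the name is matched literally and cannot alter the filter.

```python
"""
Added example (not Apache Knox or Shiro code): template bind versus
search-then-bind, run against a constructed in-memory directory.
A real realm talks to the server over JNDI or ldap3; here a dict stands
in so the flow runs offline. Names, values and passwords are made up.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org": {
        "uid": ["guest"],
        "objectclass": ["inetOrgPerson", "person"],
        "userpassword": ["guest-password"],
    },
    # An account whose DN cannot be derived from the uid: the case the issue raises.
    "cn=Sam Admin,ou=staff,dc=hadoop,dc=apache,dc=org": {
        "uid": ["sam"],
        "objectclass": ["inetOrgPerson", "person"],
        "userpassword": ["sam-password"],
    },
}

USER_DN_TEMPLATE = "uid={0},ou=people,dc=hadoop,dc=apache,dc=org"  # from the issue
USER_SEARCH_TEMPLATE = "(&(uid={0})(objectclass=inetorgperson))"  # from the issue
SEARCH_BASE = "dc=hadoop,dc=apache,dc=org"  # assumed search base


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN template."""
    escaped = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter: the login
    name is always matched literally and can never add or close assertions."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def dn_from_template(username: str) -> str:
    return USER_DN_TEMPLATE.replace("{0}", escape_dn_value(username))


def build_search_filter(username: str) -> str:
    return USER_SEARCH_TEMPLATE.replace("{0}", escape_filter_value(username))


# One equality assertion "(attr=value)"; the value may carry \xx escapes.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")


def parse_and_filter(flt: str) -> List[Tuple[str, str]]:
    """Parse the filter subset the template uses: an AND of equality assertions."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&(a=v)(b=w)...) filters are supported here")
    body, pos, assertions = flt[2:-1], 0, []
    while pos < len(body):
        m = _ASSERTION.match(body, pos)
        if m is None:
            raise ValueError("malformed filter near %r" % body[pos:])
        # Undo the RFC 4515 escapes to recover the literal value to compare.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        assertions.append((m.group(1).lower(), value.lower()))
        pos = m.end()
    return assertions


def search_user_dn(username: str) -> Optional[str]:
    """Resolve the user's DN under SEARCH_BASE; None if no entry or more than one matches."""
    assertions = parse_and_filter(build_search_filter(username))
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if (dn == SEARCH_BASE or dn.endswith("," + SEARCH_BASE))
        and all(v in [x.lower() for x in attrs.get(a, [])] for a, v in assertions)
    ]
    return matches[0] if len(matches) == 1 else None


def bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind. An empty password is refused up front:
    many servers treat it as an anonymous bind that 'succeeds' for any DN."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def authenticate_with_template(username: str, password: str) -> bool:
    """Template bind: derive the DN from userDnTemplate and bind as it."""
    return bind(dn_from_template(username), password)


def authenticate_with_search(username: str, password: str) -> Optional[str]:
    """Search-then-bind: returns the bound DN on success, None otherwise."""
    dn = search_user_dn(username)
    return dn if dn is not None and bind(dn, password) else None


if __name__ == "__main__":
    print(authenticate_with_template("guest", "guest-password"))  # True
    print(authenticate_with_template("sam", "sam-password"))  # False: DN is not under ou=people
    print(authenticate_with_search("sam", "sam-password"))  # cn=Sam Admin,ou=staff,...
    print(build_search_filter("*)(uid=*"))  # escaped, so it matches nothing
```

The `sam` account is the point of the issue: its DN lives under `ou=staff` with a `cn` RDN, so the `uid={0},ou=people,...` template can never reach it, while the search resolves it from the `uid` attribute. `search_user_dn` refuses ambiguous results (more than one match) rather than binding as the first one, and `bind` rejects an empty password before contacting the directory, since an unauthenticated simple bind would otherwise look like a successful login.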