[ https://issues.apache.org/jira/browse/KNOX-242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995565#comment-13995565 ]

Dilli Arumugam commented on KNOX-242:
-------------------------------------

Hi Paul,

Adding the enhancement can be done in about a week with another week for
documentation from a developer perspective.

Getting this into a release could take longer.

CCing Kevin and Vinay.

Thanks
Dilli






> knox needs to support basedn,  search attribute based LDAP authentication
> -------------------------------------------------------------------------
>
>                 Key: KNOX-242
>                 URL: https://issues.apache.org/jira/browse/KNOX-242
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Dilli Arumugam
>            Assignee: Dilli Arumugam
>
> To set the context,  here is the authentication provider specification in a 
> Knox topology file:
>  <provider>
>             <role>authentication</role>
>             <enabled>true</enabled>
>             <name>ShiroProvider</name>
>             <param>
>                 <name>main.ldapRealm</name>
>                 <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.userDnTemplate</name>
>                 <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.url</name>
>                 <value>ldap://localhost:33389</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>                 <value>simple</value>
>             </param>
>             <param>
>                 <name>urls./**</name>
>                 <value>authcBasic</value>
>             </param>
>         </provider>
> This allows configurable userDnTemplate to infer the bindDN based on the  
> authenticating user name.
> However,  in enterprise use cases,  it is not always possible to infer bindDN 
> based on authenticating username using a template like this.
> We have to do a search in the directory based on the userName mapped to a 
> configurable attribute name to find the userDN.  This means,  we should add 
> at least one additional configuration parameter such as 
> userSearchTemplate.
> An example value for userSearchTemplate
> (&(uid={0})(objectclass=inetorgperson))
> BaseDN for search can be specified as part of
> contextFactory.url



--
This message was sent by Atlassian JIRA
(v6.2#6252)
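
The search-based lookup proposed in the issue description places the authenticating user name inside an LDAP filter, so the name has to be escaped per RFC 4515 before it replaces {0}. The following is an added example, not code from Knox or Shiro: the class and method names are hypothetical, the user names are constructed samples, and the URL with a base DN in its path is constructed from the DN shown in the issue.

```java
import java.net.URI;

public class UserSearchTemplateDemo {

    // RFC 4515 escaping for a value placed inside a search filter,
    // so filter metacharacters in the user name stay literal.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Substitute the escaped user name for {0} in the search template.
    // String.replace is a literal replacement, so the backslashes survive.
    static String buildFilter(String userSearchTemplate, String userName) {
        return userSearchTemplate.replace("{0}", escapeFilterValue(userName));
    }

    // Base DN carried in the path of the LDAP URL (empty if none is given).
    static String baseDnFromUrl(String url) {
        String path = URI.create(url).getPath();
        return (path == null || path.length() <= 1) ? "" : path.substring(1);
    }

    public static void main(String[] args) {
        // Template value taken from the issue description.
        String template = "(&(uid={0})(objectclass=inetorgperson))";
        // Constructed URL: host and port from the issue, base DN appended as the path.
        String url = "ldap://localhost:33389/ou=people,dc=hadoop,dc=apache,dc=org";
        System.out.println("base:   " + baseDnFromUrl(url));
        // Constructed user names: one plain, two containing filter metacharacters.
        for (String user : new String[] {"guest", "gu*st", "a)(b"}) {
            System.out.println("filter: " + buildFilter(template, user));
        }
    }
}
```

The filter and base DN would then drive a directory search, and the bind should proceed only when that search returns exactly one entry, using that entry's DN.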
