[ 
https://issues.apache.org/jira/browse/KNOX-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14519778#comment-14519778
 ] 

Eric Yang commented on KNOX-536:
--------------------------------

OS level PAM security provides a great interface for authentication and 
authorization.  For example, sssd provides support for managing Active Directory 
nested OU by adjusting ldap_group_nesting_level = 5.  Knox configuration is 
configured to interact with LDAP directly, but this has two shortcomings.   
First, high volume traffic is likely to make too many queries to AD without 
cache.  Second, complex logic of LDAP queries cannot map correctly to 
UserDnTemplate without adding more ldap specific logic into JndiLdapRealm code 
and parameters.

Knox can be improved to use PAM to outsource complex OS to AD interaction to 
sssd.  It is possible to implement a shiro PAM plugin to reduce the complex 
LDAP logic that is starting to accumulate in Knox.


> LDAP authentication against nested OU
> -------------------------------------
>
>                 Key: KNOX-536
>                 URL: https://issues.apache.org/jira/browse/KNOX-536
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: 0.7.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Knox Gateway provides HTTP BASIC authentication against an LDAP user 
> directory. It currently supports only a single Organizational Unit (OU) and 
> does not support nested OUs.
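The two shortcomings raised in the comment above (a fixed UserDnTemplate only resolving users directly under one OU, and uncached lookups multiplying backend queries under load) can be made concrete with a small model. The following is an added example, not code from the KNOX-536 thread or from Knox, Shiro or sssd; the directory entries, the `Backend` stand-in for AD and the `ou=people,dc=example,dc=com` base are constructed for illustration. `template_lookup` mimics the JndiLdapRealm style of substituting the login name into a fixed DN and binding, `subtree_lookup` mimics the search-based resolution that sssd performs, and `CachedResolver` shows why a cache in front of the directory matters.

```python
# Added example (not from the KNOX-536 thread): contrasts a fixed DN template
# lookup with a subtree search over nested OUs, and counts backend queries to
# show the effect of caching. All directory data below is constructed.
from dataclasses import dataclass

# Constructed sample directory: alice sits directly under ou=people,
# bob and carol sit in nested OUs beneath it.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com": {"uid": "bob"},
    "uid=carol,ou=eng,ou=contractors,ou=people,dc=example,dc=com": {"uid": "carol"},
}

BASE_DN = "ou=people,dc=example,dc=com"
# Same {0} placeholder syntax Shiro's userDnTemplate uses for the login name.
USER_DN_TEMPLATE = "uid={0},ou=people,dc=example,dc=com"


@dataclass
class Backend:
    """Stand-in for the AD/LDAP server; counts every query it receives."""
    entries: dict
    queries: int = 0

    def bind(self, dn: str) -> bool:
        """Simulates a bind attempt: succeeds only if the exact DN exists."""
        self.queries += 1
        return dn in self.entries

    def search_subtree(self, base: str, uid: str) -> list:
        """Simulates a subtree search for uid under base, any nesting depth."""
        self.queries += 1
        suffix = "," + base
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(suffix) and attrs["uid"] == uid]


def template_lookup(backend: Backend, template: str, uid: str) -> bool:
    """JndiLdapRealm-style: substitute uid into a fixed DN and bind.
    Only users directly under the templated OU can be found this way."""
    return backend.bind(template.format(uid))


def subtree_lookup(backend: Backend, base: str, uid: str) -> bool:
    """Search-based resolution (what sssd does): a user in any nested OU
    resolves, and exactly one match is required to avoid ambiguity."""
    return len(backend.search_subtree(base, uid)) == 1


class CachedResolver:
    """Caches resolved DNs so repeated logins for the same user hit the
    backend once instead of once per request."""

    def __init__(self, backend: Backend, base: str):
        self.backend = backend
        self.base = base
        self.cache = {}

    def resolve(self, uid: str):
        if uid not in self.cache:
            hits = self.backend.search_subtree(self.base, uid)
            self.cache[uid] = hits[0] if len(hits) == 1 else None
        return self.cache[uid]


def demo():
    """Runs the comparison and returns (template results, subtree results, query count)."""
    backend = Backend(dict(DIRECTORY))
    by_template = {u: template_lookup(backend, USER_DN_TEMPLATE, u) for u in ("alice", "bob", "carol")}
    by_subtree = {u: subtree_lookup(backend, BASE_DN, u) for u in ("alice", "bob", "carol")}
    cached = CachedResolver(Backend(dict(DIRECTORY)), BASE_DN)
    for _ in range(100):          # 100 logins for the same nested-OU user
        cached.resolve("bob")
    return by_template, by_subtree, cached.backend.queries


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the template resolving only alice while the subtree search resolves all three, and the cached resolver answering 100 logins for bob with a single backend query; that is the gap the comment proposes to close by delegating to PAM and sssd rather than growing the LDAP logic inside Knox.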



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)