[
https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15419004#comment-15419004
]
Larry McCay commented on KNOX-537:
----------------------------------
Hi [~hkropp] - thank you for the patch and description of what you had to do!
What I need to know in order to review and test this is exactly what I need to
do to test an authentication on my mac given this patch. Generally, we test
against our demo LDAP server - if this is easily done using this patch then we
should do so as it will be able to run in other environments as well. If we are
better off authenticating against OS users that may work as well.
I think given those instructions that we can craft some documentation for it
that can be contributed through the site maint process described:
https://cwiki.apache.org/confluence/display/KNOX/Site+Maintenance
We will need to add an 0.10.0 book for it before we can add it though.
I can help with all of those documentation tasks.
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Henning Kropp
> Labels: knox, pam
> Fix For: 0.10.0
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch,
> KNOX-537.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS level PAM security provides great interface for authentication and
> authorization. For example, sssd provides support for manage Active
> Directory nested OU by adjusting ldap_group_nesting_level = 5. Knox
> configuration is configured to interact with LDAP directly, but this has two
> short cominges. First, hgh volume traffic is likely to make too many
> queries to AD without cache. Second, complex logic of LDAP queries can not
> map correctly to UserDnTemplate without adding more ldap specific logic into
> JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to out source complex OS to AD interaction to
> sssd. It is possible to implement a shiro PAM plugin to reduce the complex
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is a least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
