[
https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15419853#comment-15419853
]
Henning Kropp edited comment on KNOX-537 at 8/13/16 9:06 AM:
-------------------------------------------------------------
[~lmccay], the interactive test in {KnoxPamRealmTest.java} was designed for
testing on your local Mac. Just run it in in your favorite IDE and authenticate
with your user. It is really that simple.
I agree, that it would be preferred to integrate it in the current example/test
with the Knox LDAP, for demonstration, documentation, and tests. I worked a bit
on that and attache the steps required to this Jira.
Some of the changes are:
1. Required packages
{code}
yum install -y pam_ldap nss-pam-ldapd openldap-clients
{code}
2. Configuration of pam_ldap
3. The users in users.ldif need POSIX attributes like uidNumber, gidNumber, ...
3.1 NIS schema needs to be enabled in the Apache Directory like:
{code}
schemaManager.enable("nis");
{code}
3.2 ldapmodify for the sam user:
{code}
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
changetype: modify
add: objectclass
objectclass: posixAccount
-
add: objectclass
objectclass: shadowAccount
-
add: uidNumber
uidNumber: 10001
....
{code}
4. Create a pam.xml topologie
I was successful in doing this in my environment, but have difficulties
building the Knox test VM. I hope the steps in the upcoming document will help
to to implement this as part of the Knox deployment.
Thanks for making me aware of the LDAP improvments, I will see how my feedback
might be of any value.
was (Author: hkropp):
[~lmccay], the interactive test in {KnoxPamRealmTest.java} was designed for
testing on your local Mac. Just run it in in your favorite IDE and authenticate
with your user. It is really that simple.
I agree, that it would be preferred to integrate it in the current example/test
with the Knox LDAP, for demonstration, documentation, and tests. I worked a bit
on that and attache the steps required to this Jira.
Some of the changes are:
1. Required packages
[code]
yum install -y pam_ldap nss-pam-ldapd openldap-clients
[code]
2. Configuration of pam_ldap
3. The users in users.ldif need POSIX attributes like uidNumber, gidNumber, ...
3.1 NIS schema needs to be enabled in the Apache Directory like:
[code]
schemaManager.enable("nis");
[code]
3.2 ldapmodify for the sam user:
[code]
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
changetype: modify
add: objectclass
objectclass: posixAccount
-
add: objectclass
objectclass: shadowAccount
-
add: uidNumber
uidNumber: 10001
....
[code]
4. Create a pam.xml topologie
I was successful in doing this in my environment, but have difficulties
building the Knox test VM. I hope the steps in the upcoming document will help
to to implement this as part of the Knox deployment.
Thanks for making me aware of the LDAP improvments, I will see how my feedback
might be of any value.
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Henning Kropp
> Labels: knox, pam
> Fix For: 0.10.0
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch,
> KNOX-537.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS level PAM security provides great interface for authentication and
> authorization. For example, sssd provides support for manage Active
> Directory nested OU by adjusting ldap_group_nesting_level = 5. Knox
> configuration is configured to interact with LDAP directly, but this has two
> short cominges. First, hgh volume traffic is likely to make too many
> queries to AD without cache. Second, complex logic of LDAP queries can not
> map correctly to UserDnTemplate without adding more ldap specific logic into
> JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to out source complex OS to AD interaction to
> sssd. It is possible to implement a shiro PAM plugin to reduce the complex
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is a least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
