[ https://issues.apache.org/jira/browse/KNOX-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15622924#comment-15622924 ]

Larry McCay commented on KNOX-536:
----------------------------------

Moving this out to 0.11.0.

As I began to test the use of PAM support as the resolution of this issue, it 
became less and less obvious as to whether we need direct support for a 
mechanism that can allow this or whether it makes sense to have a whole recipe 
for accomplishing this use case.

For instance, from what [~eyang] has described in the comments above, it seems 
that it may not be sufficient to use the PAM module for a nested-OU use case. 
I'm not sure whether I am interpreting the significance of the need to flatten 
out the hierarchy in his description properly or not. I read it as saying that 
while the use of a PAM module with LDAP might give you the capability that you 
need, it may be too brittle for organizational change when users move from one 
branch to another. This is why they leverage pam_sss and SSSD to flatten the 
structure across multiple LDAP instances.

At any rate, I am moving this out so that we can close down on the 0.10.0 
release without being blocked by this. We should continue the discussion on two 
fronts:

1. whether we do have the ability to do authentication and group lookup with 
nested OUs - with or without weaknesses/constraints
2. whether we can articulate and provide a best practices wiki or documentation 
for how to address any weaknesses/constraints that are in #1.

> LDAP authentication against nested OU
> -------------------------------------
>
>                 Key: KNOX-536
>                 URL: https://issues.apache.org/jira/browse/KNOX-536
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: 0.11.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Knox Gateway provides HTTP BASIC authentication against an LDAP user 
> directory. It currently supports only a single Organizational Unit (OU) and 
> does not support nested OUs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
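The two points Larry lists (authentication and group lookup across nested OUs, and the constraints that come with it) boil down to a difference in how the user's DN is located. A fixed DN template such as `uid={0},ou=people,...` can only ever bind users that sit directly in that one OU; a search-then-bind flow that scans the subtree under a base DN finds users in any nested OU, but it has to fail closed when the search is ambiguous. The following added example, which is not Knox code and not from the JIRA thread, models both approaches over a small constructed in-memory directory so the behaviour can be compared without an LDAP server. The DN handling (splitting on commas) is a deliberate simplification for this toy data; real DNs need an RFC 4514 parser.

```python
"""Template bind vs. subtree search for users in nested OUs.

Added illustration over a constructed in-memory "directory"; it is not
Knox code and does not talk to a real LDAP server.
"""
import secrets

# Constructed sample directory: DN -> attributes. Users live at several
# depths under ou=people; "dave" exists twice to show the ambiguity case.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=engineering,ou=people,dc=example,dc=com":
        {"uid": "bob", "userPassword": "bob-pw"},
    "uid=carol,ou=ops,ou=engineering,ou=people,dc=example,dc=com":
        {"uid": "carol", "userPassword": "carol-pw"},
    "uid=dave,ou=sales,ou=people,dc=example,dc=com":
        {"uid": "dave", "userPassword": "dave-pw"},
    "uid=dave,ou=contractors,ou=people,dc=example,dc=com":
        {"uid": "dave", "userPassword": "dave-pw"},
    "cn=admins,ou=groups,dc=example,dc=com":
        {"cn": "admins",
         "member": ["uid=bob,ou=engineering,ou=people,dc=example,dc=com"]},
}

PEOPLE_BASE = "ou=people,dc=example,dc=com"
GROUPS_BASE = "ou=groups,dc=example,dc=com"
USER_DN_TEMPLATE = "uid={0}," + PEOPLE_BASE   # single-OU template


def split_dn(dn):
    """Toy DN split (no escaping support); good enough for the sample data."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base, scope):
    """True if dn lies under base. scope='one' means exactly one RDN below
    the base (LDAP one-level scope); scope='sub' means any depth."""
    dn_parts, base_parts = split_dn(dn), split_dn(base)
    if len(dn_parts) <= len(base_parts):
        return False
    if dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    return depth == 1 if scope == "one" else True


def bind(dn, password):
    """Simulated simple bind: the entry must exist and the password match."""
    entry = DIRECTORY.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return secrets.compare_digest(entry["userPassword"], password)


def authenticate_template(uid, password):
    """Template approach: DN is computed, never searched for. Users in a
    nested OU produce a DN that does not exist, so the bind fails."""
    return bind(USER_DN_TEMPLATE.format(uid), password)


def authenticate_search(uid, password, base=PEOPLE_BASE, scope="sub"):
    """Search-then-bind: locate exactly one entry whose uid matches under the
    base (at the requested scope), then bind as that DN. Returns the bound DN
    or None. Zero or several matches fail closed."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if attrs.get("uid") == uid and is_under(dn, base, scope)]
    if len(matches) != 1:
        return None
    return matches[0] if bind(matches[0], password) else None


def groups_for(user_dn, base=GROUPS_BASE):
    """Group lookup by member DN under the groups base (subtree scope)."""
    wanted = user_dn.lower()
    return sorted(attrs["cn"] for dn, attrs in DIRECTORY.items()
                  if is_under(dn, base, "sub")
                  and wanted in (m.lower() for m in attrs.get("member", [])))


if __name__ == "__main__":
    print("template, alice:", authenticate_template("alice", "alice-pw"))
    print("template, bob:  ", authenticate_template("bob", "bob-pw"))
    bob_dn = authenticate_search("bob", "bob-pw")
    print("search, bob:    ", bob_dn, groups_for(bob_dn) if bob_dn else [])
    print("search, dave:   ", authenticate_search("dave", "dave-pw"))
```

Running it shows alice (directly in `ou=people`) authenticating either way, bob and carol only via the subtree search, and dave rejected by the search because two entries share the uid. That last case is the constraint a best-practices write-up would have to spell out: once the search base covers nested OUs, uid uniqueness across the whole subtree becomes a precondition for authentication, not just a convention.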