handavid commented on code in PR #1258: URL: https://github.com/apache/knox/pull/1258#discussion_r3405126452
########## knox-site/docs/service_ldap_server.md: ########## 
@@ -60,6 +60,31 @@ The duplicate user filter interceptor ensures that each `Entry` has a unique `ui The user search interceptor is created if the `interceptorType` configuration is set to `backend`. This interceptor forwards search queries to its configured backend. +#### Roles Lookup Interceptor (`rolesLookup`) + +The rolesLookup interceptor is created if the `interceptorType` configuration is set to `rolesLookup`. This interceptor transforms the response entities based on the mappings provided by the Role Lookup Service. For each entity, a request will be made to lookup roles based on the user's name and group membership. These roles will replace the values in the `memberOf` attribute. + +The interceptor will skip role mapping for a search request if the RolesLookupBypassControl is set to true. + +For example, the control can be added to the `ldapsearch` cli using the `-e` option. +```shell script +ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e "<oid>=<value>" '(uid=sam*)' '*' +``` +The control is specified using it's OID. The OID used for this control is configurable until an official OID is generated. An OID generated from a UUID, e.g., `1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953`, is guaranteed not to collide with existing OIDs. + +| Property | Default Value | Description | +| :--- | :--- | :--- | +| `gateway.ldap.roles.lookup.bypass.control.oid` | N/A | The OID to use for the bypass control. The control will not be registered if this value is not provided. The Knox LDAP Service will fail to initialize if the value provided is on an OID. | Review Comment: removed since OID will not be configurable -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
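Review bot: The sentence "The interceptor will skip role mapping for a search request if the RolesLookupBypassControl is set to true" in the new rolesLookup section does not say who is allowed to send the control or what `memberOf` contains when mapping is skipped. Because the interceptor otherwise replaces `memberOf` with the looked-up roles, please document whether any client that can search may set the bypass, and what a bypassed response returns in `memberOf`, so that consumers making decisions on that attribute know which form they can receive. Two wording fixes in the same hunk: "using it's OID" should be "using its OID", and "if the value provided is on an OID" in the property table reads as if "is not an OID" was intended.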
