[jira] [Work logged] (KNOX-3340) Enable KnoxLdapService Role Lookup to return either Roles or Groups

Fri, 12 Jun 2026 10:31:06 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3340?focusedWorklogId=1024944&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024944
 ]

ASF GitHub Bot logged work on KNOX-3340:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jun/26 17:30
            Start Date: 12/Jun/26 17:30
    Worklog Time Spent: 10m 
      Work Description: handavid commented on code in PR #1258:
URL: https://github.com/apache/knox/pull/1258#discussion_r3405126452


##########
knox-site/docs/service_ldap_server.md:
##########
@@ -60,6 +60,31 @@ The duplicate user filter interceptor ensures that each 
`Entry` has a unique `ui
 
 The user search interceptor is created if the `interceptorType` configuration 
is set to `backend`. This interceptor forwards search queries to its configured 
backend.
 
+#### Roles Lookup Interceptor (`rolesLookup`)
+
+The rolesLookup interceptor is created if the `interceptorType` configuration 
is set to `rolesLookup`. This interceptor transforms the response entities 
based on the mappings provided by the Role Lookup Service. For each entity, a 
request will be made to lookup roles based on the user's name and group 
membership. These roles will replace the values in the `memberOf` attribute.
+
+The interceptor will skip role mapping for a search request if the 
RolesLookupBypassControl is set to true.
+
+For example, the control can be added to the `ldapsearch` cli using the `-e` 
option.
+```shell script
+ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e 
"<oid>=<value>" '(uid=sam*)' '*'
+```
+The control is specified using it's OID. The OID used for this control is 
configurable until an official OID is generated. An OID generated from a UUID, 
e.g., `1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953`, is 
guaranteed not to collide with existing OIDs.
+
+| Property | Default Value | Description |
+| :-

Issue Time Tracking
-------------------

    Worklog Id:     (was: 1024944)
    Time Spent: 4h  (was: 3h 50m)

> Enable KnoxLdapService Role Lookup to return either Roles or Groups
> -------------------------------------------------------------------
>
>                 Key: KNOX-3340
>                 URL: https://issues.apache.org/jira/browse/KNOX-3340
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: David Han
>            Assignee: David Han
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 4h
>  Remaining Estimate: 0h
>
> The KnoxLdapService, when configured with role lookup will replace all groups 
> in the resulting entries with roles. This Jira provides a mechanism for 
> clients to request the underlying groups instead of the roles. E.g., groups 
> would be needed for some service to admin/manage the mapping between groups 
> and roles.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to