Just adding some assistance to the Solr-LDAP integration options. A colleague 
of mine wrote a plugin that adopts a similar approach to the one Jan suggested 
of "plugging-in" an LDAP provider.

He provides the following notes on its design and use:



1.   It authenticates with LDAP on every request, which can be expensive. In the 
same repo he's written an optimisation for a gremlin-ldap-plugin that can 
probably be ported here (once LDAP successfully authenticates, it caches the 
credentials locally by BCrypt-hashing them and uses the cached hash to validate 
subsequent requests until the cache timeout, which is when it goes back to LDAP 
again. So, any password changes in LDAP are reflected correctly. This caching 
can be turned on and off with a param based on how expensive the LDAP auth is).

2.  He had to copy large swaths of code from 
org.apache.solr.security.RuleBasedAuthorizationPlugin into the LDAP 
authorisation plugin because the Solr class is not extensible. A refactor of the 
class to make extension easier would prevent this.

3.  Finally, the inter-node authentication. Need to look into it to see if 
there is a mechanism to extend the inter-node auth to include roles in the 
payload so that the LDAP role lookup isn't happening on every node that the 
request ends up hitting.



But if someone really wants LDAP integration they can use it as is. It's a good 
starting point anyway.  (https://github.com/vjgorla/solr-ldap-plugin)

Thanks,

Dwane
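
The caching scheme from note 1, as an added example that is not part of the original message or of the solr-ldap-plugin repository. It assumes Java 16+, takes the LDAP bind as a hypothetical callback, uses hypothetical names throughout, and substitutes the JDK's PBKDF2 for BCrypt because BCrypt is not in the standard library:

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added sketch, not the plugin's code: all names here are hypothetical.
public class CachingLdapAuthenticator {
    private record Entry(byte[] salt, byte[] hash, long expiresAt) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final BiPredicate<String, char[]> ldapBind; // assumed: true if the LDAP bind succeeds
    private final long ttlMillis;
    private final boolean cacheEnabled; // the on/off parameter from the notes

    public CachingLdapAuthenticator(BiPredicate<String, char[]> ldapBind, long ttlMillis, boolean cacheEnabled) {
        this.ldapBind = ldapBind;
        this.ttlMillis = ttlMillis;
        this.cacheEnabled = cacheEnabled;
    }

    public boolean authenticate(String user, char[] password) throws GeneralSecurityException {
        if (password.length == 0) return false; // an empty password can become an unauthenticated LDAP bind
        long now = System.currentTimeMillis();
        Entry e = cacheEnabled ? cache.get(user) : null;
        if (e != null && now < e.expiresAt()
                && MessageDigest.isEqual(e.hash(), derive(password, e.salt()))) {
            return true; // cache hit: no LDAP round trip
        }
        // Miss, expired entry, or a password that differs from the cached one: LDAP decides.
        if (!ldapBind.test(user, password)) return false;
        if (cacheEnabled) {
            byte[] salt = new byte[16];
            random.nextBytes(salt);
            cache.put(user, new Entry(salt, derive(password, salt), now + ttlMillis));
        }
        return true;
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally { spec.clearPassword(); }
    }
}
```

In this sketch a password that was changed or disabled in LDAP is still accepted from the cache until its entry expires, so `ttlMillis` bounds that window. Entries for users who never return are not evicted here and would need a periodic sweep in a long-running server.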
________________________________
From: Jan Høydahl <jan....@cominvent.com>
Sent: Monday, 7 September 2020 5:21 PM
To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
Subject: Re: BasicAuth help

That github patch is interesting.
My initial proposal for how to plug LDAP into Solr was to make the 
AuthenticationProvider pluggable in BasicAuthPlugin, so you could plug in an 
LDAPAuthProvider. See https://issues.apache.org/jira/browse/SOLR-8951. No need 
to replace the whole BasicAuth class I think. Anyone who wants to give it a 
shot, borrowing some code from the ldap_solr repo, feel free :)

Jan

> On 4 Sep 2020, at 09:43, Aroop Ganguly <aroopgang...@icloud.com.INVALID> wrote:
>
> Try looking at a simple LDAP authentication suggested here: 
> https://github.com/itzmestar/ldap_solr
> You can combine this for authentication and couple it with rule based 
> authorization.
>
>
>
>> On Aug 28, 2020, at 12:26 PM, Vanalli, Ali A - DOT <ali.vana...@dot.wi.gov 
>> <mailto:ali.vana...@dot.wi.gov>> wrote:
>>
>> Hello,
>>
>> Solr is running on a Windows machine and I am wondering if it is possible to 
>> set up BasicAuth with LDAP?
>>
>> Also, I tried the example of Basic-Authentication that is published here 
>> <https://lucene.apache.org/solr/guide/8_6/rule-based-authorization-plugin.html#rule-based-authorization-plugin>
>> but this did not work either.
>>
>> Thanks...Ali
>>
>>
>
