From [1], the userSearchFilter needs to have a reference to the user who is logged in. Basically what you are trying to do with the userSearchFilter is only allow the user to login if the user matches the query. When you do the search filter without a reference to the user who is trying to login you are basically just grabbing all users that match the query. This is not what you want. The principalRegex has capture groups that you can use in the userSearchFilter to build out the query to match for the given username and filter.
1. https://knox.apache.org/books/knox-1-1-0/user-guide.html#Advanced+LDAP+configuration+parameters

Kevin Risden

On Mon, Nov 26, 2018 at 3:53 PM Raja Marimuthu <[email protected]> wrote:

> Has anyone experienced this issue? Using LDAP group filter with AD?
>
> Logged in user is different, but it's taking the first user from the group as
> computed userDN, and throws Null pointer.
>
> Raja Marimuthu | Solutions Architect (AWS – Big Data)
> NorthBay Solutions
> Direct: 717-808-6966
> [email protected]
> www.northbaysolutions.com
>
> From: Raja Marimuthu <[email protected]>
> Date: Wednesday, November 14, 2018 at 4:37 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: Knox LDAP group filter is not working
>
> Kevin,
>
> I have set up AD and configured it in gateway xml, but I am having this issue…
>
> 2018-11-14 21:08:26,993 DEBUG knox.gateway (GatewayFilter.java:doFilter(119)) - Received request: GET /ganglia/
> 2018-11-14 21:08:27,016 DEBUG knox.gateway (KnoxLdapRealm.java:getUserDn(718)) - Searching from dc=ds,dc=nb,dc=com where (&(objectclass=*)(memberOf=cn=marsh-prd-global-bld-powerusers,OU=Applications,OU=Groups,DC=ds,DC=nb,DC=com)) scope subtree
> 2018-11-14 21:08:27,022 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(724)) - Computed userDn: CN=Len,OU=US02P01,OU=mmc_users,DC=ds,DC=nb,DC=com using ldapSearch for principal: len
> 2018-11-14 21:08:27,045 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(66)) - Failed to execute filter: javax.servlet.ServletException: java.lang.NullPointerException
> javax.servlet.ServletException: java.lang.NullPointerException
>         at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
>         at org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
>         at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:148)
>         at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>         at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>         at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>         at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>         at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>         at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>         at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>         at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>         at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>
> Thanks
> Raja
>
> From: Kevin Risden <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, November 8, 2018 at 5:41 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: Knox LDAP group filter is not working
>
> If you are using the demo LDAP server then memberOf isn't available. It is
> an LDAP extension that only exists in AD. Apache DS LDAP doesn't support
> virtual attributes. If you want to emulate it you would need to update the
> user object with the attributes.
>
> Kevin Risden
>
> On Thu, Nov 8, 2018 at 5:38 PM Raja Marimuthu <[email protected]> wrote:
>
> > Kevin,
> >
> > I have tried. But it's not working.
> >
> > Here's my gateway xml LDAP config
> >
> > <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm" />
> > <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory" />
> > <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory" />
> > <param>
> >   <name>main.ldapRealm.authorizationEnabled</name>
> >   <value>true</value>
> > </param>
> > <param name="main.ldapRealm.contextFactory.url" value="ldap://localhost:33389"/>
> > <param name="main.ldapRealm.contextFactory.systemUsername" value="uid=admin,ou=people,dc=hadoop,dc=apache,dc=org"/>
> > <param name="main.ldapRealm.contextFactory.systemPassword" value="admin-password"/>
> > <param name="main.ldapRealm.userSearchBase" value="ou=people,dc=hadoop,dc=apache,dc=org"/>
> > <param name="main.ldapRealm.userSearchFilter" value="(&(objectclass=person)(sAMAccountName={2})(|(memberOf=cn=contractor,dc=hadoop,dc=apache,dc=org)(memberOf=cn=scientist,ou=grouds,dc=hadoop,dc=apache,dc=org))"/>
> > <param name="main.ldapRealm.userObjectClass" value="person"/>
> >
> > users.ldif
> >
> > # Please replace with site specific values
> > dn: dc=hadoop,dc=apache,dc=org
> > objectclass: organization
> > objectclass: dcObject
> > o: Hadoop
> > dc: hadoop
> >
> > # Entry for a sample people container
> > # Please replace with site specific values
> > dn: ou=people,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:organizationalUnit
> > ou: people
> >
> > # Entry for a sample contractor container
> > # Please replace with site specific values
> > dn: ou=contractor,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:organizationalUnit
> > ou: contractor
> >
> > # entry for sample user jerry
> > dn: uid=jerry,ou=contractor,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:person
> > objectclass:organizationalPerson
> > objectclass:inetOrgPerson
> > cn: jerry
> > sn: jerry
> > uid: jerry
> > userPassword:jerry-password
> >
> > # entry for sample user sam
> > dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:person
> > objectclass:organizationalPerson
> > objectclass:inetOrgPerson
> > cn: sam
> > sn: sam
> > uid: sam
> > userPassword:sam-password
> >
> > # entry for sample user tom
> > dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:person
> > objectclass:organizationalPerson
> > objectclass:inetOrgPerson
> > cn: tom
> > sn: tom
> > uid: tom
> > userPassword:tom-password
> >
> > # create FIRST Level groups branch
> > dn: ou=groups,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass:organizationalUnit
> > ou: groups
> > description: generic groups branch
> >
> > # create the analyst group under groups
> > dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass: groupofnames
> > cn: analyst
> > description:analyst group
> > member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
> > member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
> >
> > # create the scientist group under groups
> > dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
> > objectclass:top
> > objectclass: groupofnames
> > cn: scientist
> > description: scientist group
> > member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
> >
> > On Nov 7, 2018, at 4:45 PM, Kevin Risden <[email protected]> wrote:
> >
> > Assuming you are referring to something like KNOX-1307 [1]? The user
> > search filter you can create can filter by groups depending on what you are
> > trying to do. memberOf is one way for AD to limit users to only ones in a
> > certain group.
> >
> > 1. https://issues.apache.org/jira/browse/KNOX-1307
> >
> > Kevin Risden
> >
> > On Wed, Nov 7, 2018 at 4:24 PM Raja Marimuthu <[email protected]> wrote:
> >
> > Hi,
> >
> > We are trying to filter users by specific LDAP groups, tried several
> > options provided in the documentation:
> >
> > https://knox.apache.org/books/knox-1-1-0/user-guide.html#Advanced+LDAP+Authentication
> >
> > User Search by Filter
> > - userSearchBase (Required)
> > - userSearchFilter (Required)
> > - userSearchScope (Optional)
> > - principalRegex (Optional)
> >
> > Is group filter supported? Do we have any working alternative to
> > filter users by group?
> >
> > Thanks
> > Raja
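Kevin's point at the top of the thread, that a userSearchFilter which only tests group membership returns every member of the group while one that binds the login principal through principalRegex capture groups returns a single user, can be seen in a small simulation. The code below is an added illustration, not Knox's implementation and not anything posted in this thread: it assumes Knox-style numbered placeholders where {0} is the whole principal and {N} is capture group N of principalRegex, escapes the substituted value per RFC 4515 (an added practice, not a claim about what Knox does), and evaluates the resulting filter against a constructed in-memory directory. The directory entries, group DN and both filter templates are made up for the example, and the evaluator supports only the and/or/equality/presence subset needed here.

```python
"""Simulated Knox-style LDAP user search (added illustration, not Knox code).
GROUP_ONLY never references the login principal and matches every group
member; PER_USER binds sAMAccountName to a principalRegex capture group."""
import re

# Constructed sample directory (not real data). Attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"dn": "CN=Len,OU=Users,DC=example,DC=com", "objectclass": ["top", "person"],
     "samaccountname": ["len"],
     "memberof": ["cn=powerusers,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "objectclass": ["top", "person"],
     "samaccountname": ["bob"],
     "memberof": ["cn=powerusers,OU=Groups,DC=example,DC=com",
                  "cn=analyst,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Eve,OU=Users,DC=example,DC=com", "objectclass": ["top", "person"],
     "samaccountname": ["eve"],
     "memberof": ["cn=analyst,OU=Groups,DC=example,DC=com"]},
]

# Constructed filter templates (hypothetical group DN).
GROUP = "cn=powerusers,OU=Groups,DC=example,DC=com"
GROUP_ONLY = "(&(objectclass=person)(memberOf=%s))" % GROUP
PER_USER = "(&(objectclass=person)(sAMAccountName={1})(memberOf=%s))" % GROUP

_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, so characters typed
    into the login name cannot change the shape of the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_filter(template, principal_regex, principal):
    """Replace {N} with capture group N of principal_regex matched against the
    whole principal ({0} is the entire principal). Assumed Knox-style syntax."""
    m = re.fullmatch(principal_regex, principal)
    if m is None:
        raise ValueError("principal %r does not match principalRegex %r"
                         % (principal, principal_regex))

    def group_value(ph):
        n = int(ph.group(1))
        if n > m.re.groups:   # e.g. {2} with a one-group regex such as (.*)
            raise ValueError("filter uses {%d} but principalRegex has only %d "
                             "capture group(s)" % (n, m.re.groups))
        return escape_filter_value(m.group(n) or "")

    return _PLACEHOLDER.sub(group_value, template)


def _parse(s, i):
    """Parse the filter subset used here: (&...), (|...), (attr=value), (attr=*)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d in %r" % (i, s))
        return (op, children), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(_matches(child, entry) for child in node[1])
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                      # presence test
        return bool(present)
    wanted = _unescape(value).lower()     # caseIgnoreMatch comparison
    return any(v.lower() == wanted for v in present)


def search(filter_str, directory=DIRECTORY):
    """DNs of every entry matching filter_str, in directory order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("unexpected trailing text in filter %r" % filter_str)
    return [e["dn"] for e in directory if _matches(node, e)]


def compute_user_dns(template, principal_regex, principal, directory=DIRECTORY):
    """Every DN the user search returns for one login; anything but one DN is a problem."""
    return search(expand_filter(template, principal_regex, principal), directory)


if __name__ == "__main__":
    for template in (GROUP_ONLY, PER_USER):
        print(expand_filter(template, "(.*)", "bob"), "->",
              compute_user_dns(template, "(.*)", "bob"))
```

Run as a script, the group-only template yields two DNs for a login of "bob", so whichever entry the server lists first is what a realm expecting a single DN would pick up, regardless of who actually logged in; the per-user template yields exactly Bob's DN, and an empty list for a user outside the group. A placeholder with no matching capture group raises instead of silently producing a filter that ignores the principal.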
