...
There are two scenarios that were tested
- Nested groups
- Nested OUs
- Using Multiple Search Bases
Nested Groups
The following diagram represents the nested groups structure used for testing:
...
This demonstrates that Knox can authenticate and retrieve groups against nested OUs.
Using Multiple Search Bases
The following diagram shows nested parallel OUs (processing and processing-2).
In this test we configure two different search bases:
- ou=processing,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
- ou=processing-2,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
The relevant sssd.conf settings for this test are as follows (unrelated lines elided):
```
[sssd]
....
domains = default, processing2
....
[domain/default]
....
ldap_search_base = ou=processing,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
....
[domain/processing2]
....
ldap_search_base = ou=processing-2,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
....
```
To check whether SSSD correctly resolves our users, we use the id command:
```
# id kim
uid=8001(kim) gid=8000(processors) groups=8000(processors)
# id jon
uid=9001(jon) gid=9000(processors-2) groups=9000(processors-2)
```
Similarly, when we access a resource secured by Knox as the users kim and jon, we get the following entries in gateway-audit.log (part of Knox logging):
```
for kim
success|Groups: [processors]
for jon
success|Groups: [processors-2]
```
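The following script is an added example (not code from Knox or SSSD) that automates the checks made above: it reads an sssd.conf fragment, confirms that every domain named in `domains` has its own `ldap_search_base` and that no two bases duplicate or nest inside each other (nested bases would return the same users and groups from two domains), then parses `id` output and the `Groups: [...]` field of a gateway-audit.log entry and checks that the two agree. The sssd.conf text, `id` lines and audit lines are constructed from the excerpts on this page; the DN splitting is simplified and does not handle escaped commas in attribute values.

```python
import configparser
import re

# Constructed inputs modelled on this page's sssd.conf fragment, `id` output
# and gateway-audit.log lines. Not taken from a live deployment.
SAMPLE_SSSD_CONF = """
[sssd]
domains = default, processing2

[domain/default]
id_provider = ldap
ldap_search_base = ou=processing,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org

[domain/processing2]
id_provider = ldap
ldap_search_base = ou=processing-2,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
"""

SAMPLE_ID_OUTPUT = {
    "kim": "uid=8001(kim) gid=8000(processors) groups=8000(processors)",
    "jon": "uid=9001(jon) gid=9000(processors-2) groups=9000(processors-2)",
}

# Only the tail of the audit entry is shown on the page; the format is assumed here.
SAMPLE_AUDIT_LINES = {
    "kim": "success|Groups: [processors]",
    "jon": "success|Groups: [processors-2]",
}


def parse_sssd_conf(text):
    """Return {domain_name: ldap_search_base} for every domain listed under [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    bases = {}
    for name in domains:
        section = f"domain/{name}"
        if section not in cp:
            raise ValueError(f"domain {name} is listed but has no [{section}] section")
        bases[name] = cp[section].get("ldap_search_base", "").strip()
    return bases


def split_dn(dn):
    # Simplified RDN split: escaped commas inside attribute values are not handled.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def check_search_bases(bases):
    """Flag domains with no base, duplicate bases, and bases nested inside each other."""
    problems, rdns = [], {}
    for name, base in bases.items():
        if not base:
            problems.append(f"domain {name}: ldap_search_base is not set")
        else:
            rdns[name] = split_dn(base)
    names = list(rdns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = rdns[a], rdns[b]
            if ra == rb:
                problems.append(f"domains {a} and {b} use the same search base")
            elif len(ra) < len(rb) and rb[-len(ra):] == ra:
                problems.append(f"search base of {a} contains that of {b}: entries under {b} resolve in both domains")
            elif len(rb) < len(ra) and ra[-len(rb):] == rb:
                problems.append(f"search base of {b} contains that of {a}: entries under {a} resolve in both domains")
    return problems


_ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\) gid=(\d+)\(([^)]+)\) groups=(.*)")
_GROUP_RE = re.compile(r"(\d+)\(([^)]+)\)")


def parse_id_output(line):
    """Parse one line of `id` output into uid, user, gid, primary group and group names."""
    m = _ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {line!r}")
    groups = [name for _, name in _GROUP_RE.findall(m.group(5))]
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "group": m.group(4), "groups": groups}


def parse_audit_groups(line):
    """Extract the group names from a 'success|Groups: [...]' audit entry."""
    m = re.search(r"Groups: \[([^\]]*)\]", line)
    if not m:
        raise ValueError(f"no Groups field in audit line: {line!r}")
    return [g.strip() for g in m.group(1).split(",") if g.strip()]


def groups_agree(id_line, audit_line):
    """True when the groups SSSD reports for a user match the groups Knox logged."""
    return set(parse_id_output(id_line)["groups"]) == set(parse_audit_groups(audit_line))


if __name__ == "__main__":
    bases = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for name, base in bases.items():
        print(f"{name}: {base}")
    print("search base problems:", check_search_bases(bases) or "none")
    for user in SAMPLE_ID_OUTPUT:
        print(user, "groups agree:", groups_agree(SAMPLE_ID_OUTPUT[user], SAMPLE_AUDIT_LINES[user]))
```

Run against a real sssd.conf by passing its contents to `parse_sssd_conf` and the output of `id <user>` to `parse_id_output`; a non-empty list from `check_search_bases` means the multi-domain setup will not partition users the way the two-base test above relies on.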
Thanks to Eric Yang for pointing out this scenario.
Setup Overview
The following diagram shows a high-level set-up of the components involved.
...