...
- Support for nested OUs and nested groups
- Faster lookups
- Support for more complex LDAP queries
- Reduced load on the LDAP/AD server (caching by SSSD)
Scenarios
Two scenarios were tested:
...
```text
# id -a jerry
uid=4001(jerry) gid=4000(engineer) groups=4000(engineer),5000(datascientist),6000(datascientist-a),7000(datascientist-b)
```
...
When we try to access a resource secured by Knox as the user jerry, we can see that all the groups jerry belongs to are logged in gateway-audit.log (part of Knox logging):
```text
Groups: [datascientist-a, datascientist-b, engineer, datascientist]
```
Nested OUs
The following diagram shows the nested OU structure used for testing:
...
```text
# id -a kim
uid=8001(kim) gid=8000(processors) groups=8000(processors)
```
...
Similarly, when we try to access a resource secured by Knox as the user kim, we get the following entry in gateway-audit.log (part of Knox logging):
...
This demonstrates that Knox can authenticate and retrieve groups against nested OUs.
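Both scenarios rest on the same check: the groups SSSD resolves for a user (`id -a`) must be exactly the groups Knox records in gateway-audit.log. The script below is an added example, not code from the page or from the Knox project; it parses both formats and reports any group that SSSD resolves but Knox does not log (or vice versa), which is the symptom of a nesting or schema misconfiguration. jerry's two lines are the ones shown above; kim's audit line is constructed, since the page does not reproduce it.

```python
import re

# Constructed samples modelled on the two scenarios above. jerry's lines are the
# ones shown on the page; kim's audit line is constructed, since the page does
# not reproduce it.
ID_OUTPUT = {
    "jerry": "uid=4001(jerry) gid=4000(engineer) groups=4000(engineer),5000(datascientist),6000(datascientist-a),7000(datascientist-b)",
    "kim": "uid=8001(kim) gid=8000(processors) groups=8000(processors)",
}
AUDIT_LINES = {
    "jerry": "Groups: [datascientist-a, datascientist-b, engineer, datascientist]",
    "kim": "Groups: [processors]",
}

_GROUPS_FIELD = re.compile(r"\bgroups=(\S+)")       # the groups=... field of `id`
_GID_NAME = re.compile(r"(\d+)\(([^)]*)\)")         # one gid(name) pair
_AUDIT_GROUPS = re.compile(r"Groups:\s*\[([^\]]*)\]")  # Knox audit entry


def groups_from_id(id_line: str) -> set[str]:
    """Group names from the groups=... field of `id -a` output (what SSSD resolved)."""
    m = _GROUPS_FIELD.search(id_line)
    if not m:
        return set()
    return {name for _gid, name in _GID_NAME.findall(m.group(1))}


def groups_from_audit(audit_line: str) -> set[str]:
    """Group names from a 'Groups: [...]' entry in gateway-audit.log (what Knox saw)."""
    m = _AUDIT_GROUPS.search(audit_line)
    if not m:
        return set()
    return {g.strip() for g in m.group(1).split(",") if g.strip()}


def compare_groups(user: str, id_line: str, audit_line: str) -> dict:
    """Report whether Knox logged exactly the groups SSSD resolves for the user.

    Order differs between the two sources (see jerry above), so sets are compared.
    """
    resolved = groups_from_id(id_line)
    logged = groups_from_audit(audit_line)
    return {
        "user": user,
        "consistent": resolved == logged,
        "missing_in_knox": sorted(resolved - logged),
        "extra_in_knox": sorted(logged - resolved),
    }


if __name__ == "__main__":
    for user in ID_OUTPUT:
        print(compare_groups(user, ID_OUTPUT[user], AUDIT_LINES[user]))
```

In practice you would feed `compare_groups` the real `id -a <user>` output and the matching audit line for that user's request; a non-empty `missing_in_knox` after a topology change is the quickest sign that PAM is no longer returning the full (nested) membership.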
Using Multiple Search Bases
...
- ou=processing,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
- ou=processing-2,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
...
sssd.conf settings (relevant) for this test are as follows:
...
```text
# id jon
id: 'jon': no such user
# id kim
uid=8001(kim) gid=8000(processors) groups=8000(processors)
```
...
Thanks to Eric Yang for pointing out this scenario.
...
- OpenLDAP - 2.4.40
- SSSD - 1.14.1
- Apache Knox - 0.10.0
LDAP
In order to support nesting of groups, the LDAP server needs to support the RFC 2307bis schema. The connection between SSSD and LDAP has to be secured. Acquire a copy of the public CA certificate of the certificate authority that signed the LDAP server certificate; you can test the server certificate using the following openssl command:
...
```bash
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=<ldap_host> --enableldaptls --ldapbasedn=dc=my-company,dc=my-org --enableshadow --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
```
After the command executes you can see that sssd.conf file has been updated.
...
```ini
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = default

[nss]
reconnection_retries = 3
homedir_substring = /home

[pam]
reconnection_retries = 3

[domain/default]
access_provider = ldap
autofs_provider = ldap
chpass_provider = ldap
cache_credentials = True
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://<ldap_host>/
ldap_tls_cacertdir = /etc/openldap/certs
ldap_id_use_start_tls = True
# default bind dn
ldap_default_bind_dn = cn=admin,dc=apache,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = my_pasword
ldap_search_base = dc=apache,dc=org
# For group lookup
ldap_group_member = member
# Enable nesting
ldap_group_nesting_level = 5

[sudo]
[autofs]
[ssh]
[pac]
[ifp]
```
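The settings that make this file work for nested groups (`ldap_schema = rfc2307bis`, `ldap_group_member = member`, `ldap_group_nesting_level`) and for a protected LDAP connection (`ldap_id_use_start_tls` with a CA certificate directory) are easy to lose in a later edit. The checker below is an added example, not part of the page or of SSSD; it parses an sssd.conf with Python's `configparser` and reports which of those settings are missing or weakened. The embedded configuration is a constructed excerpt modelled on the file above, with a placeholder host name, base DN and bind password. It also notes that the bind password sits in the file in clear text, which is why sssd.conf must stay owned by root with mode 0600.

```python
import configparser

# Constructed sssd.conf excerpt modelled on the file shown above (not copied
# from a real host); host name, base DN and bind password are placeholders.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test/
ldap_tls_cacertdir = /etc/openldap/certs
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=test
# For group lookup
ldap_group_member = member
# Enable nesting
ldap_group_nesting_level = 5
ldap_default_bind_dn = cn=admin,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
"""


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; SSSD uses a plain INI layout, so configparser is enough."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_ldap_domain(parser: configparser.ConfigParser, domain: str = "default") -> dict:
    """Return {'errors': [...], 'notes': [...]} for the [domain/<domain>] section.

    errors: settings that break nested-group resolution or leave LDAP traffic
            unprotected; notes: things to keep an eye on.
    """
    errors, notes = [], []
    section = f"domain/{domain}"
    if not parser.has_section(section):
        return {"errors": [f"missing section [{section}]"], "notes": notes}
    d = parser[section]

    # Nested groups need the rfc2307bis schema and the 'member' attribute.
    if d.get("ldap_schema", "").lower() != "rfc2307bis":
        errors.append("ldap_schema must be rfc2307bis for nested groups")
    if d.get("ldap_group_member", "").lower() != "member":
        errors.append("ldap_group_member should be 'member' with rfc2307bis")
    try:
        nesting = int(d.get("ldap_group_nesting_level", "2"))  # 2 is the SSSD default
    except ValueError:
        nesting = -1
    if nesting < 2:
        errors.append("ldap_group_nesting_level below 2 disables nested lookups")

    # Transport: ldaps:// or STARTTLS, plus a CA to validate the server certificate.
    uri = d.get("ldap_uri", "")
    starttls = d.getboolean("ldap_id_use_start_tls", fallback=False)
    if not (uri.lower().startswith("ldaps://") or starttls):
        errors.append("LDAP traffic is not protected: use ldaps:// or ldap_id_use_start_tls = True")
    if not (d.get("ldap_tls_cacertdir") or d.get("ldap_tls_cacert")):
        errors.append("no CA certificate configured (ldap_tls_cacertdir / ldap_tls_cacert)")

    # A bind password in the file is normal for a simple bind, but the file must stay root-only.
    if "ldap_default_authtok" in d:
        notes.append("bind password stored in sssd.conf: keep the file owned by root with mode 0600")
    return {"errors": errors, "notes": notes}


def weaken(text: str) -> str:
    """Deliberately weakened copy of a config, used to show what the checker flags."""
    return (text.replace("ldap_schema = rfc2307bis", "ldap_schema = rfc2307")
                .replace("ldap_id_use_start_tls = True", "ldap_id_use_start_tls = False"))


if __name__ == "__main__":
    for label, conf in (("as configured", SAMPLE_CONF), ("weakened", weaken(SAMPLE_CONF))):
        print(label, check_ldap_domain(load_sssd_conf(conf)))
```

Run it against `/etc/sssd/sssd.conf` by reading the file into `load_sssd_conf`; an empty `errors` list means the nested-group and TLS settings from the file above are still in place.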
...
The important settings to note are:
...
Setting up Knox is relatively easy: install Knox on the same machine as SSSD and update the topology to use PAM-based authentication:
```xml
<param>
  <name>main.pamRealm</name>
  <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
  <name>main.pamRealm.service</name>
  <value>login</value>
</param>
```
...