(This article is a work in progress)
Apache Knox provides HTTP Basic authentication against an LDAP store. Knox ships with an Apache Shiro authentication provider for LDAP, which makes the configuration much easier and more flexible. There is, however, one limitation: with the default realm, KnoxLdapRealm, only a single Organizational Unit (OU) is supported and nested OUs are not (KNOX-536). From Knox 0.10.0 onwards, Knox also supports a Linux PAM authentication provider (KNOX-537). This blog post discusses a way to set up LDAP authentication against nested OUs for Knox, using the PAM support provided by Knox together with the Linux SSSD daemon.
Some of the advantages of this approach are:
Support for nested OUs and nested groups
Faster lookups
Support for more complex LDAP queries
Reduced load on the LDAP/AD server, since SSSD caches lookups
Setup Overview
The following diagram shows a high-level set-up of the components involved.
Caveats
For nested group membership, SSSD and LDAP should use the rfc2307bis schema
SSSD requires SSL/TLS to talk to LDAP
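As an added example (not part of the original post) of the set-up described above: an sssd.conf that satisfies both caveats, the Knox ShiroProvider fragment that hands authentication to PAM, and a small check that a given sssd.conf meets the two caveats. The domain name, hosts, base DN and file paths are assumed placeholders; the KnoxPamRealm class name is the one in the Knox user guide for Knox 1.x (Knox 0.x used the org.apache.hadoop.gateway package), and the PAM service is assumed to be the host's login stack with pam_sss in it.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal sssd.conf for nested-OU lookups,
# the Knox ShiroProvider fragment that delegates to PAM, and a check for the two caveats.
# Domain, hosts, DNs and paths below are constructed placeholders (assumptions).
write_sssd_conf() {   # $1 = output path
  cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = example
[domain/example]
id_provider = ldap
auth_provider = ldap
# rfc2307bis keeps group members as DNs (member), which nested group resolution needs;
# the default rfc2307 schema (memberUid) cannot express nesting
ldap_schema = rfc2307bis
ldap_group_nesting_level = 5
# SSSD refuses clear-text binds: ldaps:// (or ldap_id_use_start_tls = true) plus cert checks
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# one search base and no per-OU filter, so users in any nested OU are found
ldap_search_base = dc=example,dc=com
EOF
}
write_knox_provider() {   # $1 = output path; goes inside the topology's <gateway> element
  cat > "$1" <<'EOF'
<provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>
  <param><name>main.pamRealm</name>
         <value>org.apache.knox.gateway.shirorealm.KnoxPamRealm</value></param>
  <!-- PAM service name: /etc/pam.d/login, whose stack must include pam_sss -->
  <param><name>main.pamRealm.service</name><value>login</value></param>
</provider>
EOF
}
check_sssd_conf() {   # $1 = sssd.conf; returns 0 only if both caveats hold
  grep -Eq '^[[:space:]]*ldap_schema[[:space:]]*=[[:space:]]*rfc2307bis' "$1" \
    || { echo "$1: ldap_schema is not rfc2307bis, nested groups will not resolve" >&2; return 1; }
  grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=.*ldaps://' "$1" \
    || grep -Eq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$1" \
    || { echo "$1: LDAP transport is not TLS protected" >&2; return 1; }
}
# Stand-alone demo: write both files to a scratch directory and check sssd.conf
demo_dir=$(mktemp -d)
write_sssd_conf "$demo_dir/sssd.conf"
write_knox_provider "$demo_dir/knox-pam-provider.xml"
check_sssd_conf "$demo_dir/sssd.conf" && echo "sssd.conf satisfies both caveats"
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on the Knox host to confirm an existing configuration before enabling the PAM provider.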