
(This article is work in progress)

Apache Knox provides HTTP Basic authentication against an LDAP store. Knox ships with an Apache Shiro-based authentication provider for LDAP, which makes the configuration easier and more flexible. There is one limitation, however: with the default realm, KnoxLdapRealm, only a single Organizational Unit (OU) is supported, and users or groups in nested OUs are not found (KNOX-536). From Knox 0.10.0 onwards, Knox also supports a Linux PAM authentication provider (KNOX-537). This post describes a way to set up LDAP authentication against nested OUs for Knox by combining Knox's PAM support with the Linux SSSD daemon: Knox hands the Basic-auth credentials to PAM, pam_sss passes them to SSSD, and SSSD performs the LDAP lookups and the password bind.

Some of the advantages of this approach are:

  • Support for nested OUs and nested groups

  • Faster lookups (SSSD caches resolved users and groups locally)

  • Support for more complex LDAP queries

  • Reduced load on the LDAP/AD server (caching by SSSD)

Setup Overview

The following diagram shows a high-level set-up of the components involved.

Caveats

  • For nested group membership, SSSD and the LDAP server must use the rfc2307bis schema (group membership stored as member DN attributes on the group, not memberUid), which is what lets SSSD walk nested groups

  • SSSD requires SSL/TLS (ldaps:// or StartTLS) to talk to LDAP; it will not send a user's password over a cleartext LDAP connection
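The set-up described above (Knox PAM realm in front of SSSD in front of LDAP) together with both caveats, as an added example that is not part of the original page or of the Knox project's code: a bash script for the Knox host that renders sssd.conf, the PAM service file and the Knox ShiroProvider block, refuses a plaintext LDAP URI, and, when run with `apply <user>`, installs the files, restarts SSSD and checks that a user from a nested OU resolves with their nested groups. The host names, base DN, CA bundle path, SSSD domain name and the PAM service name `knox` are assumptions; the Knox class name is the 0.10.x one (Knox 1.x renamed the package to org.apache.knox.gateway).

```shell
#!/usr/bin/env bash
# Added example, not code from the Knox project or the original page.
# Renders the three pieces of configuration this setup needs (sssd.conf,
# a PAM service for Knox, and the Knox ShiroProvider block that points at
# the PAM realm) and checks the two caveats before anything is written.
# Host names, DNs, the CA bundle path, the SSSD domain name and the PAM
# service name "knox" are assumptions; adjust them for your environment.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"          # assumed
BASE_DN="${BASE_DN:-dc=example,dc=com}"                   # assumed
CA_CERT="${CA_CERT:-/etc/pki/tls/certs/ca-bundle.crt}"    # assumed
SSSD_DOMAIN="${SSSD_DOMAIN:-example}"                     # assumed
PAM_SERVICE="${PAM_SERVICE:-knox}"                        # assumed name

# Caveat 2: SSSD will not send a password over plaintext LDAP. Accept
# ldaps:// as-is, and ldap:// only when StartTLS is explicitly enabled.
check_tls_required() {
  uri="$1"; start_tls="${2:-false}"
  case "$uri" in
    ldaps://*) return 0 ;;
    ldap://*)  [ "$start_tls" = "true" ] && return 0; return 1 ;;
    *)         return 1 ;;
  esac
}

# Caveat 1: rfc2307bis, so group membership is the 'member' DN attribute
# and SSSD can resolve nested groups. The search base is the directory
# root rather than one OU, so users in nested OUs are found.
render_sssd_conf() {
  cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${SSSD_DOMAIN}

[domain/${SSSD_DOMAIN}]
id_provider = ldap
auth_provider = ldap
ldap_uri = ${LDAP_URI}
ldap_search_base = ${BASE_DN}
ldap_schema = rfc2307bis
ldap_group_nesting_level = 5
ldap_tls_reqcert = demand
ldap_tls_cacert = ${CA_CERT}
cache_credentials = true
EOF
}

# PAM stack for Knox: both authentication and account checks go to SSSD.
render_pam_service() {
  cat <<EOF
auth     required  pam_sss.so
account  required  pam_sss.so
EOF
}

# Knox topology provider block using the PAM realm instead of KnoxLdapRealm.
render_knox_topology() {
  cat <<EOF
<provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>
  <param><name>sessionTimeout</name><value>30</value></param>
  <param><name>main.pamRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value></param>
  <param><name>main.pamRealm.service</name><value>${PAM_SERVICE}</value></param>
  <param><name>urls./**</name><value>authcBasic</value></param>
</provider>
EOF
}

# Install the files, restart SSSD and verify that a user from a nested OU
# resolves and that 'id' lists the nested groups. Run as root on the Knox host.
apply() {
  user="$1"
  check_tls_required "$LDAP_URI" || { echo "refusing plaintext LDAP URI: $LDAP_URI" >&2; return 1; }
  render_sssd_conf > /etc/sssd/sssd.conf
  chmod 0600 /etc/sssd/sssd.conf        # sssd refuses to start with looser permissions
  render_pam_service > "/etc/pam.d/${PAM_SERVICE}"
  systemctl restart sssd
  getent passwd "$user" && id "$user"
}

case "${1:-}" in
  apply) apply "${2:?usage: $0 apply <ldap-user>}" ;;
  show)  render_sssd_conf; echo; render_pam_service; echo; render_knox_topology ;;
esac
```

Run `./knox-sssd.sh show` to review the rendered files, then `sudo ./knox-sssd.sh apply <user>` with an account that sits in a nested OU; if `id` does not list the groups you expect, check the rfc2307bis caveat before touching Knox. Paste the printed provider block into the Knox topology in place of the existing LDAP ShiroProvider block and confirm with an HTTP Basic request to a topology URL.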

 
