The default LDAP authentication type is configured by adding the following
authentication provider to the cluster's topology file. When enabled, the Knox Gateway
authenticates users against the configured LDAP store by binding to the User Distinguished
Name (UserDN) that is defined by the pattern specified in the
UserDnTemplate
. Use this provider to authenticate users who have to
the same UserDN pattern.
To authenticate users that are in different branches of the LDAP Directory Information Tree (DIT), who have a login token that is not part of the UserDN, or to lookup group membership, see Advanced LDAP Configuration.
Note | |
---|---|
|
To enable LDAP authentication:
Open the cluster topology descriptor file,
, in a text editor.$cluster-name
.xmlAdd the
ShiroProvider
authentication provider to/topology/gateway
as follows:<provider> <role>authentication</role> <name>ShiroProvider</name> <enabled>true</enabled> <param> <name>main.ldapRealm</name> <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value> </param> <name>main.ldapRealm.userDnTemplate</name> <value>$USER_DN</value> </param> <name>main.ldapRealm.contextFactory.url</name> <value>$protocol://$ldaphost:$port</value> </param> <name>main.ldapRealm.contextFactory.authenticationMechanism</name> <value>simple</value> </param> <name>urls./**</name> <value>$auth_type</value> </param> <name>sessionTimeout</name> <value>$minutes</value> </param> </provider>
where the following variables are specific to your environment:
$USER_DN
is a comma separated list of attribute and value pairs that define the User Distinguished Name (DN). The first pair must be set to "$attribute_name
={0}" indicating that the$attribute_name
is equal to the user token parsed from the request.For example, the first attribute in an OpenLdap definition is
UID={0}
. Themain.ldapRealm.userDnTemplate
parameter is only required when authenticating against an LDAP store that requires a full User DN.$protocol
://$ldaphost
:$port
is the URL of the LDAP service, Knox Gateway supports LDAP or LDAPS protocols. When using SSL specify the protocol asldaps
and if using a self-signed certificate, ensure that the client verification certificate is installed on the Knox server.$auth_type
is eitherauthcBasic
which provides basic authentication for both secured and non-secured requests orssl, authcBasic
which rejects non-secured requests and provides basic authentication of secured requests.$minutes
is the session idle time in minutes, the default timeout is 30 minutes.
Save the file.
The gateway creates a new WAR file with modified timestamp in
/var/lib/knox/data/deployments
.