knox-commits mailing list archives

From dillido...@apache.org
Subject svn commit: r1536880 - /incubator/knox/trunk/books/0.3.0/config_authn.md
Date Tue, 29 Oct 2013 20:23:51 GMT
Author: dillidorai
Date: Tue Oct 29 20:23:51 2013
New Revision: 1536880

URL: http://svn.apache.org/r1536880
Log:
added documentation note on using AD for authentication using Shiro

Modified:
    incubator/knox/trunk/books/0.3.0/config_authn.md

Modified: incubator/knox/trunk/books/0.3.0/config_authn.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.3.0/config_authn.md?rev=1536880&r1=1536879&r2=1536880&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.3.0/config_authn.md (original)
+++ incubator/knox/trunk/books/0.3.0/config_authn.md Tue Oct 29 20:23:51 2013
@@ -24,7 +24,7 @@ There are two types of providers support
 
 Authentication providers directly accept a user's credentials and validates them against
some particular user store. Federation providers, on the other hand, validate a token that
has been issued for the user by a trusted Identity Provider (IdP).
 
-The current release of Knox ships with an authentication provider based on the Apache Shiro
project and is initially configured for BASIC authentication against an LDAP store.
+The current release of Knox ships with an authentication provider based on the Apache Shiro
project and is initially configured for BASIC authentication against an LDAP store. This has
been specifically tested against Apache Directory Server and Active Directory.
 
 This section will cover the general approach to leveraging Shiro within the bundled provider
including:
 
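Review bot: In the added sentence "This has been specifically tested against Apache Directory Server and Active Directory", the subject "This" has no clear antecedent: it could mean the Shiro provider, the BASIC configuration, or the LDAP store setup. Suggest naming it, for example "The provider has been tested against Apache Directory Server and Active Directory", and stating which versions of each were tested so readers can judge whether their directory is covered.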
@@ -106,6 +106,21 @@ This section discusses the LDAP configur
 
 **urls./**** - this element represents a single URL_Ant_Path_Expression and the value the
Shiro filter chain to apply to it. This particular sample indicates that all paths into the
application have the same Shiro filter chain applied. The paths are relative to the application
context path. The use of the value `authcBasic` here indicates that BASIC authentication is
expected for every path into the application. Adding an additional Shiro filter to that chain
for validating that the request isSecure() and over SSL can be achieved by changing the value
to `ssl, authcBasic`. It is not likely that you need to change this element for your environment.
 
+#### Active Directory - Special Note ####
+
+You would use LDAP configuration as documented above to authenticate against Active Directory
as well.
+
+Some Active Directory specifc things to keep in mind:
+
+Typical AD main.ldapRealm.userDnTemplate value looks slightly different, such as
+    cn={0},cn=users,DC=lab,DC=sample,dc=com
+
+Please compare this with a typical Apache DS main.ldapRealm.userDnTemplate value and make
note of the difference.
+    uid={0},ou=people,dc=hadoop,dc=apache,dc=org
+
+If your AD is configured to authenticate based on just the cn and password and does not require
user DN, you do not have to specify value for  main.ldapRealm.userDnTemplate.
+
+
 #### LDAP over SSL (LDAPS) Configuration ####
 In order to communicate with your LDAP server over SSL (again, highly recommended), you will
need to modify the topology file in a couple ways and possibly provision some keying material.
 
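Review bot: The two sample DN lines (`cn={0},cn=users,DC=lab,DC=sample,dc=com` and `uid={0},ou=people,dc=hadoop,dc=apache,dc=org`) are indented four spaces but follow their paragraph text directly with no blank line between, so Markdown will fold them into the paragraph instead of rendering them as code blocks; add a blank line before each sample. In the same block, "specifc" should be "specific", the AD sample mixes `DC=` and `dc=` in one DN, there is a double space before `main.ldapRealm.userDnTemplate` in the last paragraph, and the property name is left unquoted while the surrounding document puts values such as `authcBasic` in backticks. The final paragraph says the template can be omitted when AD authenticates on "just the cn and password" but does not say what the realm then sends as the bind principal; one sentence on that would let an administrator confirm which identity is actually being authenticated.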


