...

  • Supported for nested OUs and nested groups

  • Faster lookups

  • Support more complex LDAP queries

  • Reduce load on the LDAP/AD server (caching by SSSD)


Scenarios

There are two scenarios that were tested

...

# id -a jerry
uid=4001(jerry) gid=4000(engineer) groups=4000(engineer),5000(datascientist),6000(datascientist-a),7000(datascientist-b)

...

When we access a resource secured by Knox as the user jerry, all the groups that jerry belongs to are logged in gateway-audit.log (part of Knox logging):


Groups: [datascientist-a, datascientist-b, engineer, datascientist]


Nested OUs

The following diagram shows the nested OU structure used for testing.

...

# id -a kim
uid=8001(kim) gid=8000(processors) groups=8000(processors)

...

Similarly, when we access a resource secured by Knox as the user kim, we get the following entry in gateway-audit.log (part of Knox logging):

...

This demonstrates that Knox can authenticate and retrieve groups against nested OUs. 

Using Multiple Search Bases

...

  • ou=processing,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org
  • ou=processing-2,ou=data,ou=groups,dc=hadoop,dc=apache,dc=org

...

sssd.conf settings (relevant) for this test are as follows:

...

# id jon
id: 'jon': no such user
# id kim
uid=8001(kim) gid=8000(processors) groups=8000(processors)

...


Thanks to Eric Yang for pointing out this scenario.

...

  • OpenLDAP - 2.4.40
  • SSSD - 1.14.1
  • Apache Knox - 0.10.0


LDAP

In order to support nesting of groups, the LDAP server needs to support the RFC 2307bis schema. The connection between SSSD and LDAP has to be secured with TLS. Acquire a copy of the public CA certificate for the certificate authority that signed the LDAP server certificate; you can test the certificate using the following openssl command:

...

authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=<ldap_host> --enableldaptls --ldapbasedn=dc=my-company,dc=my-org --enableshadow --enablerfc2307bis --enablemkhomedir --enablecachecreds --update


After the command executes you can see that the sssd.conf file has been updated.

...

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = default

[nss]
reconnection_retries = 3
homedir_substring = /home

[pam]
reconnection_retries = 3

[domain/default]
access_provider = ldap
autofs_provider = ldap
chpass_provider = ldap
cache_credentials = True
ldap_schema = rfc2307bis

id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://<ldap_host>/

ldap_tls_cacertdir = /etc/openldap/certs
ldap_id_use_start_tls = True

# default bind dn
ldap_default_bind_dn = cn=admin,dc=apache,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = my_pasword
ldap_search_base = dc=apache,dc=org

# For group lookup
ldap_group_member = member

# Enable nesting 
ldap_group_nesting_level = 5

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

...

The important settings to note are:

...
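To review those settings mechanically, here is an added example (not part of the original page, and not Knox or SSSD code) that parses one domain section of an sssd.conf with Python's configparser and flags what a reviewer would look at: plain ldap:// without STARTTLS, a schema other than rfc2307bis, nesting switched off, weakened certificate checking, and the static bind password that then requires a root-only file. The embedded sample config is constructed from the one above; the hostname and password in it are placeholders.

```python
import configparser

# Constructed sample modelled on the sssd.conf above (hostname and password are placeholders).
SAMPLE_SSSD_CONF = """
[sssd]
domains = default

[domain/default]
ldap_uri = ldap://ldap.example.internal/
ldap_schema = rfc2307bis
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_default_bind_dn = cn=admin,dc=apache,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = my_pasword
ldap_group_member = member
ldap_group_nesting_level = 5
"""


def check_sssd_domain(text, domain="default"):
    """Return {code: explanation} for the security-relevant LDAP settings of one SSSD domain."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    section = "domain/" + domain
    if not cp.has_section(section):
        return {"NO_DOMAIN": "section [%s] not found" % section}
    d = cp[section]
    findings = {}
    uri = d.get("ldap_uri", "").strip().lower()
    start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() in ("true", "yes", "1")
    # ldap:// without STARTTLS sends the bind password and every lookup in the clear.
    if uri.startswith("ldap://") and not start_tls:
        findings["CLEARTEXT"] = "ldap:// URI without ldap_id_use_start_tls = True"
    # Nested groups via the member attribute need rfc2307bis; SSSD's default schema is rfc2307.
    if d.get("ldap_schema", "rfc2307").strip().lower() != "rfc2307bis":
        findings["SCHEMA"] = "ldap_schema is not rfc2307bis, nested groups will not resolve"
    # A nesting level of 0 disables nested group resolution (SSSD's default is 2).
    if int(d.get("ldap_group_nesting_level", "2")) < 1:
        findings["NESTING"] = "ldap_group_nesting_level is 0, nested groups are ignored"
    # Anything weaker than demand/hard lets an interposed server present any certificate.
    if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow", "try"):
        findings["REQCERT"] = "ldap_tls_reqcert weaker than demand/hard"
    # A static bind password in the file is expected here, but the file must then stay root-only.
    if d.get("ldap_default_authtok", "").strip():
        findings["AUTHTOK"] = "bind password stored in sssd.conf: keep the file mode 0600, owned by root"
    return findings
```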

Setting up Knox is relatively easy: install Knox on the same machine as SSSD and update the topology to use PAM-based authentication.

<param>
    <name>main.pamRealm</name>
    <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
    <name>main.pamRealm.service</name>
    <value>login</value>
</param>

...