I have installed Apache Knox on a CDP 7.1.6 cluster and switched Shiro from PAM to LDAP (as described here https://is.gd/FmexUD). The changes are also done in the providers. PAM is disabled via the authentication.param.remove switch. Nevertheless PAM (KnoxPamRealm) is used for authentication instead of LDAP (KnoxLdapRealm). Does anyone have useful hints where to look for the cause? Thanks a lot!
@daba Can you try adding the below lines to the Knox topology files
Refer to the following doc for more info on how to configure LDAP/AD in knox
many thanks for your answer! Both parameters you mentioned are set. In the Knox Admin UI, all relevant providers also have the LDAP configuration (KnoxLdapRealm). But KnoxPamRealm is still used. It is interesting that when Knox is started, the shiro.ini with the PAM configuration is pulled from the JAR (WEB-INF/shiro.ini). Otherwise, there is no other shiro.ini in the file system that could replace it.
Could you check the following topology file in the Knox gateway node to validate if the authentication provider change you made in the CM UI is reflected at the host level as well?
thank you for your response! The ldap configuration which I made in the Cloudera Manager will not be persist in the topology file /var/lib/knox/gateway/conf/topologies/knoxsso.xml. There is still the pamRealm configuration. One solution is to manually edit the topology file, but that is not my expectation if you use Cloudera Manager.