Support Questions

Find answers, ask questions, and share your expertise

Apache Knox LDAP configuration is not used

New Contributor

Hello all,


I have installed Apache Knox on a CDP 7.1.6 cluster and switched Shiro from PAM to LDAP (as described here The changes are also done in the providers. PAM is disabled via the authentication.param.remove switch. Nevertheless PAM (KnoxPamRealm) is used for authentication instead of LDAP (KnoxLdapRealm). Does anyone have useful hints where to look for the cause? Thanks a lot!






Super Collaborator

@daba Can you try adding the below lines to the Knox topology files


Refer to the following doc for more info on how to configure LDAP/AD in knox

New Contributor

Hello @Scharan,


many thanks for your answer! Both parameters you mentioned are set. In the Knox Admin UI, all relevant providers also have the LDAP configuration (KnoxLdapRealm). But KnoxPamRealm is still used. It is interesting that when Knox is started, the shiro.ini with the PAM configuration is pulled from the JAR (WEB-INF/shiro.ini). Otherwise, there is no other shiro.ini in the file system that could replace it.

Cloudera Employee

Hi @daba,


Could you check the following topology file in the Knox gateway node to validate if the authentication provider change you made in the CM UI is reflected at the host level as well?

- /var/lib/knox/gateway/conf/topologies/knoxsso.xml


Prashanth Vishnu

New Contributor

Hi @pvishnu,


thank you for your response! The ldap configuration which I made in the Cloudera Manager will not be persist in the topology file /var/lib/knox/gateway/conf/topologies/knoxsso.xml. There is still the pamRealm configuration. One solution is to manually edit the topology file, but that is not my expectation if you use Cloudera Manager.