Created 12-01-2021 02:10 PM
Hello all,
I have installed Apache Knox on a CDP 7.1.6 cluster and switched Shiro from PAM to LDAP (as described here https://is.gd/FmexUD). The changes are also done in the providers. PAM is disabled via the authentication.param.remove switch. Nevertheless, PAM (KnoxPamRealm) is used for authentication instead of LDAP (KnoxLdapRealm). Does anyone have useful hints where to look for the cause? Thanks a lot!
Regards,
Daniel
Created 12-01-2021 04:49 PM
@daba Can you try adding the below lines to the Knox topology files
authentication.param.remove=main.pamRealm
authentication.param.remove=main.pamRealm.service
Refer to the following doc for more info on how to configure LDAP/AD in knox
https://docs.cloudera.com/runtime/7.2.10/knox-authentication/topics/security-knox-authe-ldap.html
Created 12-02-2021 12:12 AM
Hello @Scharan,
Many thanks for your answer! Both parameters you mentioned are set. In the Knox Admin UI, all relevant providers also have the LDAP configuration (KnoxLdapRealm). But KnoxPamRealm is still used. It is interesting that when Knox is started, the shiro.ini with the PAM configuration is pulled from the JAR (WEB-INF/shiro.ini). Otherwise, there is no other shiro.ini in the file system that could replace it.
Created 12-28-2021 02:43 AM
Hi @daba,
Could you check the following topology file in the Knox gateway node to validate if the authentication provider change you made in the CM UI is reflected at the host level as well?
- /var/lib/knox/gateway/conf/topologies/knoxsso.xml
Thanks,
Prashanth Vishnu
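A quick way to do the host-level check suggested above, as an added example that is not from this thread: parse the deployed topology file and list which Shiro realms its authentication provider actually declares. The sample topology below is constructed; the element names follow the standard Knox topology layout (provider/role/name/param).

```python
# Added example (not from the thread): inspect the ShiroProvider block of a
# Knox topology to see which realm(s) are really deployed, e.g. after a CM
# change that was expected to replace KnoxPamRealm with KnoxLdapRealm.
import xml.etree.ElementTree as ET

# Constructed sample topology: the LDAP realm was added, but the PAM realm is
# still present (the symptom described in the thread).
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.pamRealm</name>
             <value>org.apache.knox.gateway.shirorealm.KnoxPamRealm</value></param>
      <param><name>main.pamRealm.service</name><value>login</value></param>
      <param><name>main.ldapRealm</name>
             <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value></param>
      <param><name>main.ldapRealm.userDnTemplate</name>
             <value>uid={0},ou=people,dc=example,dc=com</value></param>
    </provider>
  </gateway>
</topology>"""

def shiro_params(topology_xml):
    """Return {param-name: value} for the ShiroProvider authentication provider."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("role") == "authentication" and prov.findtext("name") == "ShiroProvider":
            return {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
    return {}

def declared_realms(topology_xml):
    """Map realm alias (e.g. 'pamRealm') to its class for every main.<alias> param."""
    return {k.split(".", 1)[1]: v for k, v in shiro_params(topology_xml).items()
            if k.startswith("main.") and k.count(".") == 1 and "Realm" in (v or "")}

def lingering_pam(topology_xml):
    """True if KnoxPamRealm is still declared, i.e. the param removal did not take effect."""
    return any(v.endswith("KnoxPamRealm") for v in declared_realms(topology_xml).values())

if __name__ == "__main__":
    # usage: python check_knox_realms.py /var/lib/knox/gateway/conf/topologies/knoxsso.xml
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOPOLOGY
    print("realms:", declared_realms(xml_text))
    print("PAM still declared:", lingering_pam(xml_text))
```

Run it against the topology on the gateway node; if it still reports the PAM realm, the CM change has not reached the deployed file, which is what to compare against the provider list in the Admin UI.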
Created 02-13-2022 11:27 PM
Hi @pvishnu,
Thank you for your response! The LDAP configuration which I made in the Cloudera Manager will not be persisted in the topology file /var/lib/knox/gateway/conf/topologies/knoxsso.xml. There is still the pamRealm configuration. One solution is to manually edit the topology file, but that is not my expectation if you use Cloudera Manager.
Regards,
Daniel