
Configuration knox with active directory does not work


New Contributor

Hello

We are trying to install and configure knox with active directory on Ambari 2.5.2.

We use ldapsearch to test the connection of a user with AD and it works. But with this user we can't connect to knox.

The knoxsso.xml config file is

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>

        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>cn={0},OU=ouDSA,OU=ouUsers,OU=ouAdmins,DC=mickey,DC=int</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldaps://vpbsdcibs301.mickey.int:636</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>false</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>

    <application>
      <name>knoxauth</name>
    </application>

    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
        </param>
        <param>
           <name>knoxsso.redirect.whitelist.regex</name>
           <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>

</topology>

And the log file gives the following errors:

2017-11-08 15:27:41,877 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: cn=frea,OU=ouDSA,OU=ouUsers,OU=ouAdmins,DC=mickey,DC=int using dnTemplate for principal: frea
2017-11-08 15:27:41,970 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url
2017-11-08 15:27:41,970 ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(172)) - The original URL: undefined for redirecting back after authentication is not valid according to the configured whitelist: ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See documentation for KnoxSSO Whitelisting.


Any help would be highly appreciated :-)

LR

2 REPLIES

Re: Configuration knox with active directory does not work

Contributor

Hi,

According to the log:

<name>knoxsso.redirect.whitelist.regex</name>
<value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>

make sure you have the correct knoxsso.redirect.whitelist.regex.

Description: A semicolon-separated list of regex expressions. The incoming originalUrl must match one of the expressions in order for KnoxSSO to redirect to it after authentication. The default allows only relative paths and localhost with or without SSL for development use cases. This needs to be opened up for production use and actual participating applications. Note that cookie use is still constrained to redirect destinations in the same domain as the KnoxSSO service - regardless of the expressions specified here.

NOTE: LDAP Authentication for Ambari must be enabled for Knox SSO. The LDAP server needs to be sync’d into the Ambari truststore.

Ex:

<param>
    <name>knoxsso.redirect.whitelist.regex</name>
    <value>^https?:\/\/(node1\.openstacklocal|172\.26\.113\.193|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>

Re: Configuration knox with active directory does not work

Cloudera Employee

Hi

I've experienced this kind of problem in DPS 1.1.0 version.

If the original URL is without a port (for example https://192.168.10.10), the regex should be the following.

<value>^https?:\/\/(node1.openstacklocal|172.26.113.193|localhost|127.0.0.1|0:0:0:0:0:0:0:1|::1)(:[0-9])*.*$</value>

Hope this helps.
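Both replies turn on how knoxsso.redirect.whitelist.regex is evaluated against the originalUrl, so here is a small added test harness (not from the thread or from Knox itself) for checking a candidate whitelist before deploying it. It reproduces the log's failure (the default pattern rejects a portless URL and the literal value "undefined"), and compares a loosely anchored pattern, whose host literal is followed directly by `.*`, with a tightened variant that only allows an optional numeric port and a path. The patterns other than the page's default, the sample URLs, and the whole-string matching (modelled with re.fullmatch) are my assumptions.

```python
import re

# Default whitelist taken from the knoxsso.xml posted in the question.
DEFAULT_WHITELIST = r"^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Constructed: host literal followed directly by .* (the shape that admits portless URLs
# but also anything that merely starts with an allowed host).
LOOSE_WHITELIST = r"^https?:\/\/(172\.26\.113\.193|localhost)(:[0-9])*.*$"

# Constructed: after the host, only an optional numeric port and an optional path are allowed.
TIGHT_WHITELIST = r"^https?:\/\/(172\.26\.113\.193|localhost)(:[0-9]+)?(\/.*)?$"

# Constructed sample originalUrl values, including the "undefined" seen in the question's log.
SAMPLE_URLS = [
    "https://localhost:8443/gateway/knoxsso/knoxauth/login.html",  # dev default, with port
    "https://172.26.113.193",                                      # portless, the 2nd reply's case
    "https://172.26.113.193.example.test/",                        # foreign host with an allowed prefix
    "undefined",                                                   # value logged when the cookie is missing
]


def whitelist_allows(whitelist: str, original_url: str) -> bool:
    """True if original_url matches any ';'-separated pattern in the whitelist.

    Assumption: each pattern must match the whole URL (re.fullmatch); the page's
    patterns are anchored with ^ and $ anyway, so the result is the same either way.
    """
    for pattern in whitelist.split(";"):
        pattern = pattern.strip()
        if pattern and re.fullmatch(pattern, original_url):
            return True
    return False


def check_whitelist(whitelist: str) -> dict:
    """Evaluate one whitelist against every sample URL; returns {url: allowed}."""
    return {url: whitelist_allows(whitelist, url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for label, wl in (("default", DEFAULT_WHITELIST), ("loose", LOOSE_WHITELIST), ("tight", TIGHT_WHITELIST)):
        print(f"--- {label}: {wl}")
        for url, allowed in check_whitelist(wl).items():
            print(f"  {'ALLOW ' if allowed else 'REJECT'} {url}")
```

A whitelist that accepts the third URL would let KnoxSSO redirect an authenticated session to a host you did not intend, so run a check like this whenever the regex is widened for production.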