Created 05-11-2016 02:28 PM
Hi,
I have a problem with configuring LDAP/AD with Knox. The DEMO LDAP works great for both the sandbox and my own cluster. I am configuring the LDAP connection using this document: Setting Up LDAP Authentication. I configured main.ldapRealm.userDnTemplate and main.ldapRealm.contextFactory.url. I tried both classes in main.ldapRealm (KnoxLdapRealm and Jndi...). I am using Ambari to make the changes. The versions I use are: sandbox 2.4.0 and my cluster 2.3.2. When I configure my LDAP, Knox keeps saying that I am unauthorized (401). The credentials are correct because I can use them to log in to beeline, which is also configured with LDAP + AD.
Do I need to change Advanced users-ldif section in Ambari as well?
Thank you in advance.
Created 05-11-2016 03:10 PM
If your users belong to different branches of the LDAP directory you'll need to use Advanced LDAP Authentication in the Knox topology. Review the linked doc to understand the limitations of userDnTemplate, and refer to the "Example provider config" section to understand the additional properties available.
There should be log messages in gateway.log corresponding to the 401. Those might provide more insight into the reason for the error, so please provide them if possible.
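As an added illustration (not part of the original answer or the Knox documentation), the topology fragment below contrasts the two provider configurations the answer refers to. userDnTemplate simply substitutes the login name into a fixed DN pattern, so it can only work when every user's DN is derivable from the login name (a single OU, and the RDN attribute equal to what the user types). The search-based form binds first with a dedicated service account, looks the user up by an attribute such as sAMAccountName anywhere under searchBase, and then binds as the DN it found. Hostnames, OUs, the service-account DN and the alias name are placeholder values assumed for the example.

```xml
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>

      <!-- Realm and context factory classes as shipped with Knox 0.6.x (HDP 2.3/2.4). -->
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
      </param>

      <!-- Assumed directory endpoint. Prefer ldaps:// (636): a simple bind over ldap://
           sends every user's password to the domain controller in cleartext. -->
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldaps://ad.example.com:636</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>

      <!-- OPTION A (limited): template-based. Only works if every user's DN really is
           CN=<login>,OU=Users,DC=example,DC=com. Fails for users in other OUs and
           whenever the login name is not the RDN value (e.g. AD's CN is "First Last").
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>CN={0},OU=Users,DC=example,DC=com</value>
      </param>
      -->

      <!-- OPTION B: search-based (the "Advanced LDAP Authentication" form).
           A read-only service account binds, searches for the user by attribute,
           then Knox binds as the DN it found to verify the user's password. -->
      <param>
        <name>main.ldapRealm.contextFactory.systemUsername</name>
        <value>CN=svc-knox,OU=Service Accounts,DC=example,DC=com</value>
      </param>
      <param>
        <!-- Never put the password in the topology; reference a Knox credential-store alias. -->
        <name>main.ldapRealm.contextFactory.systemPassword</name>
        <value>${ALIAS=ldcSystemPassword}</value>
      </param>
      <param>
        <name>main.ldapRealm.searchBase</name>
        <value>DC=example,DC=com</value>
      </param>
      <param>
        <name>main.ldapRealm.userObjectClass</name>
        <value>person</value>
      </param>
      <param>
        <!-- Attribute matched against what the user types; sAMAccountName for AD logins. -->
        <name>main.ldapRealm.userSearchAttributeName</name>
        <value>sAMAccountName</value>
      </param>

      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
  </gateway>
</topology>
```

Before deploying, create the alias referenced above with `knoxcli.sh create-alias ldcSystemPassword --cluster <topology-name> --value '<service-account-password>'` so the password never appears in the topology file (in Ambari, the topology itself is edited under the Knox "Advanced topology" section). The service account only needs read access to the user subtree; do not reuse an administrative account. If option B still returns 401, the failing step (system bind, user search returning zero results, or the final user bind) is visible in gateway.log, which is the log the answer asks for.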
Created 05-11-2016 06:57 PM
Thank you very much @Alex Miller for your quick response. According to the doc that you linked and the log, I found out that I had misconfigured userDnTemplate.
I have another problem. In my AD/LDAP I am using sAMAccountName to identify the user, so I need to type at the beginning of userDnTemplate something like: sAMAccountName={0},ou=... and so on, but it does not recognize users. I can't use cn={0} because as a cn I use two separate words, so it will not work. I don't use uid, and I am not an AD admin, so I can't add or edit anything.
Created 05-11-2016 07:24 PM