Description
In very complex organizations the current configuration supported by KnoxLdapRealm may not be sufficient. Ideally it would be possible to:
1. Configure the LDAP search filter directly
2. Configure the LDAP search scope
3. Have portions of the search base and filter be derived from the input principal.
To clarify this, I'm thinking of provider configurations like these:

Example 1 (derive the user DN from the principal):
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userDnTemplate" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>

Example 2 (derive the search base and the search attribute value from the principal):
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
<param name="main.ldapRealm.userSearchAttributeTemplate" value="{2}"/>

Example 3 (configure the search filter directly):
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qe,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchFilter" value="(&(objectclass=person)(sAMAccountName={2}))"/>

Example 4 (search filter plus an explicit search scope):
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={1},DC=qe,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchFilter" value="(&(objectclass=person)(sAMAccountName={2}))"/>
<param name="main.ldapRealm.userSearchScope" value="onelevel"/>

Example 5 (fully derived search base with object scope):
<param name="main.ldapRealm.principalRegex" value="(.*?)\\(.*)"/>
<param name="main.ldapRealm.userSearchBase" value="CN={2},CN={1},DC=qa,DC=company,DC=com"/>
<param name="main.ldapRealm.userSearchScope" value="object"/>
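The substitution semantics proposed above (split the principal with principalRegex, then substitute the capture groups for {1}, {2}, ... in the base and filter templates), as an added illustration that is not Knox code. The parameter keys are taken from the examples above; the escaping helpers and the behaviour on a non-matching principal are my assumptions about how a safe implementation should treat a principal supplied by the caller, since {2} lands inside an LDAP filter (RFC 4515 escaping) or a DN (RFC 4514 escaping).

```python
import re

# Constructed provider parameters mirroring Example 3 above (keys are hypothetical).
PARAMS = {
    "main.ldapRealm.principalRegex": r"(.*?)\\(.*)",
    "main.ldapRealm.userSearchBase": "CN={1},DC=qe,DC=company,DC=com",
    "main.ldapRealm.userSearchFilter": "(&(objectclass=person)(sAMAccountName={2}))",
}


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so the principal cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape RFC 4514 special characters for use inside a DN attribute value."""
    escaped = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def expand(template: str, groups: tuple, escape) -> str:
    """Replace each {n} with the n-th regex capture group, escaped for its context."""
    return re.sub(r"\{(\d+)\}", lambda m: escape(groups[int(m.group(1)) - 1]), template)


def resolve_search(principal: str, params: dict) -> tuple:
    """Return (search base, search filter) for a principal such as 'qe\\jsmith'."""
    m = re.fullmatch(params["main.ldapRealm.principalRegex"], principal)
    if m is None:
        # The principal does not have the configured shape: refuse rather than guess.
        raise ValueError("principal does not match main.ldapRealm.principalRegex")
    groups = m.groups()
    base = expand(params["main.ldapRealm.userSearchBase"], groups, escape_dn_value)
    flt = expand(params["main.ldapRealm.userSearchFilter"], groups, escape_filter_value)
    return base, flt


if __name__ == "__main__":
    print(resolve_search(r"qe\jsmith", PARAMS))
```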