
Knox doesn't work with ldaps protocol


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 0.6.0
    • Fix Version/s: None
    • Component/s: ClientDSL, Site
    • Environment: RHEL : Oracle Linux Server release 6.7
      Curl Version : 7.19.7
      openjdk version "1.8.0_71"
      OpenJDK Runtime Environment (build 1.8.0_71-b15)
    • Flags: Important

    Description

      When, in the topology, we place ssl authcBasic or authcBasic along with the
      context factory using the ldaps protocol, we are unable to get Knox working.
      When we try using Knox with curl, Knox generates HTTP Error 503.

      curl -i -k -u ad_user:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'
      

      Corresponding logs from the Knox gateway are:

      2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'ad_user' through LDAP
      2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
      2016-08-15 17:12:41,980 DEBUG servlet.SimpleCookie (SimpleCookie.java:addCookieHeader(226)) - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Sun, 14-Aug-2016 17:12:41 GMT]
      2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication required: sending 401 Authentication challenge response.
      2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  401 handled=true
      

      The configuration we are using in the Knox topology related to authentication is the following:

        <param>
          <name>urls./**</name>
          <value>ssl authcBasic</value>
          <!-- Also tried with authcBasic -->
          <!-- Change this to authcBasic with ldap and the port to 389 and it works -->
        </param>

        <param>
          <name>main.ldapRealm.contextFactory.url</name>
          <value>ldaps://ldapURL:636</value>
          <!-- Switch this URL to use ldap and change the port to 389 and it works -->
        </param>
      
      • I see this as a threat to IT systems which need to adhere to certain compliance requirements.
      • Along with this, it would be great if the log could explicitly mention what the issue is; currently it doesn't provide any useful info that pinpoints changing ldaps to ldap.
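As an added example (not part of this report or of Knox itself), a small Python triage over the Shiro DEBUG lines quoted above: it flags an authentication attempt that opened an LDAP context and went straight to a 401 challenge without any bind outcome logged in between, and for an ldaps:// URL names the TLS trust check a gateway operator would run first. The sample log is constructed from the lines above plus one made-up ldap:// attempt that completes with a 200, so the two cases can be compared; the `triage` function and its finding format are assumptions of this example.

```python
import re

# Constructed sample: the DEBUG lines quoted in the report plus a made-up ldap:// attempt that returns 200.
SAMPLE_LOG = """\
2016-08-15 17:12:41,971 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'ad_user' through LDAP
2016-08-15 17:12:41,972 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://ldapURL:636] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:12:41,980 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:sendChallenge(274)) - Authentication required: sending 401 Authentication challenge response.
2016-08-15 17:12:41,980 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  401 handled=true
2016-08-15 17:20:00,001 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldap://ldapURL:389] and principal [CN=CN_NAME,OU=Admin ,OU=MyUnit,DC=MyCompany,DC=local] with pooling enabled
2016-08-15 17:20:00,050 DEBUG server.Server (Server.java:handle(367)) - RESPONSE /gateway/default/templeton/v1/status  200 handled=true
"""

# Shiro/log4j line shape: "<date> <time> <LEVEL> <logger> (<location>) - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<logger>\S+) .*? - (?P<msg>.*)$")
URL_RE = re.compile(
    r"Initializing LDAP context using URL \[(?P<scheme>ldaps?)://(?P<host>[^:\]]+):(?P<port>\d+)\]")


def triage(log_text):
    """Return one finding per authentication attempt that opened an LDAP context
    and then went straight to a 401 challenge with no bind outcome logged in between."""
    findings = []
    pending = None  # context-init details of the attempt currently in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        u = URL_RE.search(msg)
        if u:
            pending = {"ts": m["ts"], "scheme": u["scheme"],
                       "host": u["host"], "port": int(u["port"])}
        elif pending and "sending 401" in msg:
            # Basic challenge followed the context init directly: the bind failure itself was not logged.
            finding = dict(pending)
            finding["check"] = (
                "verify from the gateway JVM that the LDAP server certificate chain "
                "is trusted (truststore) and that the hostname matches"
                if pending["scheme"] == "ldaps" else
                "verify bind DN and password against the LDAP server")
            findings.append(finding)
            pending = None
        elif "RESPONSE " in msg:
            pending = None  # request finished; nothing left to correlate
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['scheme']}://{f['host']}:{f['port']} -> {f['check']}")
```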

      People

        Assignee: Unassigned
        Reporter: Arpan Rajani (arpanrajani)