KNOX-3318: document LDAP service #1227

Open

smolnar82 wants to merge 1 commit into apache:master from smolnar82:KNOX-3318

Conversation

@smolnar82
Contributor

KNOX-3318 - Add Knox LDAP Server documentation to User Guide

What changes were proposed in this pull request?

This pull request adds comprehensive documentation for the Knox LDAP Server feature (introduced in KNOX-3247 and improved in KNOX-3277) to the official Knox User Guide.

Changes include:

  • Created knox-site/docs/service_ldap_server.md which provides:
    • An architectural overview of the embedded ApacheDS-based LDAP service.
    • Detailed configuration instructions for both file and proxy backends.
    • Specific guidance for Active Directory (AD) integration, including memberOf and sAMAccountName support.
    • Troubleshooting tips regarding logs and lock files.
  • Updated knox-site/mkdocs.yml to include the "LDAP Server" page in the Client/User Guide navigation.
  • Updated knox-site/docs/book_service-details.md to include the LDAP Server in the master list of supported services.

How was this patch tested?

  • Manually verified the Markdown rendering and formatting of the new documentation.
  • Validated all internal and external (JIRA) links.
  • Cross-referenced all configuration property names (e.g., gateway.ldap.backend.proxy.*) with the implementation in GatewayConfigImpl.java and LdapProxyBackend.java to ensure accuracy.

Integration Tests

N/A - This is a documentation-only change. No functional code was modified.

UI changes

N/A

@smolnar82 smolnar82 self-assigned this May 11, 2026
@github-actions

Test Results

21 tests: 21 ✅ passed, 0 💤 skipped, 0 ❌ failed (1s ⏱️)
1 suite, 1 file

Results for commit c99066a.

@smolnar82
Contributor Author

Cc. @handavid

Contributor

@Raghav-Mah3shwari Raghav-Mah3shwari left a comment


LGTM

Key features include:
- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD).
- **Embedded Server**: No need for an external LDAP server for simple use cases or testing.
- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`.
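Review bot: the "Embedded Server" bullet should state whether the embedded, file-backed server is meant for production authentication or only for development and testing; "simple use cases or testing" leaves that open, and a reader picking an authentication source for a gateway needs the scope spelled out. Consider making the bullet explicit, e.g. "**Embedded Server**: Runs in-process with the file backend for development and testing" (or the intended scope, if it is broader), and point to the backend configuration section for the production setup.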
Contributor


memberOf handling isn't specific to AD.

- **Pluggable Backends**: Support for different data sources (JSON files, remote LDAP/AD).
- **Embedded Server**: No need for an external LDAP server for simple use cases or testing.
- **Active Directory Integration**: Optimized for proxying to AD with support for `sAMAccountName` and `memberOf`.
- **Dynamic Schema**: Automatically handles common LDAP/AD attributes even if they aren't part of the base ApacheDS schema.
Contributor


we don't have any special handling yet for attributes that aren't part of the base schema other than sAMAccountName and memberOf

1. **KnoxLDAPServerManager**: Manages the lifecycle of the ApacheDS instance.
2. **GroupLookupInterceptor**: A custom ApacheDS interceptor that captures search requests. If an entry is not found in the local ApacheDS partitions, it delegates the lookup to the configured backend.
3. **LdapBackend**: A pluggable interface for fetching user and group data.
4. **SchemaManagerFactory**: Programmatically extends the ApacheDS schema to include AD-specific attributes like `memberOf` and `sAMAccountName`.
Contributor


memberOf isn't specific to AD.

When a client performs an LDAP search:
1. The request hits the embedded ApacheDS server.
2. The `GroupLookupInterceptor` intercepts the search.
3. The interceptor attempts to find the user/group locally.
Contributor


nit: wording is a bit confusing. The interceptor checks the results of the local search. The interceptor itself is not attempting to find the user/group locally.
