Skip to content

KNOX-3377: KNOX-3378: KNOX-3379: Support secure LDAP (LDAPS) for the Knox embedded LDAP service#1305

Merged
smolnar82 merged 5 commits into
apache:masterfrom
smolnar82:KNOX-3377
Jul 15, 2026
Merged

KNOX-3377: KNOX-3378: KNOX-3379: Support secure LDAP (LDAPS) for the Knox embedded LDAP service#1305
smolnar82 merged 5 commits into
apache:masterfrom
smolnar82:KNOX-3377

Conversation

@smolnar82

Copy link
Copy Markdown
Contributor

KNOX-3377 - Support secure LDAP (LDAPS) for the Knox embedded LDAP service

What changes were proposed in this pull request?

KnoxLDAPService previously operated over plaintext LDAP only, on both of its connection paths. This PR adds configurable, credential-store-integrated LDAPS support to both, and updates the docker-based integration tests to exercise the feature end-to-end. The three commits are self-contained:

  1. Front-end (embedded server) LDAPS - the embedded ApacheDS server can now expose a TLS listener instead of accepting only plaintext.

    • New config in the existing gateway.ldap.* namespace (defaults off, behavior unchanged):
      • gateway.ldap.ssl.enabled
      • gateway.ldap.ssl.keystore.path (defaults to the gateway identity keystore)
      • gateway.ldap.ssl.keystore.password.alias (defaults to the gateway identity keystore password)
      • gateway.ldap.ssl.enabled.cipher.suites (optional)
    • The keystore password is resolved through AliasService, consistent with the existing bind-password handling. Invalid SSL config (missing keystore) fails fast at startup with a clear message.
  2. Backend (proxy) LDAPS - LdapProxyBackend can now connect to the remote/backing LDAP server over LDAPS. Before, an ldaps:// URL was parsed but SSL was never enabled on the connection, so secure backend connections silently did not work. TLS is applied to both the pooled search connections and the authentication bind.
    Per-backend config (gateway.ldap.interceptor.<name>.*): useSsl (auto-enabled by an ldaps:// URL), trustAllCertificates, trustStore/trustStoreType/trustStorePassword, sslProtocol, enabledProtocols, enabledCipherSuites, connectionTimeout.

    • Required dependency alignment for client-side LDAPS to work under the MINA 2.2.8 that Knox ships (for CVEs): Apache Directory client API 2.0.0 → 2.1.8 (2.0.0's SSL code calls MINA APIs removed in 2.2.x), and ApacheDS server 2.0.0.AM26 → 2.0.0.AM27 (AM26's LdapsInitializer references NoVerificationTrustManager, removed in directory-api 2.1.8; AM27 is built for 2.1.x + MINA 2.2.x). MINA stays at 2.2.8.
      All directory-api artifacts are pinned to one version; commons-collections4 is converged to 4.5.0; and the legacy jdk15on BouncyCastle that AM27 pulls is excluded in favor of Knox's jdk18on artifacts (same packages), keeping dependency:analyze and the shipped BouncyCastle consistent.
  3. Integration test over LDAPS - the docker-based LDAP proxy search test now runs entirely over TLS: the client connects to the embedded Knox LDAP service over LDAPS, and Knox proxies to the demo LDAP backend over LDAPS. The demo LDAP (SimpleLdapDirectoryServer) gained optional system-property-driven SSL; ldap.sh/gateway.sh provision dev keystores and the knoxldap Shiro realm was moved to ldaps:// (its cert imported into the JVM cacerts so the JNDI realm trusts it).

How was this patch tested?

  • Unit tests (gateway-server):
    • Front-end: TLS handshake presenting the configured certificate (JSSE SSLSocket), plaintext-access-to-secure-port rejection, and missing-keystore fail-fast.
    • Backend: a new LdapProxyBackendSslTest starts an SSL-enabled embedded ApacheDS instance and drives the backend over TLS (user/group lookups and binds), and verifies an untrusted server certificate is rejected when validation is enabled.
    • Full LDAP package (129 tests) passes against the upgraded ApacheDS AM27 / directory-api 2.1.8, plus gateway-demo-ldap and gateway-util-common.
  • Build: reactor-wide mvn validate (dependency convergence) and dependency:analyze-only pass after the version bumps and BouncyCastle exclusion.
  • Manual: mvn -Ppackage clean install then the docker-compose stack.

Integration Tests

Updated .github/workflows/tests/test_knox_ldap_proxy_search.py to connect over LDAPS (use_ssl=True, Tls(validate=CERT_NONE) for the self-signed dev cert), and the supporting docker fixtures (gateway-site.xml, gateway.sh, ldap.sh, knoxldap.xml) so both the client → Knox and Knox → demo-LDAP legs are TLS.

test_knox_auth_service_and_ldap.py is unchanged but now implicitly exercises the secure backend (group resolution flows through it).

Full stack result: 32/32 integration tests pass, including the knoxldap/remoteauth/extauthz auth suites that authenticate through the now-LDAPS embedded service.

UI Changes

N/A

smolnar82 and others added 3 commits July 14, 2026 11:10
…ed Knox LDAP service

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…oxyBackend

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…earch test

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@smolnar82 smolnar82 self-assigned this Jul 14, 2026
@smolnar82 smolnar82 added the ldap label Jul 14, 2026
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

Test Results

36 tests   36 ✅  5s ⏱️
 3 suites   0 💤
 3 files     0 ❌

Results for commit aa21a5f.

♻️ This comment has been updated with latest results.

@smolnar82

Copy link
Copy Markdown
Contributor Author

Cc. @handavid

@handavid handavid left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@smolnar82 smolnar82 merged commit ad6c159 into apache:master Jul 15, 2026
3 checks passed
@smolnar82 smolnar82 deleted the KNOX-3377 branch July 15, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants