KNOX-3336: New LDAP Service Factory#1250

Open
hanicz wants to merge 1 commit into apache:master from hanicz:KNOX-3336

Conversation

hanicz (Contributor) commented Jun 8, 2026

KNOX-3336 - New LDAP Service Factory

What changes were proposed in this pull request?

  • Moved the LDAP Service creation into its own factory class to follow the existing pattern
  • Bugfix: If ldap.enabled was set to false initially, reloadable configs wouldn't matter because the LDAP service was unable to start. The isLDAPEnabled guard is no longer needed in DefaultGatewayServices because KnoxLDAPService.init() already handles it — when disabled, it simply sets enabled = false and returns, making start()/stop() no-ops. The service object is lightweight when inert, and keeping it alive lets onGatewayConfigChanged() dynamically enable LDAP without a gateway restart.

How was this patch tested?

Unit tests, local test with reloadable.

Manual test:
Started a local Knox and LDAP instance. Changed the knoxsso ldap port to 3890 and tried to log in to the homepage, which failed. Updated the gateway-reloadable.xml with the below ldap configs and I was able to log in to the homepage.

2026-06-08 18:00:34,783  INFO  knox.gateway (GatewayServer.java:refreshGatewayConfig(275)) - Refreshed gateway config
2026-06-08 18:00:34,786  INFO  services.ldap (KnoxLDAPService.java:onGatewayConfigChanged(87)) - Reloading LDAP configuration
2026-06-08 18:00:34,798  INFO  services.ldap (KnoxLDAPServerManager.java:stop(240)) - Stopping LDAP service on port 0
2026-06-08 18:00:34,798  INFO  services.ldap (KnoxLDAPServerManager.java:stop(260)) - LDAP service stopped successfully
2026-06-08 18:00:34,800  INFO  services.ldap (InterceptorFactory.java:createInterceptor(49)) - Creating interceptor: backend (via ServiceLoader)
2026-06-08 18:00:34,801  INFO  services.ldap (BackendFactory.java:createBackend(46)) - Loading backend: ldap (via ServiceLoader)
2026-06-08 18:00:34,804  INFO  services.ldap (LdapProxyBackend.java:<init>(146)) - Loading backend: localldap (via Proxying dc=proxy,dc=com to ldap://localhost:33389 (dc=hadoop,dc=apache,dc=org) with uid attribute using group searches)
2026-06-08 18:00:34,819  INFO  services.ldap (LdapProxyBackend.java:initializeConnectionPool(201)) - Loading backend: ldap (via Initialized connection pool with maxActive=8)
2026-06-08 18:00:34,819  INFO  services.ldap (KnoxLDAPServerManager.java:start(133)) - Starting LDAP service on port 3,890 with base DN: dc=proxy,dc=com
2026-06-08 18:00:35,110  INFO  services.ldap (KnoxLDAPServerManager.java:start(186)) - LDAP service started successfully on port 3,890

knoxsso.xml:

<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://localhost:3890</value>
</param>

gateway-reloadable.xml:

    <!-- LDAP Proxy Service Configuration -->
    <property>
        <name>gateway.ldap.enabled</name>
        <value>true</value>
        <description>Enable the embedded LDAP service for user and group lookups. Set to true to enable.</description>
    </property>
    <property>
        <name>gateway.ldap.port</name>
        <value>3890</value>
        <description>Port for the LDAP service to listen on. Default is 3890.</description>
    </property>
    <property>
        <name>gateway.ldap.base.dn</name>
        <value>dc=proxy,dc=com</value>
        <description>Base DN for LDAP entries in the proxy server. Default is dc=proxy,dc=com.</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.names</name>
        <value>localldap</value>
        <description>Interceptor names for LDAP service.</description>
    </property>

    <!-- Local LDAP Server -->
    <property>
        <name>gateway.ldap.interceptor.localldap.interceptorType</name>
        <value>backend</value>
        <description>Type of interceptor. Currently supported: backend, duplicateuserfilter</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.localldap.backendType</name>
        <value>ldap</value>
        <description>Type of backend. Currently supported: file, ldap. Future: jdbc, knox.</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.localldap.url</name>
        <value>ldap://localhost:33389</value>
        <description>LDAP server URL for proxy backend</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.localldap.remoteBaseDn</name>
        <value>dc=hadoop,dc=apache,dc=org</value>
        <description>Base DN of the remote LDAP server</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.localldap.systemUsername</name>
        <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
        <description>LDAP bind DN for proxy backend authentication</description>
    </property>
    <property>
        <name>gateway.ldap.interceptor.localldap.systemPassword</name>
        <value>guest-password</value>
        <description>LDAP bind password for proxy backend authentication</description>
    </property>

Integration Tests

N/A

UI changes

N/A
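The inert-service lifecycle the description relies on, as an added Java sketch that is not Knox's own code: InertLdapServiceDemo and the flat-map GatewayConfig are hypothetical stand-ins, while the class, method and property names (KnoxLDAPService, init/start/stop/onGatewayConfigChanged, gateway.ldap.enabled, gateway.ldap.port) follow the PR text. The main method walks the exact scenario from the bugfix: LDAP disabled at startup, then enabled on port 3890 through a config reload.

```java
// Added illustration, not Knox's own code: a simplified inert-service lifecycle matching the PR text.
// GatewayConfig is a hypothetical stand-in for a flat map of gateway properties.
import java.util.HashMap;
import java.util.Map;
public class InertLdapServiceDemo {
    /** Hypothetical stand-in for Knox's GatewayConfig: a flat property map. */
    static final class GatewayConfig {
        private final Map<String, String> props = new HashMap<>();
        GatewayConfig set(String k, String v) { props.put(k, v); return this; }
        boolean isLdapEnabled() { return Boolean.parseBoolean(props.getOrDefault("gateway.ldap.enabled", "false")); }
        int ldapPort() { return Integer.parseInt(props.getOrDefault("gateway.ldap.port", "3890")); }
    }
    /** Sketch of the inert-when-disabled service the PR describes. */
    static final class KnoxLDAPService {
        private boolean enabled;
        private int port;
        private boolean running;   // true while the listener is "up"

        // init() owns the enabled check, so DefaultGatewayServices needs no isLDAPEnabled guard.
        void init(GatewayConfig config) {
            enabled = config.isLdapEnabled();
            if (!enabled) { return; }      // inert: nothing allocated, no port bound
            port = config.ldapPort();
        }
        // start()/stop() are no-ops while disabled or not running.
        void start() { if (enabled && !running) { running = true; } }
        void stop()  { if (running) { running = false; } }

        // Reload path: tear down, re-read the reloadable config, bring up if now enabled.
        void onGatewayConfigChanged(GatewayConfig config) {
            stop();
            init(config);
            start();
        }
        boolean isRunning() { return running; }
        int getPort() { return port; }
    }

    public static void main(String[] args) {
        // Scenario from the PR: LDAP disabled at gateway start, service object kept alive anyway.
        KnoxLDAPService ldap = new KnoxLDAPService();
        ldap.init(new GatewayConfig().set("gateway.ldap.enabled", "false"));
        ldap.start();
        System.out.println("after start: running=" + ldap.isRunning());
        // gateway-reloadable.xml later enables it on port 3890; no gateway restart needed.
        ldap.onGatewayConfigChanged(new GatewayConfig()
                .set("gateway.ldap.enabled", "true").set("gateway.ldap.port", "3890"));
        System.out.println("after reload: running=" + ldap.isRunning() + " port=" + ldap.getPort());
    }
}
```

Because a reload can now bring up a listening LDAP proxy and its bind credentials from gateway-reloadable.xml alone, changes to that file deserve the same review and monitoring as the main gateway config.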

github-actions Bot commented Jun 8, 2026

Test Results

22 tests: 22 passed, 0 skipped, 0 failed (1 suite, 1 file, 2s).

Results for commit 1f2033a.
