KNOX-3377: KNOX-3378: KNOX-3379: Support secure LDAP (LDAPS) for the Knox embedded LDAP service#1305
Merged
Merged
Conversation
…ed Knox LDAP service Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…oxyBackend Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…earch test Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Test Results36 tests 36 ✅ 5s ⏱️ Results for commit aa21a5f. ♻️ This comment has been updated with latest results. |
Contributor
Author
|
Cc. @handavid |
hanicz
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
KNOX-3377 - Support secure LDAP (LDAPS) for the Knox embedded LDAP service
What changes were proposed in this pull request?
KnoxLDAPServicepreviously operated over plaintext LDAP only, on both of its connection paths. This PR adds configurable, credential-store-integrated LDAPS support to both, and updates the docker-based integration tests to exercise the feature end-to-end. The three commits are self-contained:Front-end (embedded server) LDAPS - the embedded ApacheDS server can now expose a TLS listener instead of accepting only plaintext.
gateway.ldap.ssl.enabledgateway.ldap.ssl.keystore.path(defaults to the gateway identity keystore)gateway.ldap.ssl.keystore.password.alias(defaults to the gateway identity keystore password)gateway.ldap.ssl.enabled.cipher.suites(optional)AliasService, consistent with the existing bind-password handling. Invalid SSL config (missing keystore) fails fast at startup with a clear message.Backend (proxy) LDAPS -
LdapProxyBackendcan now connect to the remote/backing LDAP server over LDAPS. Before, anldaps://URL was parsed but SSL was never enabled on the connection, so secure backend connections silently did not work. TLS is applied to both the pooled search connections and the authentication bind.Per-backend config (
gateway.ldap.interceptor.<name>.*):useSsl(auto-enabled by anldaps://URL),trustAllCertificates,trustStore/trustStoreType/trustStorePassword,sslProtocol,enabledProtocols,enabledCipherSuites,connectionTimeout.MINA 2.2.8that Knox ships (for CVEs):Apache Directory client API 2.0.0 → 2.1.8(2.0.0's SSL code calls MINA APIs removed in 2.2.x), andApacheDS server 2.0.0.AM26 → 2.0.0.AM27(AM26's LdapsInitializer referencesNoVerificationTrustManager, removed in directory-api 2.1.8; AM27 is built for 2.1.x + MINA 2.2.x). MINA stays at 2.2.8.All directory-api artifacts are pinned to one version;
commons-collections4is converged to 4.5.0; and the legacyjdk15onBouncyCastle that AM27 pulls is excluded in favor of Knox'sjdk18onartifacts (same packages), keepingdependency:analyzeand the shipped BouncyCastle consistent.Integration test over LDAPS - the docker-based LDAP proxy search test now runs entirely over TLS: the client connects to the embedded Knox LDAP service over LDAPS, and Knox proxies to the demo LDAP backend over LDAPS. The demo LDAP (SimpleLdapDirectoryServer) gained optional system-property-driven SSL; ldap.sh/gateway.sh provision dev keystores and the knoxldap Shiro realm was moved to ldaps:// (its cert imported into the JVM cacerts so the JNDI realm trusts it).
How was this patch tested?
LdapProxyBackendSslTeststarts an SSL-enabled embedded ApacheDS instance and drives the backend over TLS (user/group lookups and binds), and verifies an untrusted server certificate is rejected when validation is enabled.gateway-demo-ldapandgateway-util-common.mvn validate(dependency convergence) anddependency:analyze-onlypass after the version bumps and BouncyCastle exclusion.mvn -Ppackage clean installthen the docker-compose stack.Integration Tests
Updated
.github/workflows/tests/test_knox_ldap_proxy_search.pyto connect over LDAPS (use_ssl=True, Tls(validate=CERT_NONE) for the self-signed dev cert), and the supporting docker fixtures (gateway-site.xml,gateway.sh,ldap.sh,knoxldap.xml) so both the client → Knox and Knox → demo-LDAP legs are TLS.test_knox_auth_service_and_ldap.pyis unchanged but now implicitly exercises the secure backend (group resolution flows through it).Full stack result: 32/32 integration tests pass, including the
knoxldap/remoteauth/extauthzauth suites that authenticate through the now-LDAPS embedded service.UI Changes
N/A