LDAP Authentication Caching
You can also configure the Apache Knox Gateway to cache LDAP authentication information by leveraging the built-in caching mechanisms that the Shiro EhCache Manager provides. Caching LDAP authentication information eliminates the need to authenticate against the LDAP server on each use.
| Note |
|---|
| When the authentication information is cached, the Knox gateway will not authenticate the user again until the cache expires. |
To enable LDAP authentication caching using the Shiro Provider, follow the steps listed below.
- Use the `org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm` in the Shiro configuration.
- Set the `main.ldapRealm.authenticationCachingEnabled` property similar to the example shown below.

  ```xml
  <provider>
    <role>authentication</role>
    <enabled>true</enabled>
    <param>
      <name>main.ldapRealm</name>
      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>
    <param>
      <name>main.ldapGroupContextFactory</name>
      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory</name>
      <value>$ldapGroupContextFactory</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory.url</name>
      <value>ldap://localhost:33389</value>
    </param>
    <param>
      <name>main.ldapRealm.authorizationEnabled</name>
      <value>true</value>
    </param>
    <param>
      <name>main.ldapRealm.searchBase</name>
      <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <!-- Declare the EhCache-backed cache manager -->
    <param>
      <name>main.cacheManager</name>
      <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
    </param>
    <!-- Hand the cache manager to the Shiro security manager -->
    <param>
      <name>main.securityManager.cacheManager</name>
      <value>$cacheManager</value>
    </param>
    <!-- Turn on authentication caching for the LDAP realm -->
    <param>
      <name>main.ldapRealm.authenticationCachingEnabled</name>
      <value>true</value>
    </param>
    <param>
      <name>main.ldapRealm.memberAttributeValueTemplate</name>
      <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory.systemUsername</name>
      <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory.systemPassword</name>
      <value>guest-password</value>
    </param>
    <param>
      <name>urls./**</name>
      <value>authcBasic</value>
    </param>
  </provider>
  ```

In this example, you need to configure these properties to set up the Knox Gateway for LDAP authentication caching. The Knox Gateway also includes several template topology files that you can use to test the caching function. You can locate these template files in the templates directory. To test the caching function, perform the steps listed below.

- Navigate to the Knox gateway HOME directory.

  ```bash
  cd {GATEWAY_HOME}
  ```
- Copy the template file to your sandbox.

  ```bash
  cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml
  ```
- Start the LDAP authentication provider.

  ```bash
  bin/ldap.sh start
  ```
- Start the Knox gateway.

  ```bash
  bin/gateway.sh start
  ```
- Once the gateway is started, make the following WebHDFS API call:

  ```bash
  curl -ivk -u tom:tom-password -X GET 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'
  ```
- To see LDAP authentication caching working, shut down the LDAP authentication provider.

  ```bash
  bin/ldap.sh stop
  ```
- Run the WebHDFS API call again.

  ```bash
  curl -ivk -u tom:tom-password -X GET 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'
  ```
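Before restarting the gateway, the caching wiring in the provider block can be checked offline. The following is an added example, not part of Knox or the original page: a small Python lint that verifies every `$name` value refers to a declared `main.<name>` object and that enabling `authenticationCachingEnabled` is accompanied by a cache manager. The function names and the constructed sample (which contains two deliberate mistakes) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the provider shown on this page with two
# deliberate mistakes (a stray "$" before the URL, no cache manager wiring).
SAMPLE = """
<provider>
  <role>authentication</role>
  <enabled>true</enabled>
  <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name><value>$ldap://localhost:33389</value></param>
  <param><name>main.cacheManager</name><value>org.apache.shiro.cache.ehcache.EhCacheManager</value></param>
  <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>true</value></param>
</provider>
"""

def provider_params(xml_text):
    """Return {name: value} for every <param> inside a provider element."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("param")}

def lint_caching(params, realm="ldapRealm"):
    """Return a list of findings about the Shiro caching wiring."""
    findings = []
    # Shiro objects are declared as main.<name>, with no further dots.
    objects = {n.split(".")[1] for n in params
               if n.startswith("main.") and n.count(".") == 1}
    # A value starting with "$" must point at one of those objects.
    for name, value in params.items():
        if value.startswith("$") and value[1:] not in objects:
            findings.append(f"{name}: reference {value!r} matches no main.<object>")
    key = f"main.{realm}.authenticationCachingEnabled"
    if params.get(key, "false").lower() == "true":
        # Accept the wiring used on this page, or a manager set on the realm itself.
        mgr = (params.get("main.securityManager.cacheManager")
               or params.get(f"main.{realm}.cacheManager", ""))
        if not mgr.startswith("$") or mgr[1:] not in objects:
            findings.append(f"{key} is true but main.securityManager.cacheManager "
                            "is not wired to a declared cache manager")
    return findings

if __name__ == "__main__":
    for finding in lint_caching(provider_params(SAMPLE)):
        print("FINDING:", finding)
```

Run against the corrected provider block, the lint returns no findings; the realm name defaults to `ldapRealm` and can be passed explicitly if the topology uses a different one.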
 

