question Re: Apache Zeppelin - AD integration Version 0.8.2 in Support Questions

Apache Zeppelin - AD integration Version 0.8.2

venkii — Mon, 24 Aug 2020 22:16:03 GMT

please suggest if anyone has successfully integrated with AD.

I'm trying to use below configs and it's not working

ldapRealm= org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://ad.abc.com:389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = svc_abc
ldapRealm.contextFactory.systemPassword = passwdddd
#ldapRealm.searchBase = DC=abc,DC=abc,DC=COM
ldapRealm.userSearchBase = OU=IDM,DC=abc,DC=abc,DC=com
ldapRealm.userSearchScope = subtree
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))

ldapRealm.authorizationEnabled = true
ldapRealm.groupSearchBase = OU=abcGroups,DC=abc,DC=abc,DC=com
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute= member
ldapRealm.groupSearchScope = subtree
ldapRealm.groupSearchFilter = (&(objectclass=group)(member={0}))
ldapRealm.memberAttributeValueTemplate= $CN=g_app_zep,OU=abcGroups,DC=abc,DC=abc,DC=com
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = Zeppelin_Admin: admin_role
ldapRealm.allowedRolesForAuthentication = admin_role,user_role

ERROR:

WARN [2020-08-24 16:31:14,497] ({main} WebAppContext.java[doStart]:554) - Failed startup of context o.e.j.w.WebAppContext@22635ba0{zeppelin-web,/,file:///opt/zepplin/zeppelin-0.8.2-bin-all/webapps/webapp/,UNAVAILABLE}{/opt/zepplin/zeppelin-0.8.2-bin-all/zeppelin-web-0.8.2.war}
org.apache.shiro.config.UnresolveableReferenceException: The object with id [CN=g_app_zep,OU=abcGroups,DC=abc,DC=abc,DC=com] has not yet been defined and therefore cannot be referenced. Please ensure objects are defined in the order in which they should be created and made available for future reference.

please share if there is any working configs

Re: Apache Zeppelin - AD integration Version 0.8.2

BGabor — Tue, 25 Aug 2020 09:00:53 GMT

Why this $ before CN?

https://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/setup/security/shiro_authentication.html

Re: Apache Zeppelin - AD integration Version 0.8.2

venkii — Tue, 25 Aug 2020 16:30:42 GMT

@BGabor thanks for your response

I'm trying to understand the difference between two blocks given in the document

#BLOCK1
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
activeDirectoryRealm.url = ldap://ldap.test.com:389
activeDirectoryRealm.groupRolesMap = "CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"group1"
activeDirectoryRealm.authorizationCachingEnabled = false
activeDirectoryRealm.principalSuffix = @corp.company.net


##BLOCK2

ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
ldapRealm.contextFactory.url = ldap://ldap.test.com:389
ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
ldapRealm.contextFactory.authenticationMechanism = simple

also define roles/groups that you want to have in the system, like below;

[roles]
admin = *
hr = *
finance = *
group1 = *

could you help me understand?

i want to extract only one group and users from AD, which block should I use. thanks