Support Questions
Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

How to configure groups and roles mapping using ldapRealm in Shiro config for Zeppelin ?


I have been trying to configure groups and roles mapping in Shiro Config of Zeppelin. I am using FreeIPA as the LDAP Server and therefore I need to use ldapRealm in Shiro. I need to assign different 'roles' to different LDAP groups and then define what access these different roles have in Zeppelin. I could not get any documentation online for achieving this using ldapRealm. I have achieved the same using ActiveDirectoryRealm in a different env where AD was used. However, I have not been able to successfully do the config using ldapRealm. Any guidance appreciated.


@Ekanthesara Basappa did you figure out on how to achieve this?

Expert Contributor

@Ekantheshwara Basappa can you share how you configured it with AD? i'm trying to achieve the same with AD.


@Ekantheshwara Basappa

Groups and roles mapping using ldapRealm in shiro is not supported as per Zeppelin 0.6.0 version. What is your HDP version? Below is the Apache Jira:

The ldap realm will be changed to 'ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm' and you can use 'ldapRealm.rolesByGroup = hdpeng: admin' for group role mapping.

New Contributor

Hello @Ekantheshwara Basappa
did you find a solution for this issue ? I have the same problem.
I'm in HDP 2.6.2 and zeppelin 0.7.2

New Contributor

@farhanekarim The feature was added in zeppelin 0.7.0, so you should be able to get it working. There's some documentation on using LdapRealm, but there aren't many examples floating about, best to look at the conf example in the code. Basically you want something like:

ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://localhost:33389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = S{ALIAS=ldcSystemPassword}
ldapRealm.authorizationEnabled = true
ldapRealm.userSearchBase = dc=hadoop,dc=apache,dc=org
ldapRealm.groupSearchBase = ou=groups,dc=hadoop,dc=apache,dc=org
ldapRealm.userObjectClass = person
ldapRealm.groupObjectClass = groupofnames
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute = member
ldapRealm.rolesByGroup = LDN_USERS: user_role, NYK_USERS: user_role, GLOBAL_ADMIN: admin_role
user_role = *
admin_role= *

The code for Zeppelin is similar to the Apache Knox codebase, so if you get stuck have a look for Knox LDAP configuration (e.g. here).

New Contributor

Thanks Scott for your add.
I have already tried this. But the problem is that apache shiro does not retreive group memebership from ldap.
And i think it's a bug in the 0.7.0 of zeppelin:
Unfortunately, this is corrected in the 0.8 version of zeppelin and i don't know when it will be packaged on HDP ?
do you have informations about this ?
thank you


@karim farhane,

ZEPPELIN-2796 is included in HDP version 2.6.3 onwards. FYI.

Have you resolved this? We configured Zeppelin ver. 0.7.0 using LdapRealm and roles are populated. The key properties are


These are defaults, and I don't have IPA server handy, so please do ldapsearch for one of your groups to confirm. You will see multiple group's classes in the output, select one used for users' groups. "memberAttribute" appears on the left side in the list of group members. And "GroupIdAttribute" is what LdapRealm will return as the group name instead of the "long" ldap name, without any OUs, DCs etc. Use those group names in your "rolesByGroup" and keep the capitals if any. Also restrict as much as possible your "groupSearchBase" and you can also try to increase ldapRealm.pageSize from default 100 to 200 or 300. If you still get no roles post your LdapRealm settings, and a few lines from your ldapsearch.

New Contributor

Hi Predrag,
We face with the same issues and somehow we can't get it working.
Do you have any idea where we go wrong?

ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = aduser@domain.local
ldapRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
ldapRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
ldapRealm.groupIdAttribute = cn
ldapRealm.groupSearchEnableMatchingRuleInChain = true
ldapRealm.rolesByGroup = users: admin
ldapRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
ldapRealm.contextFactory.url = ldap://AD.domain.local:389

New Contributor



has anyone get this running and can post an running example ?