Support Questions

@Ekantheshwara Basappa can you share how you configured it with AD? i'm trying to achieve the same with AD.

@Ekantheshwara Basappa

Groups and roles mapping using ldapRealm in shiro is not supported as per Zeppelin 0.6.0 version. What is your HDP version? Below is the Apache Jira:

https://issues.apache.org/jira/browse/ZEPPELIN-1472

The ldap realm will be changed to 'ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm' and you can use 'ldapRealm.rolesByGroup = hdpeng: admin' for group role mapping.

Hello @Ekantheshwara Basappa
did you find a solution for this issue ? I have the same problem.
I'm in HDP 2.6.2 and zeppelin 0.7.2

@farhanekarim The feature was added in zeppelin 0.7.0, so you should be able to get it working. There's some documentation on using LdapRealm, but there aren't many examples floating about, best to look at the conf example in the code. Basically you want something like:

ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.url = ldap://localhost:33389
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
ldapRealm.contextFactory.systemPassword = S{ALIAS=ldcSystemPassword}
ldapRealm.authorizationEnabled = true
ldapRealm.userSearchBase = dc=hadoop,dc=apache,dc=org
ldapRealm.groupSearchBase = ou=groups,dc=hadoop,dc=apache,dc=org
ldapRealm.userObjectClass = person
ldapRealm.groupObjectClass = groupofnames
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute = member
ldapRealm.rolesByGroup = LDN_USERS: user_role, NYK_USERS: user_role, GLOBAL_ADMIN: admin_role

[roles]
user_role = *
admin_role= *

The code for Zeppelin is similar to the Apache Knox codebase, so if you get stuck have a look for Knox LDAP configuration (e.g. here).

Thanks Scott for your add.
I have already tried this. But the problem is that apache shiro does not retreive group memebership from ldap.
And i think it's a bug in the 0.7.0 of zeppelin: https://issues.apache.org/jira/browse/ZEPPELIN-2796
Unfortunately, this is corrected in the 0.8 version of zeppelin and i don't know when it will be packaged on HDP ?
do you have informations about this ?
thank you

Have you resolved this? We configured Zeppelin ver. 0.7.0 using LdapRealm and roles are populated. The key properties are

ldapRealm.groupObjectClass=group
ldapRealm.memberAttribute=member
ldapRealm.groupIdAttribute=cn

These are defaults, and I don't have IPA server handy, so please do ldapsearch for one of your groups to confirm. You will see multiple group's classes in the output, select one used for users' groups. "memberAttribute" appears on the left side in the list of group members. And "GroupIdAttribute" is what LdapRealm will return as the group name instead of the "long" ldap name, without any OUs, DCs etc. Use those group names in your "rolesByGroup" and keep the capitals if any. Also restrict as much as possible your "groupSearchBase" and you can also try to increase ldapRealm.pageSize from default 100 to 200 or 300. If you still get no roles post your LdapRealm settings, and a few lines from your ldapsearch.