Zeppelin 0.8.0 to Active Directory with ldaps on 636

New Contributor

We have a bind DN account with a space in the name: cn=account,ou=System Accounts,dc=my,dc=domain,dc=com. We keep getting LDAP error 49, data 52e. All pertinent certificates are in the Zeppelin truststore. We are using ActiveDirectoryGroupRealm.

Any working example configs for ldaps on 636 for active directory would be most welcome.

***

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.apache.shiro.realm.ldap.DefaultLdapContextFactory.createLdapContext(DefaultLdapContextFactory.java:276)
    at org.apache.shiro.realm.ldap.DefaultLdapContextFactory.getLdapContext(DefaultLdapContextFactory.java:263)
    at org.apache.shiro.realm.ldap.DefaultLdapContextFactory.getLdapContext(DefaultLdapContextFactory.java:224)
    at org.apache.shiro.realm.ldap.DefaultLdapContextFactory.getSystemLdapContext(DefaultLdapContextFactory.java:205)
    at org.apache.zeppelin.realm.ActiveDirectoryGroupRealm.queryForAuthorizationInfo(ActiveDirectoryGroupRealm.java:240)
    at org.apache.zeppelin.realm.ActiveDirectoryGroupRealm.doGetAuthorizationInfo(ActiveDirectoryGroupRealm.java:139)
    ... 69 more
WARN [2018-08-28 19:36:32,267] ({qtp2136344592-17 - /api/login} HttpChannel.java[handleException]:482) - Could not send response error 500: javax.servlet.ServletException: org.apache.shiro.authz.AuthorizationException: LDAP naming error while attempting to retrieve authorization for user [ldapsmothra].

Accepted Solutions

Re: Zeppelin 0.8.0 to Active Directory with ldaps on 636

New Contributor

I finally figured this out....

You MUST use the short name for activeDirectoryRealm.systemUsername, without the domain and not a distinguished name. In my case.... ldapsmothra

Re: Zeppelin 0.8.0 to Active Directory with ldaps on 636

New Contributor

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm

#activeDirectoryRealm.systemUsername = CN=ldapsmothra,OU=System Accounts,OU=bogus,DC=my,DC=domain,DC=com

activeDirectoryRealm.systemUsername = ldapsmothra@my.domain.com

activeDirectoryRealm.systemPassword = notthepassword

activeDirectoryRealm.searchBase = ou=bogus,DC=my,dc=domain,dc=com

activeDirectoryRealm.url = ldaps://dc1.my.domain.com:636

activeDirectoryRealm.groupRolesMap = "ou=users,OU=Security Groups,ou=bogus,DC=my,dc=domain,dc=com":"admin"

activeDirectoryRealm.authorizationCachingEnabled = false

activeDirectoryRealm.principalSuffix = @my.domain.com

securityManager.realms = $activeDirectoryRealm
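
The rule from the accepted answer, applied as a lint over realm settings like those posted above (Zeppelin reads them from shiro.ini). This is an added example, not code from the thread or from Zeppelin: the function names and the sample text are constructed here, and the suffix check assumes the realm appends principalSuffix to the system account before binding.

```python
import re

# Constructed sample mirroring the settings posted in this thread.
SAMPLE_INI = """\
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = CN=ldapsmothra,OU=System Accounts,DC=my,DC=domain,DC=com
activeDirectoryRealm.systemUsername = ldapsmothra@my.domain.com
activeDirectoryRealm.url = ldaps://dc1.my.domain.com:636
activeDirectoryRealm.principalSuffix = @my.domain.com
"""

def parse_settings(text, realm="activeDirectoryRealm"):
    """Return {property: value} for one realm, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if sep and key.startswith(realm + "."):
            settings[key[len(realm) + 1:]] = value.strip()
    return settings

def classify_username(name):
    """Classify bind-account syntax as 'dn', 'upn', 'downlevel' or 'short'."""
    if re.search(r"(?i)\b(cn|ou|dc|uid)\s*=", name):
        return "dn"
    if "@" in name:
        return "upn"
    if "\\" in name:
        return "downlevel"
    return "short"

def lint(text):
    """Return findings for the realm's bind account and URL settings."""
    s = parse_settings(text)
    user, suffix = s.get("systemUsername", ""), s.get("principalSuffix", "")
    if not user:
        return ["systemUsername is not set"]
    findings = []
    kind = classify_username(user)
    if kind != "short":
        findings.append(f"systemUsername is in {kind} form; use the short name")
    # Assumption: the suffix is appended to the system account too, doubling it.
    if suffix and user.lower().endswith(suffix.lower()):
        findings.append("systemUsername already ends with principalSuffix")
    if not s.get("url", "").lower().startswith("ldaps://"):
        findings.append("url does not use ldaps://")
    return findings
```

Calling `lint(SAMPLE_INI)` reports both the UPN form and the duplicated suffix; with `systemUsername = ldapsmothra` it returns an empty list.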