Zeppelin LDAP: How to use userSearch attributes instead of userDnTemplate for LdapRealm in HDP 2.6.3?

New Contributor

Hi All,

The current configuration for Zeppelin LDAP is working with HDP stack version 2.6.3 and Zeppelin version 0.7.3

[users]
admin = ****, admin
[main] 
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = CN={0},OU=standard,OU=Users,ou=**,dc=**,dc=**
ldapRealm.contextFactory.url = ldaps://*****.****.****.****.***:***
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.contextFactory.systemUsername = *****
ldapRealm.contextFactory.systemPassword = ****
ldapRealm.rolesByGroup = "***":***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Now, for some reason, we are going to capture "uid" for user login instead of "CN", and hence we cannot use "userDnTemplate", as it is configured with "CN" on our LDAP servers.

As per the link, we can define userSearch attributes, which are supposed to cause "userDnTemplate" to be ignored. However, it is not working and we are encountering the following error:

DEBUG [2019-05-17 11:28:55,438] ({qtp64830413-18 - /api/login} JndiLdapRealm.java[queryForAuthenticationInfo]:369) - Authenticating user '****' through LDAP
DEBUG [2019-05-17 11:28:55,438] ({qtp64830413-18 - /api/login} JndiLdapContextFactory.java[getLdapContext]:488) - Initializing LDAP context using URL [ldaps://*****.****.****.****.***:***] and principal [****] with pooling enabled
DEBUG [2019-05-17 11:28:55,575] ({qtp64830413-18 - /api/login} ModularRealmAuthenticator.java[doMultiRealmAuthentication]:224) - Realm [org.apache.zeppelin.realm.LdapRealm@81eaf95] threw an exception during a multi-realm authentication attempt:
java.lang.IllegalArgumentException: Illegal principal name: ******
        at org.apache.zeppelin.realm.LdapRealm.getUserDn(LdapRealm.java:921)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.getLdapPrincipal(JndiLdapRealm.java:342)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:371)
        at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:228)
        at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295)
        at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:207)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:80)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:205)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:102)

The new configuration we are trying:

[users]
admin = ***, admin
[main] 
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.userDnTemplate = CN={0},OU=standard,OU=Users,ou=**,dc=**,dc=** 
ldapRealm.contextFactory.url = ldaps://*****.****.****.****.***:***
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.contextFactory.systemUsername = ****
ldapRealm.contextFactory.systemPassword = ****
ldapRealm.searchBase = ou=****,dc=***,dc=****
ldapRealm.userSearchBase = OU=Users,ou=***,dc=***,dc=***
ldapRealm.groupSearchBase = OU=Managed,OU=Groups,ou=***,dc=***,dc=***
ldapRealm.groupObjectClass = group
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = uid
ldapRealm.memberAttribute = member
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree

ldapRealm.rolesByGroup = "***":***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Kindly advise if we are missing something in the configuration.

Re: Zeppelin LDAP: How to use userSearch attributes instead of userDnTemplate for LdapRealm in HDP 2.6.3?

New Contributor

Hi All,

Thanks, we have resolved the issue. This link has been useful for understanding the LdapRealm attributes.

Updated configuration:

[users]
admin = admin, admin
[main] 
ldapRealm = org.apache.zeppelin.realm.LdapRealm
#ldapRealm.userDnTemplate = CN={0},OU=***,OU=***,ou=***,dc=***,dc=***
ldapRealm.userSearchBase=OU=***,ou=***,dc=***,dc=***
ldapRealm.userSearchFilter=(&(objectclass=person)(uid={0})(|(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)(memberOf=CN=***,OU=***,OU=Groups,ou=***,dc=***,dc=***)))
ldapRealm.contextFactory.url = ldaps://***:636
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.systemUsername = ***
ldapRealm.contextFactory.systemPassword = ***
#anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
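The working configuration in the reply differs from the failing one in two ways: userDnTemplate is commented out, and the user is located through userSearchBase plus a userSearchFilter with a {0} placeholder. The following added example (not from the thread or from Zeppelin itself) lints a shiro.ini [main] section for exactly those points and renders the filter for a login name with RFC 4515 escaping, so that a name containing filter metacharacters cannot change the shape of the search. The INI text, DNs and host names are constructed placeholders; the property names are the Zeppelin LdapRealm keys used in the thread.

```python
"""Lint the LdapRealm user-search settings of a Zeppelin shiro.ini [main] section."""
import configparser

# Constructed sample mirroring the shape of the working config in the reply.
SAMPLE_INI = """
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
#ldapRealm.userDnTemplate = CN={0},OU=Users,dc=example,dc=com
ldapRealm.userSearchBase = OU=Users,dc=example,dc=com
ldapRealm.userSearchFilter = (&(objectclass=person)(uid={0})(memberOf=CN=zeppelin,OU=Groups,dc=example,dc=com))
ldapRealm.contextFactory.url = ldaps://ldap.example.com:636
"""

# RFC 4515 escapes for values substituted into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the login name is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_main(ini_text: str) -> dict:
    """Parse the [main] section; '#' lines are comments, key case is preserved (Shiro keys are case-sensitive)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), comment_prefixes=("#", ";"))
    parser.optionxform = str
    parser.read_string(ini_text)
    return dict(parser["main"])


def lint_user_search(main: dict) -> list:
    """Return findings for a uid-search setup; an empty list means the settings are consistent with the working config."""
    findings = []
    if "ldapRealm.userDnTemplate" in main:
        findings.append("userDnTemplate is still active; comment it out when searching by uid")
    if "ldapRealm.userSearchBase" not in main:
        findings.append("userSearchBase missing")
    flt = main.get("ldapRealm.userSearchFilter")
    if flt is None:
        findings.append("userSearchFilter missing")
    elif "{0}" not in flt:
        findings.append("userSearchFilter has no {0} placeholder for the login name")
    elif flt.count("(") != flt.count(")"):
        findings.append("userSearchFilter parentheses are unbalanced")
    for key in ("ldapRealm.userSearchScope", "ldapRealm.groupSearchScope"):
        if main.get(key, "").endswith(";"):
            findings.append(f"{key} has a trailing ';' that becomes part of the value")
    return findings


def render_filter(main: dict, login: str) -> str:
    """Substitute the escaped login name for {0} in userSearchFilter."""
    return main["ldapRealm.userSearchFilter"].replace("{0}", escape_filter_value(login))
```

Running lint_user_search over the question's failing [main] section reports the active userDnTemplate, the missing userSearchFilter and the trailing semicolons; the reply's section reports nothing.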