Created 03-19-2018 11:20 AM
Hi, I am trying to authenticate Zeppelin (0.7.3) with LDAP. I am able to authenticate successfully with the same LDAP configuration using Apache Zeppelin 0.7.3, but not with the HDP-installed Zeppelin.
I am getting a null pointer exception at getListRoles in the realm class; that is what I observed from the logging messages. But I am not sure why this exception is received only in the HDP-based Zeppelin installation.
Please find the attached error issue. zeppeline-error.png
Created 03-19-2018 06:43 PM
Hi @V_A n,
I think there is a problem with your configuration for HDP. It looks like it is failing on the code to get user roles from shiro.ini.
/**
 * Get user roles from shiro.ini for Zeppelin LdapRealm
 * @param r
 * @return
 */
public List<String> getRolesList(LdapRealm r) {
  List<String> roleList = new ArrayList<>();
  Map<String, String> roles = r.getListRoles();
  if (roles != null) {
    Iterator it = roles.entrySet().iterator();
    while (it.hasNext()) {
      Map.Entry pair = (Map.Entry) it.next();
      if (LOG.isDebugEnabled()) {
        LOG.debug("RoleKeyValue: " + pair.getKey() + " = " + pair.getValue());
      }
      roleList.add((String) pair.getKey());
    }
  }
  return roleList;
}
Please check the following has been done correctly for HDP.
Created 03-20-2018 05:32 AM
Hi @dvillarreal
Modified configuration to add group roles:
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <ldap_binding_user> (just username without @domain.com)
activeDirectoryRealm.systemPassword = <ldap_binding_password>
activeDirectoryRealm.searchBase = OU=GROUP,DC=DOMAIN,DC=COM
activeDirectoryRealm.url = ldap://ldap.domain.com:389
activeDirectoryRealm.groupRolesMap = "CN=group,DC=domain,DC=com":"admin"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @domain.com
securityManager.realms = $activeDirectoryRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
Now I am getting an authentication failed exception, but with the same user name and password I was able to log in from Apache Zeppelin.
Created 03-20-2018 07:14 AM
After the configuration changes I am getting the following exception:
LDAP naming error while attempting to retrieve authorization for user
Created 03-20-2018 08:12 AM
Then I specified username@domain.com and again got the login failed exception.
Created 08-03-2018 03:42 PM
@V_A n On the unsecure LDAP port 389, tcpdump the traffic when the login fails and post it here for me to look at the error.
Created 08-05-2018 07:24 AM
The value for the realm "activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm" is changed in the HDP 2.6.x version; it is changed to "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm". Even with the above config, Zeppelin start should fail. Not sure if the config provided is correct.
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = <binduser>
activeDirectoryRealm.systemPassword = <Password>
activeDirectoryRealm.searchBase = DC=lab,DC=test,DC=net
activeDirectoryRealm.url = ldap://<ldapServer>
activeDirectoryRealm.principalSuffix = @lab.test.net
activeDirectoryRealm.groupRolesMap = "CN=hadoop-users,OU=groups,DC=lab,DC=test,DC=net":"group1"
activeDirectoryRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $activeDirectoryRealm
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
Created 08-05-2018 07:31 AM
If you are using the HDP 2.6.x version, I would recommend using LdapRealm instead of ActiveDirectoryGroupRealm.
LdapRealm has more configurable options to customize the way you want to authenticate with AD/LDAP.
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername = <bindUser>@lab.test.net
ldapRealm.contextFactory.systemPassword = <Password>
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.contextFactory.url = ldap://<AD-server>
ldapRealm.authorizationEnabled = true
ldapRealm.searchBase = DC=lab,DC=test,DC=net
ldapRealm.userSearchBase = DC=lab,DC=test,DC=net
ldapRealm.groupSearchBase = DC=lab,DC=test,DC=net
ldapRealm.userObjectClass = person
ldapRealm.groupObjectClass = group
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree
ldapRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0}))
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.realms = $ldapRealm
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
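As an added example (not code from this thread, Zeppelin or Shiro), a small Python linter for the shiro.ini [main] section that flags the things the two replies above turn on: the realm class package that moved to org.apache.zeppelin.realm in HDP 2.6.x, a groupRolesMap value that is not in "<groupDN>":"<role>" form, a securityManager.realms reference to a realm that is not defined, and a plain ldap:// URL, which sends the bind password and user logins in the clear (the reason a tcpdump on port 389 shows the error at all). The sample config, hostnames and DNs are constructed.

```python
import configparser
import re

# Package prefixes for the Zeppelin realm classes, as named in this thread.
LEGACY_PREFIX = "org.apache.zeppelin.server."   # pre-HDP-2.6 location
HDP26_PREFIX = "org.apache.zeppelin.realm."     # HDP 2.6.x location
# groupRolesMap must be "<groupDN>":"<role>" pairs, comma separated.
GROUP_MAP_RE = re.compile(r'^"[^"]+":"[^"]+"(\s*,\s*"[^"]+":"[^"]+")*$')

# Constructed sample reproducing the thread's mistakes (hostnames/DNs invented).
SAMPLE_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = binduser
activeDirectoryRealm.systemPassword = PLACEHOLDER_PASSWORD
activeDirectoryRealm.searchBase = DC=lab,DC=test,DC=net
activeDirectoryRealm.url = ldap://ldap.lab.test.net:389
activeDirectoryRealm.groupRolesMap = "CN=group,DC=lab,DC=test,DC=net":"admin
securityManager.realms = $activeDirectoryRealm
shiro.loginUrl = /api/login
"""


def lint_shiro_main(text):
    """Return a list of findings (strings) for the [main] section of shiro.ini."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: groupRolesMap is not grouprolesmap
    cp.read_string(text)
    main = cp["main"]
    findings = []
    # A realm is a top-level key (no dot) whose value is a *Realm class.
    realms = {k: v for k, v in main.items() if "." not in k and v.endswith("Realm")}
    for name, cls in realms.items():
        if cls.startswith(LEGACY_PREFIX):
            findings.append(f"{name}: {cls} is the pre-HDP-2.6 package; HDP 2.6.x "
                            f"uses {cls.replace(LEGACY_PREFIX, HDP26_PREFIX)}")
        url = main.get(f"{name}.url") or main.get(f"{name}.contextFactory.url")
        if not url:
            findings.append(f"{name}: no LDAP url configured")
        elif url.startswith("ldap://"):
            findings.append(f"{name}: bind password and user logins cross the "
                            f"network in clear over {url}; prefer ldaps://")
        gmap = main.get(f"{name}.groupRolesMap")
        if gmap is not None and not GROUP_MAP_RE.match(gmap):
            findings.append(f'{name}.groupRolesMap is not "<groupDN>":"<role>" form: {gmap}')
    if main.get("securityManager.realms", "").lstrip("$") not in realms:
        findings.append("securityManager.realms does not name a realm defined above")
    return findings
```

Run `lint_shiro_main(SAMPLE_INI)` and it reports three findings; fixing the package, the URL scheme and the missing closing quote brings it to an empty list.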