Created 12-13-2018 07:33 PM
Hi,
Active Directory users can successfully log in to Zeppelin, but roles are not mapped to the users.
Here is the shiro.ini configuration:
[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://domain.com:389
adRealm.searchBase = DC=domain,DC=com
adRealm.groupRolesMap = "CN=admins,OU=HWX,DC=domain,DC=com":"admin","CN=users,OU=HWX,DC=domain,DC=com":"users"
adRealm.systemUsername = hwx@DOMAIN.COM
adRealm.systemPassword = XXXXXX
adRealm.principalSuffix = @DOMAIN.COM
adRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login
[roles]
admin = *
users = *
[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
Is there something missing in the configuration?
The following message is displayed in the log:
WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}}
Many thanks in advance,
Jorge.
Created 12-14-2018 09:21 AM
@Jorge Florencio Group search base is missing; try with the template below.
========
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername =cn=manager,dc=charan,dc=com
ldapRealm.contextFactory.systemPassword =xxxx
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap_url:389
ldapRealm.authorizationEnabled=true
#ldapRealm.pagingSize = 20000
ldapRealm.searchBase=dc=sai,dc=com
ldapRealm.userSearchBase=ou=People,dc=charan,dc=com
ldapRealm.groupSearchBase=cn=admin,ou=Group,dc=charan,dc=com
ldapRealm.userObjectClass=*
ldapRealm.groupObjectClass=groupOfNames
ldapRealm.userSearchAttributeName = uid
ldapRealm.userSearchScope = subtree
ldapRealm.groupSearchScope = subtree
ldapRealm.userSearchFilter= (&(objectclass=*)(uid={0}))
ldapRealm.memberAttribute = member
ldapRealm.memberAttributeValueTemplate={0}
ldapRealm.rolesByGroup = "admin":admin_role
============
Created 12-14-2018 03:15 PM
Hi @scharan ,
you are using ldapRealm. There's no way to solve the issue using ActiveDirectoryRealm?
Thanks!
Jorge.
Created 12-15-2018 02:43 AM
Hi @Jorge Florencio, you can use LDAP in place of adRealm; you just need to change the Active Directory details to suit your AD environment.
Refer to this article: https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...
Created 01-14-2019 03:18 PM
It worked using LDAP realm.
Thank you!
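Added example, not part of the thread and not Zeppelin or Shiro code: a small Python check for two conditions in a shiro.ini like the ones posted above that leave `roles[...]` rules without effect. It relies on Shiro evaluating `[urls]` top to bottom with the first match winning; the `parse` and `lint` names are hypothetical, and the sample file is constructed by combining the template's `rolesByGroup` line with the `[urls]` section from the question.

```python
import re

# Constructed sample: the rolesByGroup mapping from the LdapRealm template in this
# thread, combined with part of the [urls] section from the original question.
SAMPLE = """\
[main]
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "admin":admin_role
[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
"""

def parse(text):
    """Return {section: [(key, value), ...]}; order is kept because [urls] is ordered."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def lint(text):
    """Return findings that make role checks ineffective or impossible to satisfy."""
    cfg, findings = parse(text), []
    # Roles the realm can assign: the right-hand side of each group:role pair.
    assignable = set()
    for key, value in cfg.get("main", []):
        if key.endswith((".groupRolesMap", ".rolesByGroup")):
            assignable.update(re.findall(r':\s*"?([\w-]+)"?', value))
    catch_all_seen = False
    for pattern, chain in cfg.get("urls", []):
        # First match wins, so anything listed after "/**" is never evaluated.
        if catch_all_seen:
            findings.append(("shadowed", pattern))
        for group in re.findall(r"roles\[([^\]]+)\]", chain):
            for role in map(str.strip, group.split(",")):
                if role not in assignable:
                    findings.append(("unmapped-role", role))
        catch_all_seen = catch_all_seen or pattern == "/**"
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

On the sample it reports both rules after `/**` as shadowed, and the `admin` role as unmapped because the template maps the group to `admin_role` while `[urls]` requires `admin`.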