Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Zeppelin user role mapping using Active Directory

avatar
Contributor

Hi,

Active Directory users can successfully login to Zeppelin but roles are not mapped to the users.

Here is the shiro.ini configuration:

[main]
adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
adRealm.url = ldap://domain.com:389
adRealm.searchBase = DC=domain,DC=com
adRealm.groupRolesMap = "CN=admins,OU=HWX,DC=domain,DC=com":"admin","CN=users,OU=HWX,DC=domain,DC=com":"users"
adRealm.systemUsername = hwx@DOMAIN.COM
adRealm.systemPassword = XXXXXX
adRealm.principalSuffix = @DOMAIN.COM
adRealm.authorizationCachingEnabled = false
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $adRealm
shiro.loginUrl = /api/login


[roles]
admin = *
users = *


[urls]
/** = authc
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]

Is there something missing in the configuration?

The following message is displayed on the log:

WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}}

Many thanks in advance,

Jorge.

1 ACCEPTED SOLUTION

avatar
Master Collaborator

Hi @Jorge Florencio you can use ldap in place on adrealm, just need to change the Active Directory details to suit your AD environment.

Refer to this article: https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...

View solution in original post

4 REPLIES 4

avatar
Master Collaborator

@Jorge Florencio Group search base is missing, try with below template

========

ldapRealm=org.apache.zeppelin.realm.LdapRealm

ldapRealm.contextFactory.systemUsername =cn=manager,dc=charan,dc=com

ldapRealm.contextFactory.systemPassword =xxxx

ldapRealm.contextFactory.authenticationMechanism=simple

ldapRealm.contextFactory.url=ldap://ldap_url:389

ldapRealm.authorizationEnabled=true

#ldapRealm.pagingSize = 20000

ldapRealm.searchBase=dc=sai,dc=com

ldapRealm.userSearchBase=ou=People,dc=charan,dc=com

ldapRealm.groupSearchBase=cn=admin,ou=Group,dc=charan,dc=com

ldapRealm.userObjectClass=*

ldapRealm.groupObjectClass=groupOfNames

ldapRealm.userSearchAttributeName = uid

ldapRealm.userSearchScope = subtree

ldapRealm.groupSearchScope = subtree

ldapRealm.userSearchFilter= (&(objectclass=*)(uid={0}))

ldapRealm.memberAttribute = member

ldapRealm.memberAttributeValueTemplate={0}

ldapRealm.rolesByGroup = "admin":admin_role

============

avatar
Contributor

Hi @scharan ,

you are using ldapRealm. There's no way to solve the issue using ActiveDirectoryRealm?

Thanks!

Jorge.

avatar
Master Collaborator

Hi @Jorge Florencio you can use ldap in place on adrealm, just need to change the Active Directory details to suit your AD environment.

Refer to this article: https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u...

avatar
Contributor

It worked using LDAP realm.

Thank you!