The latest, 0.8

On Mon, 9 Jul 2018, 17:21 Ruslan Dautkhanov, <dautkha...@gmail.com> wrote:

> Which version of Zeppelin are you using?
> If it's 0.7, try 0.8. I remember seeing some issues were fixed in 0.8 and
> in master regarding these AD/LDAP groups...
>
> --
> Ruslan Dautkhanov
>
>
> On Mon, Jul 9, 2018 at 3:23 AM kolbertand...@gmail.com <kolbertand...@gmail.com> wrote:
>
>> Hi,
>>
>> We've been trying to add the right shiro configuration to ensure that only a
>> specific AD group can log in, and also differentiate roles. We got two
>> working solutions, but the first lets in everyone within the active
>> directory (but the roles work fine), the second does not let in everyone
>> but the roles do not work.
>>
>> 1)
>> This version works for adding roles to the specific CNs but allows
>> everyone to login.
>>
>> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
>> activeDirectoryRealm.systemUsername = aduser
>> activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
>> activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
>> activeDirectoryRealm.url = ldap://AD.domain.local:389
>> activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
>> activeDirectoryRealm.authorizationCachingEnabled = false
>> activeDirectoryRealm.principalSuffix = @domain.local
>> securityManager.realms = $activeDirectoryRealm
>>
>> 2)
>> This version limits down the login to the specified AD group, but does
>> not associate roles with the group.
>>
>> ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
>> ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
>> ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
>> ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
>> ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
>> ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
>> ldapADGCRealm.groupObjectClass = group
>> ldapADGCRealm.memberAttribute = memberUid
>> ldapADGCRealm.groupIdAttribute = cn
>> ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
>> ldapADGCRealm.rolesByGroup = users: admin
>> ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
>> ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389 (edited)
>>
>>
>>
>> Related posts:
>>
>> https://community.hortonworks.com/questions/54896/zeppelin-ad-users-not-binded-to-groups.html
>>
>> https://community.hortonworks.com/questions/82135/how-to-limit-access-to-zeppelin-webui-based-for-sp.html
>>
>> Any ideas where we go wrong?
>>
>> Thanks,
>> Andras
>>
>