Hey all,

I'm trying to configure Zeppelin via LDAP auth (against Windows AD) using Apache Shiro and restrict login to a specific set of groups. The Zeppelin version is 0.11.1. (I manually anonymized the below; there might be c&p errors, but the problem statement should be clear.)

The LDAP config is:

ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=CN=admin,OU=users,DC=example,DC=com
ldapRealm.contextFactory.systemPassword=verrysecret
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldaps://example.com:636
ldapRealm.pagingSize=200
ldapRealm.authorizationEnabled=true
ldapRealm.searchBase=DC=example,DC=com
ldapRealm.userSearchBase=DC=example,DC=com
ldapRealm.groupSearchBase=DC=example,DC=com
ldapRealm.userObjectClass=user
ldapRealm.groupObjectClass=group
ldapRealm.userSearchAttributeName=sAMAccountName
ldapRealm.userSearchScope=subtree
ldapRealm.groupSearchScope=subtree
ldapRealm.userSearchFilter=(&(objectclass=user)(sAMAccountName={0}))
ldapRealm.groupSearchFilter=(&(objectclass=group)(member={0}))
ldapRealm.memberAttribute=memberOf
ldapRealm.rolesByGroup=groupToMatch : admin
ldapRealm.allowedRolesForAuthentication=admin
ldapRealm.userLowerCase=true
ldapRealm.groupSearchEnableMatchingRuleInChain=false

I turned on the debug log and it seems the user's groups can't be found:

DEBUG [2024-12-21 10:16:42,256] ({qtp262366552-64} DefaultLdapRealm.java[queryForAuthenticationInfo]:369) - Authenticating user 'johndoe' through LDAP
DEBUG [2024-12-21 10:16:42,297] ({qtp262366552-64} LdapRealm.java[getUserDn]:915) - SearchBase,SearchFilter,UserSearchScope: DC=example,DC=com,(&(objectclass=user)(sAMAccountName=johndoe)),subtree
DEBUG [2024-12-21 10:16:42,303] ({qtp262366552-64} LdapRealm.java[getUserDn]:921) - UserDN Returned,Principal: CN=johndoe,OU=users,DC=example,DC=com,johndoe
DEBUG [2024-12-21 10:16:42,375] ({qtp262366552-64} LdapRealm.java[rolesFor]:338) - userLowerCase true
DEBUG [2024-12-21 10:16:42,403] ({qtp262366552-64} LdapRealm.java[getUserDn]:915) - SearchBase,SearchFilter,UserSearchScope: DC=example,DC=com,(&(objectclass=user)(sAMAccountName=johndoe)),subtree
DEBUG [2024-12-21 10:16:42,303] ({qtp262366552-64} LdapRealm.java[getUserDn]:921) - UserDN Returned,Principal: CN=johndoe,OU=users,DC=example,DC=com,johndoe
DEBUG [2024-12-21 10:16:42,408] ({qtp262366552-64} LdapRealm.java[rolesFor]:348) - Ldap PagingSize: 200
DEBUG [2024-12-21 10:16:42,409] ({qtp262366552-64} LdapRealm.java[rolesFor]:392) - Group SearchBase|SearchFilter|GroupSearchScope: DC=example,DC=com|(&(objectclass=group)(member=johndoe))|subtree
DEBUG [2024-12-21 10:16:42,412] ({qtp262366552-64} LdapRealm.java[rolesFor]:427) - User RoleNames: johndoe::[]

Ending up in:

Caused by: javax.naming.NamingException: Principal does not have any of the allowedRolesForAuthentication

LDAP auth seems to work in the first place; if I turn off "ldapRealm.allowedRolesForAuthentication" I'm able to log in with any AD user.

I've also tested the LDAP search filter from the above log (empty result):

ldapsearch -o ldif-wrap=no -x -LLL -H ldaps://example.com:636 -D "CN=admin,OU=users,DC=example,DC=com" -W -b "dc=example,dc=com" -s sub '(&(objectclass=group)(member=CN=johndoe))'

But if I use the user's full DN, I get all groups the user is in and their members:

ldapsearch -o ldif-wrap=no -x -LLL -H ldaps://example.com:636 -D "CN=admin,OU=users,DC=example,DC=com" -W -b "dc=example,dc=com" -s sub '(&(objectclass=group)(member=CN=johndoe,OU=users,DC=example,DC=com))'

I've also tried omitting the "ldapRealm.groupSearchFilter", still no luck.

Any help is appreciated!

Jonathan
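
The mismatch visible in the post's debug log, as an added example that is not part of the original message or of Zeppelin's code: it reads the `getUserDn` and `rolesFor` lines and reports every group search whose `member` value differs from the DN returned for the user (Active Directory stores `member` values as full DNs). The function names are hypothetical and the sample lines are copied from the log above.

```python
import re

# Sample lines copied from the debug log in the post (anonymized by its author).
SAMPLE_LOG = """\
DEBUG [2024-12-21 10:16:42,303] ({qtp262366552-64} LdapRealm.java[getUserDn]:921) - UserDN Returned,Principal: CN=johndoe,OU=users,DC=example,DC=com,johndoe
DEBUG [2024-12-21 10:16:42,409] ({qtp262366552-64} LdapRealm.java[rolesFor]:392) - Group SearchBase|SearchFilter|GroupSearchScope: DC=example,DC=com|(&(objectclass=group)(member=johndoe))|subtree
"""

# The DN and the login name are comma-joined; the login name is the last field.
USER_DN_RE = re.compile(r"UserDN Returned,Principal: (?P<dn>.+),(?P<principal>[^,]+)$")
# The filter may itself contain '|' (LDAP OR), so match it greedily between the outer pipes.
GROUP_RE = re.compile(r"Group SearchBase\|SearchFilter\|GroupSearchScope: [^|]*\|(?P<filter>.*)\|[^|]*$")
MEMBER_RE = re.compile(r"\(member=([^()]*)\)", re.IGNORECASE)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value):
    """Turn RFC 4515 \\XX escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def check_group_filter(log_text):
    """Return one finding per member assertion that does not carry the user DN."""
    user_dn, findings = None, []
    for line in log_text.splitlines():
        line = line.rstrip()
        dn_match = USER_DN_RE.search(line)
        if dn_match:
            user_dn = dn_match.group("dn")
            continue
        group_match = GROUP_RE.search(line)
        if not group_match or user_dn is None:
            continue
        for member in MEMBER_RE.finditer(group_match.group("filter")):
            sent = unescape_filter_value(member.group(1))
            if sent.lower() != user_dn.lower():  # DN comparison is case-insensitive here
                expected = "(member=%s)" % escape_filter_value(user_dn)
                findings.append({"sent": sent, "user_dn": user_dn, "expected_assertion": expected})
    return findings


if __name__ == "__main__":
    for f in check_group_filter(SAMPLE_LOG):
        print("filter sent member=%r; a DN-valued match needs %s" % (f["sent"], f["expected_assertion"]))
```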