Greg Senia created ZEPPELIN-1472:
------------------------------------
Summary: Create new LdapRealm based on Apache Knox LdapRealm Class
Key: ZEPPELIN-1472
URL: https://issues.apache.org/jira/browse/ZEPPELIN-1472
Project: Zeppelin
Issue Type: Improvement
Affects Versions: 0.6.1
Reporter: Greg Senia
Fix For: 0.7.0
In our environment we attempted to use the ActiveDirectoryGroupRealm and the
LdapGroupRealm but unfortunately those implementations against Shiro do not
support the AD LDAP Global Catalog. Also searching on "userPrincipalName" is risky
in an AD environment since the explicit UPN vs. implicit UPN can be different.
And the LDAP userPrincipalName attribute is the explicit UPN which can be
defined by the directory administrator to any value and it can be duplicated.
sAMAccountName is unique per domain and Microsoft states best practice is to
not allow duplicate sAMAccountNames per the forest. I have attached a
semi-working modified KnoxLdapRealm which works against sAMAccountName and
global catalog for auth.
http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
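As an added illustration of the lookup ambiguity the report describes (example code, not Zeppelin's or Knox's own): a simulated global-catalog lookup over constructed entries, showing that a userPrincipalName search can return several accounts, while sAMAccountName is unique only within its domain and so needs a domain qualifier when the search spans the forest. The entries, domain names, UPN suffixes and the DOMAIN\user convention are assumptions.

```python
"""Simulated AD global-catalog lookups: userPrincipalName vs sAMAccountName."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GcEntry:
    dn: str
    domain: str                         # NetBIOS name of the domain holding the account
    sam_account_name: str               # AD guarantees uniqueness only within this domain
    user_principal_name: Optional[str]  # explicit UPN: admin-settable, may collide or be absent


# Constructed sample catalog for one forest with two domains (not real data).
GLOBAL_CATALOG = [
    GcEntry("CN=Jane Doe,OU=Users,DC=corp,DC=example", "CORP", "jdoe", "jdoe@corp.example"),
    # Same sAMAccountName in a second domain: allowed by AD, so not unique forest-wide.
    GcEntry("CN=John Doe,OU=Users,DC=eu,DC=corp,DC=example", "EU", "jdoe", "john.doe@corp.example"),
    # Explicit UPN set by an administrator to a value that collides with Jane's.
    GcEntry("CN=Report Svc,OU=Svc,DC=eu,DC=corp,DC=example", "EU", "svc-report", "jdoe@corp.example"),
    GcEntry("CN=Ann Lee,OU=Users,DC=corp,DC=example", "CORP", "alee", None),
]
UPN_SUFFIX = {"CORP": "corp.example", "EU": "eu.corp.example"}  # assumed domain DNS names


class AmbiguousLogin(Exception):
    """Raised when a login name does not map to exactly one directory entry."""


def implicit_upn(entry: GcEntry) -> str:
    """Implicit UPN = sAMAccountName@<domain DNS name>; may differ from the stored attribute."""
    return f"{entry.sam_account_name}@{UPN_SUFFIX[entry.domain]}".lower()


def lookup_by_upn(upn: str, gc=GLOBAL_CATALOG) -> list:
    """Equivalent of the filter (userPrincipalName=<upn>) against the global catalog."""
    return [e for e in gc if e.user_principal_name and e.user_principal_name.lower() == upn.lower()]


def lookup_by_sam(login: str, gc=GLOBAL_CATALOG) -> list:
    """Equivalent of (sAMAccountName=<name>), optionally scoped as DOMAIN\\name."""
    domain, _, name = login.rpartition("\\")
    return [e for e in gc
            if e.sam_account_name.lower() == name.lower()
            and (not domain or e.domain.lower() == domain.lower())]


def resolve_unique(matches: list) -> GcEntry:
    """A realm must bind exactly one entry; zero or several matches is a failed login."""
    if len(matches) != 1:
        raise AmbiguousLogin(f"expected one entry, got {len(matches)}: {[e.dn for e in matches]}")
    return matches[0]
```

Run the lookups with `lookup_by_upn("jdoe@corp.example")` (two entries, so `resolve_unique` rejects it) and `lookup_by_sam("CORP\\jdoe")` (exactly one entry) to see the difference the report is pointing at.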