GitHub user gss2002 opened a pull request: https://github.com/apache/zeppelin/pull/1493
ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm

### What is this PR for?

Provides LdapRealm functionality similar to what Apache Knox provides. This is critical as in large enterprise environments Active Directory Global Catalogs are used for lookup with samAccountName, and using a DN Template is not an option as there are multiple OUs. Also, searching on "userPrincipalName" is risky in an AD environment since the explicit UPN vs. implicit UPN can be different; this is definitely the case with environments using Office 365. And the LDAP userPrincipalName attribute is the explicit UPN, which can be defined by the directory administrator to any value, and it can be duplicated. SamAccountName is unique per domain, and Microsoft states best practice is to not allow duplicate samAccountNames across the forest.

Information about samAccountName and userPrincipalName with Active Directory:

http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/

### What type of PR is it?

Improvement

### What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-1472

### How should this be tested?
shiro.ini:

```ini
[main]
ldapRealm = org.apache.zeppelin.server.LdapRealm
ldapRealm.contextFactory.systemUsername = CN=hdpbind,OU=Svc,DC=exadc,DC=w2k,DC=example,DC=com
ldapRealm.contextFactory.systemPassword = ldapPassword
ldapRealm.searchBase = dc=w2k,dc=example,dc=com
ldapRealm.userSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.groupSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.contextFactory.url = ldap://exampledc1.exadc.w2k.example.com:3268
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userObjectClass = user
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
securityManager.realms = $ldapRealm
```

### Questions:

* Do the license files need an update? n
* Are there breaking changes for older versions? n
* Does this need documentation? y

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gss2002/zeppelin master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/1493.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1493

----

commit 4b5963a2019f1fded13e6ce9942033101ef2acf1
Author: Initial Commit <gse...@apache.org>
Date: 2016-10-07T00:55:42Z

ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm Class

In our environment we attempted to use the ActiveDirectoryGroupRealm and the LdapGroupRealm, but unfortunately those implementations against Shiro do not support ADLDAP Global Catalog. Also, searching on "userPrincipalName" is risky in an AD environment since the explicit UPN vs. implicit UPN can be different. And the LDAP userPrincipalName attribute is the explicit UPN, which can be defined by the directory administrator to any value, and it can be duplicated.
SamAccountName is unique per domain, and Microsoft states best practice is to not allow duplicate samAccountNames per the forest. I have attached a semi-working modified KnoxLdapRealm which works against samAccountName and global catalog for auth.

http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
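As an added illustration (not code from this pull request, from Zeppelin or from Knox), the following Python models the lookup-then-bind step that a search-based realm configured with `userObjectClass` and `userSearchAttributeName` performs: it builds the search filter with the login name escaped per RFC 4515, requires exactly one matching entry before binding, and refuses an empty password. The in-memory `DIRECTORY`, the `Entry` class and the `resolve_user_dn`/`authenticate` helpers are constructed for this example and stand in for a real Global Catalog search and simple bind; the two constructed entries sharing a userPrincipalName model the duplicate-UPN case the description warns about, while the sAMAccountName lookup resolves cleanly.

```python
"""Model of the user lookup a search-based LDAP realm does before binding.

Added illustration, not Zeppelin or Knox code. DIRECTORY is a constructed
in-memory stand-in for an AD Global Catalog; a real realm would send the
filter over LDAP (port 3268 in the shiro.ini above) and bind as the found DN.
"""
from dataclasses import dataclass

# RFC 4515 escaping for values interpolated into a search filter, so a login
# name typed at the prompt cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(object_class: str, attr: str, value: str) -> str:
    """Filter equivalent to userObjectClass + userSearchAttributeName in shiro.ini."""
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(value)}))"


@dataclass
class Entry:
    dn: str
    attrs: dict       # attribute name -> single string value (simplified)
    password: str     # stand-in for the credential the directory checks on bind


class AmbiguousUserError(LookupError):
    """More than one entry matched: the attribute is not a safe login identifier."""


def resolve_user_dn(directory, attr: str, value: str):
    """Return the DN of the single entry whose `attr` equals `value`.

    AD compares these attributes case-insensitively. Returns None when nothing
    matches and raises AmbiguousUserError on more than one match, because
    binding as "whichever entry came first" would authenticate the wrong account.
    """
    matches = [e for e in directory if e.attrs.get(attr, "").lower() == value.lower()]
    if not matches:
        return None
    if len(matches) > 1:
        raise AmbiguousUserError(f"{len(matches)} entries have {attr}={value!r}")
    return matches[0].dn


def authenticate(directory, attr: str, username: str, password: str) -> bool:
    """Lookup-then-bind: resolve the DN by search, then bind with the user's password."""
    if not password:
        # Never forward an empty password: AD treats a bind with an empty
        # password as an anonymous (unauthenticated) bind that "succeeds".
        return False
    dn = resolve_user_dn(directory, attr, username)
    if dn is None:
        return False
    entry = next(e for e in directory if e.dn == dn)
    return entry.password == password   # stand-in for the simple bind


# Constructed sample directory: two accounts that share an explicit UPN.
DIRECTORY = [
    Entry("CN=Alice,OU=Users,DC=w2k,DC=example,DC=com",
          {"sAMAccountName": "alice", "userPrincipalName": "alice@example.com"}, "s3cret-a"),
    Entry("CN=Alice Admin,OU=Admins,DC=w2k,DC=example,DC=com",
          {"sAMAccountName": "alice.admin", "userPrincipalName": "alice@example.com"}, "s3cret-b"),
]

if __name__ == "__main__":
    print(build_user_filter("user", "sAMAccountName", "alice"))
    print(authenticate(DIRECTORY, "sAMAccountName", "alice", "s3cret-a"))
    try:
        authenticate(DIRECTORY, "userPrincipalName", "alice@example.com", "s3cret-a")
    except AmbiguousUserError as exc:
        print("refused:", exc)
```

The two checks worth carrying into any realm configuration review are the ones this model makes explicit: the search must return exactly one entry for the login attribute (which is why the description prefers sAMAccountName over userPrincipalName), and the search value must be escaped before it is interpolated into the filter.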