I haven’t used any alternative tools for logging into ldap to test your 
settings but you could look into:

https://share.polymail.io/v1/z/b/NThmN2ExZTk4NzM5/eIaecXfqzpvgJ4U4_otah9F6ocoNBr72ckozDNQV-5XVR4yWlzdcZx-ID2qZ1ad9vwYQJNTeWw4wPfcNe_zQzAMeavly76koV3RmZZnJ0JDjxO-2APSYgNnQMEsjvEAr16xkhyYzdcu-BxaX0xgWy8EHzEOx65D1XI6suxXIvRln6Y4KChBOA6f5TaIx8Eo3ONpQ6YsxWBhGECk=

https://share.polymail.io/v1/z/b/NThmN2ExZTk4NzM5/eIaecXfqzpvgJ4U4_otah9F6ocoNBr72ckozDNQV-5XVR4yWlzdcZx-ID2qZ1ad9vwYQJNTeWw4wPfcNe_zQzAMeavly76koV3RmZZnJ0JDjxO-2APSYgNnQMEsjvEAr16xkhyYzdcu-BxaX0wMI0poTi0mt9pD4VpesuhHH4EZn6IsFGwRCDLK3SSwhWAU7arJiRIzF0zrtDYHT3Cl_yamLbzshVmsJiNFq4mLGqm_r

The fact that your system user is found but not your personal account makes 
me suspicious of searchBase and groupRolesMap. 

Do you have “activeDirectoryRealm.searchBase” and 
“activeDirectoryRealm.groupRolesMap” appropriately enabled to match what your 
ldap server expects? 

For our ldap setup we use:

activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net

I also included:

activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science"

[roles]

data_science = data_science

[urls]

/api/interpreter/** = roles[data_science]

/** = authc 

Paul Brenner


On Wed, Apr 19, 2017 at 1:20 PM Knapp Michael <michael.kn...@capitalone.com> wrote:


My mac is configured to forbid installing software by unidentified developers.  
I cannot install jxplorer.  Is there an alternative?

 

The error is coming up when I try to login.  I tried using the principalSuffix, 
it did not change things.

 

I discovered a co-worker had LDAP working for a different LDAP server under 
different conditions.  He told me that he is logging in as the system account 
from the UI, which I had never tried or thought of before.  I was always using 
my personal username and password, and figured that the system account should 
just be used on the backend to interact with LDAP.

 

Is that the expected way for things to work?  Like the user should enter the 
system username and password on the front end instead of their own?  Because I 
don’t think that will be an acceptable long term solution in my case. 

 

I also noticed that if I add “admin = *” to my roles section, that alone breaks 
the application, and I have no idea why.  I’m having trouble finding 
documentation on what is expected in the roles section of the shiro file.

 

When I did get it to work:

· I was logging in as the system user on the front end.  Any other user fails.
· I did NOT have the principalSuffix defined, adding it seems to break things
· I was able to use ldap or ldaps.

 

 

 

 

 

From: Paul Brenner <pbren...@placeiq.com>
Reply-To: "users@zeppelin.apache.org" <users@zeppelin.apache.org>
Date: Wednesday, April 19, 2017 at 11:21 AM
To: "Knapp, Michael" <michael.kn...@capitalone.com>, "users@zeppelin.apache.org" <users@zeppelin.apache.org>
Cc: "Krishna, Krish" <krish.kris...@capitalone.com>
Subject: Re: struggling with LDAP

 

Have you tried downloading jxplorer (
https://share.polymail.io/v1/z/b/NThmNzdlMmY1M2Q4/4ULIk0PWssT9m_JkSH0DABBQXnzuCgzhWsyhnPBuhOSlesqCbWa29gOfWIHfzMl_KkcEjTygnnHE5ULbT4hkfGCo3ldYc1D21y4gr8tQkiH0VV8v4hCOt8a1pJ5LlTVrS5NQBpf6Ba77K4yf_NGEYgtOuXJp-BP4pCf4FLNHEXgWptDxLkamTAE=
) and confirming that you can connect to the ldaps server with your 
credentials? 

 

Also, when is this error coming up, at start up or when you try to login 
through zeppelin? When I switched to ldap instead of logging in as pbrenner for 
my user I had to use pbren...@corp.placeiq.net. Had to add 
“activeDirectoryRealm.principalSuffix” to shiro.ini to get around that. 


 

On Wed, Apr 19, 2017 at 11:07 AM Knapp Michael <michael.kn...@capitalone.com> wrote:

I think this got me one step closer.  I was getting an exception stating there 
was no trusted path to the ldap server.  Now I am getting the same exception as 
when I use non-secure LDAP, that I am “forbidden”.  I am getting ldap error 
code 49, data 52e.

 

From: Paul Brenner <pbren...@placeiq.com>
Reply-To: "users@zeppelin.apache.org" <users@zeppelin.apache.org>
Date: Tuesday, April 18, 2017 at 4:24 PM
To: "Knapp, Michael" <michael.kn...@capitalone.com>, "users@zeppelin.apache.org" <users@zeppelin.apache.org>
Cc: "Krishna, Krish" <krish.kris...@capitalone.com>
Subject: struggling with LDAP

 

BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

 

The information contained in this e-mail is confidential and/or proprietary to 
Capital One and/or its affiliates and may only be used solely in performance of 
work or services for Capital One. The information transmitted herewith is 
intended only for use by the individual or entity to which it is addressed. If 
the reader of this message is not the intended recipient, you are hereby 
notified that any review, retransmission, dissemination, distribution, copying 
or other use of, or taking of any action in reliance upon this information is 
strictly prohibited. If you have received this communication in error, please 
contact the sender and delete the material from your computer.
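
An offline check for the searchBase and groupRolesMap settings discussed in this thread, added here as an example; it is not code from the thread, Zeppelin or Shiro. It assumes the realm looks the user up beneath searchBase (subtree scope) and maps the entry's memberOf values through groupRolesMap; all DNs are constructed and the function names are hypothetical.

```python
# Added example. Every DN below is constructed sample data.
SEARCH_BASE = "OU=Departments,OU=Example,DC=corp,DC=example,DC=net"
GROUP = "CN=Data Science,OU=Security Groups,OU=Example,DC=corp,DC=example,DC=net"
GROUP_ROLES_MAP = {GROUP: "data_science"}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
            escaped = ch == "\\" and not escaped
    rdns.append(cur)
    return [a.strip().lower() + "=" + v.strip().lower()
            for a, _, v in (r.partition("=") for r in rdns)]

def under_search_base(entry_dn, search_base):
    """True when entry_dn sits at or below search_base (subtree scope)."""
    entry, base = split_dn(entry_dn), split_dn(search_base)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def match_roles(member_of, group_roles_map):
    """List (role, 'exact' or 'normalized') for each memberOf value that maps."""
    hits = []
    for group in member_of:
        for key, role in group_roles_map.items():
            if group == key:
                hits.append((role, "exact"))
            elif split_dn(group) == split_dn(key):
                hits.append((role, "normalized"))
    return hits

def diagnose(user_dn, member_of, required_role,
             search_base=SEARCH_BASE, group_roles_map=GROUP_ROLES_MAP):
    """Explain why a user would or would not receive required_role."""
    if not under_search_base(user_dn, search_base):
        return "user entry is outside searchBase"
    kinds = [k for r, k in match_roles(member_of, group_roles_map) if r == required_role]
    if not kinds:
        return "no memberOf group maps to " + required_role
    if "exact" not in kinds:
        return "group DN matches only after normalization"
    return "ok"
```

A "normalized"-only result means the group DN in groupRolesMap differs from the directory's memberOf value in case or spacing, which a realm that compares the strings exactly would not match.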
