Hi Paul, Knapp,

Please feel free to update the LDAP documentation if you would like to.
That would save many people!

The documentation (published on the Zeppelin website) is also part of the open-source
project, and you can update it by making a pull request. I think the related file is
https://github.com/apache/zeppelin/blob/master/docs/security/shiroauthentication.md#ldap
.
Let me know if you need help on making pull request.

Thanks,
moon

On Thu, Apr 20, 2017 at 3:18 PM Knapp, Michael <michael.kn...@capitalone.com>
wrote:

> I finally got LDAP to work.  This was one of the most difficult tasks I
> have ever had.  I spent about three weeks trying to make this work!
>
>
>
> One very hard lesson learned:  LDAP/JNDI code will not use the truststore
> that people pass into zeppelin-site.xml.  It will only use the JRE’s
> cacerts file.  This cost me so much time, it should definitely be mentioned
> in the Zeppelin documentation.
>
>
>
> I also think the documentation should offer more help on how to determine
> what values you need in the shiro.ini file.  I eventually figured out there
> was a principalSuffix I needed to use, but the value was not my first guess
> at all.  Some guidance on how to use ldapsearch would save people weeks of
> work here.
>
>
>
> Also the shiro logging is TERRIBLE!  It offers almost no help when it
> comes time to troubleshoot things and discover where it went wrong.  This
> is true even when it is set to trace.
>
>
> *From: *"Knapp, Michael" <michael.kn...@capitalone.com>
> *Reply-To: *"users@zeppelin.apache.org" <users@zeppelin.apache.org>
> *Date: *Wednesday, April 19, 2017 at 1:20 PM
> *To: *"users@zeppelin.apache.org" <users@zeppelin.apache.org>
>
>
> *Cc: *"Krishna, Krish" <krish.kris...@capitalone.com>
> *Subject: *Re: struggling with LDAP
>
>
>
> My mac is configured to forbid installing software by unidentified
> developers.  I cannot install jxplorer.  Is there an alternative?
>
>
>
> The error is coming up when I try to login.  I tried using the
> principalSuffix, it did not change things.
>
>
>
> I discovered a co-worker had LDAP working for a different LDAP server
> under different conditions.  He told me that he is logging in as the system
> account from the UI, which I had never tried or thought of before.  I was
> always using my personal username and password, and figured that the system
> account should just be used on the backend to interact with LDAP.
>
>
>
> Is that the expected way for things to work?  Like the user should enter
> the system username and password on the front end instead of their own?
> Because I don’t think that will be an acceptable long term solution in my
> case.
>
>
>
> I also noticed that if I add “admin = *” to my roles section, that alone
> breaks the application, and I have no idea why.  I’m having trouble finding
> documentation on what is expected in the roles section of the shiro file.
>
>
>
> When I did get it to work:
>
> - I was logging in as the system user on the front end.  Any
> other user fails.
>
> - I did NOT have the principalSuffix defined; adding it seems to
> break things.
>
> - I was able to use ldap or ldaps.
>
>
>
> *From: *Paul Brenner <pbren...@placeiq.com>
> *Reply-To: *"users@zeppelin.apache.org" <users@zeppelin.apache.org>
> *Date: *Wednesday, April 19, 2017 at 11:21 AM
> *To: *"Knapp, Michael" <michael.kn...@capitalone.com>, "
> users@zeppelin.apache.org" <users@zeppelin.apache.org>
> *Cc: *"Krishna, Krish" <krish.kris...@capitalone.com>
> *Subject: *Re: struggling with LDAP
>
>
>
>
> Have you tried downloading jxplorer (http://jxplorer.org/)
> and confirming that you can connect to the ldaps server with your
> credentials?
>
>
>
> Also, when is this error coming up, at start up or when you try to login
> through zeppelin? When I switched to ldap instead of logging in as pbrenner
> for my user I had to use pbren...@corp.placeiq.net. Had to add
> “activeDirectoryRealm.principalSuffix“ to shiro.ini to get around that.
>
> Paul Brenner
> DATA SCIENTIST, PlaceIQ
>
>
>
> On Wed, Apr 19, 2017 at 11:07 AM Knapp Michael <michael.kn...@capitalone.com> wrote:
>
>
> I think this got me one step closer.  I was getting an exception stating
> there was no trusted path to the ldap server.  Now I am getting the same
> exception as when I use non-secure LDAP, that I am “forbidden”.  I am
> getting ldap error code 49, data 52e.
>
>
>
> From: Paul Brenner <pbren...@placeiq.com>
> *Reply-To: *"users@zeppelin.apache.org" <users@zeppelin.apache.org>
> *Date: *Tuesday, April 18, 2017 at 4:24 PM
> *To: *"Knapp, Michael" <michael.kn...@capitalone.com>, "
> users@zeppelin.apache.org" <users@zeppelin.apache.org>
> *Cc: *"Krishna, Krish" <krish.kris...@capitalone.com>
> *Subject: *struggling with LDAP
>
>
>
> BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>
>
> ------------------------------
>
> The information contained in this e-mail is confidential and/or
> proprietary to Capital One and/or its affiliates and may only be used
> solely in performance of work or services for Capital One. The information
> transmitted herewith is intended only for use by the individual or entity
> to which it is addressed. If the reader of this message is not the intended
> recipient, you are hereby notified that any review, retransmission,
> dissemination, distribution, copying or other use of, or taking of any
> action in reliance upon this information is strictly prohibited. If you
> have received this communication in error, please contact the sender and
> delete the material from your computer.
>
>
>
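The two things the thread keeps tripping over, the bind-principal form (principalSuffix, "error code 49, data 52e") and the LDAPS trust store, as a small diagnostic added here; this is not code from the thread or from Zeppelin, the shiro.ini fragment is constructed, and the host names and suffix in it are assumptions.

```python
import configparser
import re

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials); the thread's
# "error code 49, data 52e" is the usual wrong-password / wrong-bind-name case.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or a bind name AD does not accept (check principalSuffix)",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password",
    "775": "account locked out",
}

ERROR_RE = re.compile(r"error code (\d+).*?data ([0-9a-f]{3})", re.IGNORECASE)

def explain_bind_error(message):
    """Turn an LDAP bind error string into a troubleshooting hint, or None if it does not parse."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    code, sub = m.group(1), m.group(2).lower()
    if code != "49":
        return f"LDAP result code {code}: not a credential failure, check url/searchBase first"
    return f"result 49 / data {sub}: {AD_BIND_SUBCODES.get(sub, 'unknown AD sub-code')}"

def check_realm(shiro_ini_text):
    """Read the activeDirectoryRealm settings from the shiro.ini [main] section and flag likely problems."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(shiro_ini_text)
    url = cp["main"].get("activeDirectoryRealm.url", "")
    suffix = cp["main"].get("activeDirectoryRealm.principalSuffix", "")
    findings = []
    if url.lower().startswith("ldaps://"):
        # JNDI ignores the zeppelin-site.xml truststore; the CA must be in the JRE cacerts
        # (or the store named by -Djavax.net.ssl.trustStore).
        findings.append("ldaps: server cert is checked against the JRE cacerts, not zeppelin-site.xml")
    else:
        findings.append("url is not ldaps://: bind credentials travel in clear text")
    if not suffix:
        # Shiro appends principalSuffix to the login name to form the bind principal.
        findings.append("no principalSuffix: bare login name is sent; AD usually wants user@DOMAIN")
    return {"url": url, "principalSuffix": suffix, "findings": findings}

# Constructed shiro.ini fragment for a stand-alone run (not any real site's config).
SAMPLE_INI = """\
[main]
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.searchBase = CN=Users,DC=corp,DC=example,DC=net
activeDirectoryRealm.url = ldaps://ldap.example.net:636
activeDirectoryRealm.principalSuffix = @corp.example.net
"""
```

Run `check_realm(SAMPLE_INI)` against your own shiro.ini text and `explain_bind_error(...)` on the exception text from the Zeppelin log; the "data" sub-code says far more than Shiro's own logging does.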
