Hi There, I too had some difficulty trying to get this to work. I compared your config to ours, it all appears to be fine. Only thing I can see we have different which might affect it, is this section:

activeDirectoryRealm.searchBase = "OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"

Instead we have something similar to:

activeDirectoryRealm.searchBase = DC=dattabot,DC=io

( I doubt the double quotes make any difference at all but that is how we have it )

Can you give that a try to see if it works?

On Wed, Jul 12, 2017 at 10:54 AM, bembi prima <bembi.pr...@dattabot.io> wrote:

> Hi,
>
> I managed to enable Active Directory by updating shiro.ini.
> But there is an issue coming from this. I cannot access the interpreter;
> no one can access the interpreter.
>
> This is my shiro.ini
>
> [users]
> # List of users with their password allowed to access Zeppelin.
> # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
> #bembi = password, admin
> #prima = password, user
>
> # Sample LDAP configuration, for user Authentication, currently tested for single Realm
> [main]
> ### A sample for configuring Active Directory Realm
> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = username
> activeDirectoryRealm.systemPassword = password
> activeDirectoryRealm.searchBase = "OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io"
> activeDirectoryRealm.url = ldap://1.2.3.4:389
> activeDirectoryRealm.groupRolesMap = "CN=Zeppelin-Admin,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"admin","CN=Zeppelin-User,OU=Zeppelin_Account,OU=Office,DC=dattabot,DC=io":"user"
> activeDirectoryRealm.authorizationCachingEnabled = false
> activeDirectoryRealm.principalSuffix= @dattabot.io
> securityManager.realms = $activeDirectoryRealm
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> ### If caching of user is required then uncomment below lines
> #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> #securityManager.cacheManager = $cacheManager
>
> securityManager.sessionManager = $sessionManager
> # 86,400,000 milliseconds = 24 hour
> securityManager.sessionManager.globalSessionTimeout = 86400000
> shiro.loginUrl = /api/login
>
> [roles]
> admin = admin
> user = user
>
> [urls]
> # This section is used for url-based security.
> # You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
> # anon means the access is anonymous.
> # authc means Form based Auth Security
> # To enforce security, comment the line below and uncomment the next one
> /api/version = anon
> /api/interpreter/** = authc, roles[admin]
> /api/configurations/** = authc, roles[admin]
> /api/credential/** = authc, roles[admin]
> #/** = anon
> /** = authc
>
> When I investigate the log file, it seems that the roles are not mapped
> correctly. This is the log when I use a static user:
> INFO [2017-07-12 09:48:23,137] ({qtp1211076369-78} NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30380
> WARN [2017-07-12 09:48:30,167] ({qtp1211076369-90} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi","ticket":"9596dd7a-1f60-4c4f-a66a-040b4135f54f",*"roles":"[admin]"*}}
>
> And this is the log when Active Directory is enabled:
> INFO [2017-07-12 09:49:52,063] ({qtp1211076369-18} NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30389
> WARN [2017-07-12 09:50:02,717] ({qtp1211076369-14} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi.prima","ticket":"0ec9a345-53a9-4220-bf5f-a68092cea673",*"roles":"[]"*}}
>
> --
> View this message in context: http://apache-zeppelin-users-incubating-mailing-list.75479.x6.nabble.com/Active-Directory-do-not-mapped-roles-correctly-tp5989.html
> Sent from the Apache Zeppelin Users (incubating) mailing list mailing list archive at Nabble.com.
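
Added example, not part of the original thread and not Zeppelin code: a Python check for the symptom in the quoted logs, a login that returns status OK with an empty roles list. The sample lines are constructed in the format of the LoginRestApi entries quoted above; the thread ids and ticket values are placeholders, and the function names are this example's own.

```python
import json
import re

# Constructed sample lines in the LoginRestApi log format quoted in the thread
# (thread ids and tickets are made-up placeholders).
SAMPLE_LOG = '''\
 INFO [2017-07-12 09:48:23,137] ({qtp1-78} NotebookServer.java[onOpen]:156) - New connection from 1.2.3.4 : 30380
 WARN [2017-07-12 09:48:30,167] ({qtp1-90} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi","ticket":"00000000-0000-0000-0000-000000000001","roles":"[admin]"}}
 WARN [2017-07-12 09:50:02,717] ({qtp1-14} LoginRestApi.java[postLogin]:115) - {"status":"OK","message":"","body":{"principal":"bembi.prima","ticket":"00000000-0000-0000-0000-000000000002","roles":"[]"}}
'''

LOGIN_LINE = re.compile(
    r"\[(?P<ts>[\d\- :,]+)\].*LoginRestApi\.java\[postLogin\]:\d+\) - (?P<json>\{.*\})\s*$"
)

def parse_roles(raw):
    """Turn the stringified list ("[admin, user]" or "[]") into a Python list."""
    inner = str(raw).strip().strip("[]")
    return [r.strip().strip('"') for r in inner.split(",") if r.strip()]

def logins(log_text):
    """Yield (timestamp, principal, roles) for each successful login response."""
    for line in log_text.splitlines():
        m = LOGIN_LINE.search(line)
        if not m:
            continue
        try:
            resp = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue  # truncated or line-wrapped entry; skip rather than guess
        body = resp.get("body") or {}
        if resp.get("status") == "OK" and isinstance(body, dict) and "principal" in body:
            yield m.group("ts"), body["principal"], parse_roles(body.get("roles", ""))

def roleless_logins(log_text):
    """Principals that authenticated but were mapped to no role."""
    return [(ts, who) for ts, who, roles in logins(log_text) if not roles]

if __name__ == "__main__":
    for ts, who in roleless_logins(SAMPLE_LOG):
        # With the [urls] section above, such a user is denied every roles[admin] URL.
        print(f"{ts} {who}: authenticated, but no role mapped")
```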