Which version of Zeppelin are you using? If it's 0.7, try 0.8. I remember seeing some issues fixed in 0.8 and in master regarding these AD/LDAP groups...
-- Ruslan Dautkhanov

On Mon, Jul 9, 2018 at 3:23 AM kolbertand...@gmail.com <kolbertand...@gmail.com> wrote:

> Hi,
>
> We've been trying to add the right shiro configuration to ensure that only a
> specific AD group can log in, and also to differentiate roles. We got two
> working solutions, but the first lets in everyone within the Active
> Directory (but the roles work fine), and the second does not let in everyone
> but the roles do not work.
>
> 1)
> This version works for adding roles to the specific CNs but allows
> everyone to log in.
>
> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
> activeDirectoryRealm.systemUsername = aduser
> activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
> activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
> activeDirectoryRealm.url = ldap://AD.domain.local:389
> activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
> activeDirectoryRealm.authorizationCachingEnabled = false
> activeDirectoryRealm.principalSuffix = @domain.local
> securityManager.realms = $activeDirectoryRealm
>
> 2)
> This version limits the login to the specified AD group, but does not
> associate roles with the group.
>
> ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
> ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
> ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
> ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
> ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
> ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
> ldapADGCRealm.groupObjectClass = group
> ldapADGCRealm.memberAttribute = memberUid
> ldapADGCRealm.groupIdAttribute = cn
> ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
> ldapADGCRealm.rolesByGroup = users: admin
> ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
> ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389
>
> Related posts:
>
> https://community.hortonworks.com/questions/54896/zeppelin-ad-users-not-binded-to-groups.html
> https://community.hortonworks.com/questions/82135/how-to-limit-access-to-zeppelin-webui-based-for-sp.html
>
> Any ideas where we go wrong?
>
> Thanks,
> Andras
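The two quoted configs answer two separate questions: config 2's userSearchFilter decides whether a login is accepted at all (the memberOf clause), while config 1's groupRolesMap decides which Shiro roles a user gets, keyed by full group DN. The script below is an added illustration of those two decisions run offline against constructed sample AD entries; it is not Zeppelin's or Shiro's code, does no LDAP bind or search, and the entry data (SAMPLE_AD), the group DNs and the helper names are all assumptions made for the example. It also shows the RFC 4515 escaping that the typed username substituted for {0} needs before it is spliced into a filter.

```python
"""Offline model of the two authorization questions in the thread:
(1) does the userSearchFilter admit this user (login restriction), and
(2) which Shiro roles does the user get from AD group membership.
Added example with constructed data; not Zeppelin's or Shiro's code."""

# Constructed sample entries in the shape AD returns them: a user's groups
# are the DN values of its memberOf attribute (AD stores DNs, not uid values).
SAMPLE_AD = {
    "alice": {
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=admins,OU=User Accounts,DC=domain,DC=local",
                     "CN=users,OU=User Accounts,DC=domain,DC=local"],
    },
    "bob": {
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=users,OU=User Accounts,DC=domain,DC=local"],
    },
    "svc-backup": {  # a real AD account that is outside the users group
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=Backup Operators,CN=Builtin,DC=domain,DC=local"],
    },
}

USERS_GROUP = "CN=users,OU=User Accounts,DC=domain,DC=local"

# Config 1 style: keyed by full group DN (groupRolesMap).
GROUP_ROLES_MAP = {"CN=admins,OU=User Accounts,DC=domain,DC=local": "admin"}
# Config 2 style: keyed by the group's cn (rolesByGroup), lower-cased here.
ROLES_BY_GROUP = {"users": "admin"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter.
    The username typed at login replaces {0}; unescaped, a value such as
    'x)(objectclass=*' would rewrite the filter instead of matching a name."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(username, required_group_dn):
    """The filter from config 2, with the username escaped before insertion."""
    return "(&(objectclass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), required_group_dn)


def dn_equal(a, b):
    """DNs compare case-insensitively, ignoring whitespace around RDN commas."""
    def norm(dn):
        return ",".join(part.strip().lower() for part in dn.split(","))
    return norm(a) == norm(b)


def login_allowed(username, directory, required_group_dn):
    """Model of the memberOf clause: the user search only returns the entry
    (and so the bind proceeds) if it carries the required group DN."""
    entry = directory.get(username)
    if entry is None or "user" not in entry["objectClass"]:
        return False
    return any(dn_equal(g, required_group_dn) for g in entry["memberOf"])


def roles_by_dn(username, directory, group_roles_map):
    """Config 1 style: match each memberOf DN against the map's DN keys."""
    entry = directory.get(username, {"memberOf": []})
    return {role for dn, role in group_roles_map.items()
            if any(dn_equal(dn, g) for g in entry["memberOf"])}


def group_cn(dn):
    """First RDN value of a group DN, e.g. 'users' from 'CN=users,OU=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def roles_by_cn(username, directory, roles_by_group):
    """Config 2 style: map the cn of each group the user belongs to."""
    entry = directory.get(username, {"memberOf": []})
    cns = (group_cn(g).lower() for g in entry["memberOf"])
    return {roles_by_group[cn] for cn in cns if cn in roles_by_group}


def access_decision(username, directory=SAMPLE_AD):
    """Both decisions for one user, side by side."""
    return {
        "login": login_allowed(username, directory, USERS_GROUP),
        "roles_by_dn": roles_by_dn(username, directory, GROUP_ROLES_MAP),
        "roles_by_cn": roles_by_cn(username, directory, ROLES_BY_GROUP),
    }


if __name__ == "__main__":
    for name in list(SAMPLE_AD) + ["nobody"]:
        print(name, access_decision(name))
```

Run as a script it prints, for each constructed user, whether the memberOf clause admits the login and which roles each of the two mapping styles would yield; alice gets "admin" under both styles, bob only under the cn-keyed style, and svc-backup is refused at the filter. The model keys group matching on full DNs because AD's member and memberOf attributes hold DNs, which is also why a DN-keyed map like config 1's groupRolesMap and a cn-keyed map like config 2's rolesByGroup can disagree for the same user.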