Unfortunately, none of these tickets seems to offer a solution. This post is pretty much related, and Predrag Minovic stated a solution, but we could not get it working yet.
https://community.hortonworks.com/questions/109655/how-to-configure-groups-and-roles-mapping-using-ld.html

On Mon, 9 Jul 2018 at 17:42, Ruslan Dautkhanov <dautkha...@gmail.com> wrote:

> These two committed fixes aren't in 0.8.0
> https://github.com/apache/zeppelin/pull/3045
> https://github.com/apache/zeppelin/pull/3037
> See if one of them is relevant to your issue.
>
> --
> Ruslan Dautkhanov
>
> On Mon, Jul 9, 2018 at 9:24 AM András Kolbert <kolbertand...@gmail.com> wrote:
>
>> The latest, 0.8
>>
>> On Mon, 9 Jul 2018, 17:21 Ruslan Dautkhanov, <dautkha...@gmail.com> wrote:
>>
>>> Which version of Zeppelin are you using?
>>> If it's 0.7, try 0.8. I remember seeing some issues were fixed in 0.8 and
>>> in master regarding these AD/LDAP groups...
>>>
>>> --
>>> Ruslan Dautkhanov
>>>
>>> On Mon, Jul 9, 2018 at 3:23 AM kolbertand...@gmail.com <kolbertand...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> We've been trying to add the right shiro configuration to ensure that a
>>>> specific AD group can only log in, and also differentiate roles. We got two
>>>> working solutions, but the first lets in everyone within the active
>>>> directory (but the roles work fine), the second does not let in everyone
>>>> but the roles do not work.
>>>>
>>>> 1)
>>>> This version works for adding roles to the specific CNs but allows
>>>> everyone to login.
>>>>
>>>> activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
>>>> activeDirectoryRealm.systemUsername = aduser
>>>> activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks
>>>> activeDirectoryRealm.searchBase = OU=User Accounts,DC=domain,DC=local
>>>> activeDirectoryRealm.url = ldap://AD.domain.local:389
>>>> activeDirectoryRealm.groupRolesMap = "CN=admins,OU=User Accounts,DC=domain,DC=local":"admin"
>>>> activeDirectoryRealm.authorizationCachingEnabled = false
>>>> activeDirectoryRealm.principalSuffix = @domain.local
>>>> securityManager.realms = $activeDirectoryRealm
>>>>
>>>> 2)
>>>> This version limits down the login to the specified AD group, but does
>>>> not associate roles with the group.
>>>>
>>>> ldapADGCRealm = org.apache.zeppelin.realm.LdapRealm
>>>> ldapADGCRealm.contextFactory.systemUsername = aduser@domain.local
>>>> ldapADGCRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelinldap.jceks
>>>> ldapADGCRealm.searchBase = "OU=User Accounts,DC=domain,DC=local"
>>>> ldapADGCRealm.userSearchBase = "OU=User Accounts,DC=domain,DC=local"
>>>> ldapADGCRealm.groupSearchBase = "OU=User Accounts,DC=domain,DC=local"
>>>> ldapADGCRealm.groupObjectClass = group
>>>> ldapADGCRealm.memberAttribute = memberUid
>>>> ldapADGCRealm.groupIdAttribute = cn
>>>> ldapADGCRealm.groupSearchEnableMatchingRuleInChain = true
>>>> ldapADGCRealm.rolesByGroup = users: admin
>>>> ldapADGCRealm.userSearchFilter = (&(objectclass=user)(sAMAccountName={0})(memberOf=CN=users,OU=User Accounts,DC=domain,DC=local))
>>>> ldapADGCRealm.contextFactory.url = ldap://AD.domain.local:389 (edited)
>>>>
>>>> Related posts:
>>>>
>>>> https://community.hortonworks.com/questions/54896/zeppelin-ad-users-not-binded-to-groups.html
>>>>
>>>> https://community.hortonworks.com/questions/82135/how-to-limit-access-to-zeppelin-webui-based-for-sp.html
>>>>
>>>> Any ideas where we go wrong?
>>>>
>>>> Thanks,
>>>> Andras