Hi Eyal, I think this should be your search base:

    ldapRealm.groupSearchBase = "OU=OpenstackGroups,DC=kenshooprd,DC=local"

and you should comment out `ldapRealm.rolesByGroup = bigdata: admin`.

On Mon, Oct 29, 2018 at 12:21 PM Eyal Hashai <eyal.has...@kenshoo.com> wrote:

> Hello,
>
> I've connected my Zeppelin server via LDAP for user authentication.
> This works fine for auth; the problem is that I can't figure out how roles are attached to a user. I need to set the "bigdata" group as admins.
> Over the past week I have tried many different configurations and searched online for a solution without success.
>
> Does anyone have experience with this?
> Any information or link would be highly appreciated!
>
> Thank you
>
> shiro.ini:
>
>     ### A sample for configuring LDAP Directory Realm
>     ldapRealm = org.apache.zeppelin.realm.LdapRealm
>     ldapRealm.contextFactory.url = ldap://1.2.3.4:389
>     ldapRealm.userDnTemplate = {0}@kenshooprd.local
>     ldapRealm.contextFactory.authenticationMechanism = simple
>     ldapRealm.contextFactory.systemUsername = "ldap@kenshooprd.local"
>     ldapRealm.contextFactory.systemPassword = XXXXXXX
>     ldapRealm.authorizationEnabled = true
>     ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>     ldapRealm.rolesByGroup = bigdata: admin
>     ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
>     securityManager.realms = $ldapRealm
>     ldapRealm.groupSearchEnableMatchingRuleInChain = true
>
> Logs:
>
>     TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:126) - get() - in thread [qtp1418428263-15 - /api/login]
>     TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} ThreadContext.java[get]:133) - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [qtp1418428263-15 - /api/login]
>     TRACE [2018-10-29 09:45:40,171] ({qtp1418428263-15 - /api/login} DelegatingSubject.java[getSession]:317) - attempting to get session; create = false; session is null = false; session has id = true
>     TRACE [2018-10-29 09:45:40,172] ({qtp1418428263-15 - /api/login} AbstractValidatingSessionManager.java[doGetSession]:116) - Attempting to retrieve session with key org.apache.shiro.web.session.mgt.WebSessionKey@2573f425
>     WARN [2018-10-29 09:45:40,175] ({qtp1418428263-15 - /api/login} LoginRestApi.java[postLogin]:206) - {"status":"OK","message":"","body":{"principal":"eyalh","ticket":"217d1409-f078-4424-bf8b-ccbef561d817","roles":"[]"}}
>     DEBUG [2018-10-29 09:45:40,177] ({qtp1418428263-15 - /api/login} HttpConnection.java[process]:657) - org.eclipse.jetty.server.HttpConnection$SendCallback@1e3b792a[PROCESSING][i=ResponseInfo{HTTP/1.1 200 OK,118,false},cb=org.eclipse.jetty.server.HttpChannel$CommitCallback@1eabc124] generate: NEED_HEADER (null,[p=0,l=118,c=8192,r=118],true)@START
>     DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[parse]:257) - SERVER Parsed Frame: TEXT[len=109,fin=true,rsv=...,masked=true]
>     DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} Parser.java[notifyFrame]:186) - SERVER Notify ExtensionStack[queueSize=0,extensions=[],incoming=org.eclipse.jetty.websocket.common.WebSocketSession,outgoing=org.eclipse.jetty.websocket.server.WebSocketServerConnection]
>     DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} AbstractEventDriver.java[incomingFrame]:103) - incomingFrame(TEXT[len=109,fin=true,rsv=...,masked=true])
>     DEBUG [2018-10-29 09:45:40,327] ({qtp1418428263-12} NotebookServer.java[onMessage]:160) - RECEIVE << LIST_CONFIGURATIONS, RECEIVE PRINCIPAL << eyalh, RECEIVE TICKET << 217d1409-f078-4424-bf8b-ccbef561d817, RECEIVE ROLES << [], RECEIVE DATA << null
>     TRACE [2018-10-29 09:45:40,328] ({qtp1418428263-12} NotebookServer.java[onMessage]:167) - RECEIVE MSG = Message{data=null, op=LIST_CONFIGURATIONS}
>     DEBUG [2018-10-29 09:45:40,335] ({qtp1418428263-12} WebSocketRemoteEndpoint.java[sendString]:385) - sendString with HeapByteBuffer@5710df12[p=0,l=6199,c=6199,r=6199]={<<<{\n "op": "CONFIG... "roles": ""\n}>>>}
>     DEBUG [2018-10-29 09:45:40,337] ({qtp1418428263-12} ExtensionStack.java[outgoingFrame]:288) - Queuing TEXT[len=6199,fin=true,rsv=...,masked=false]
>
> LDAP settings for user:
>
>     [root@ecstgbhdp02-zeppelin conf]# ldapsearch -x -LLL -h 1.2.3.4 -D ldap@kenshooprd.local -w xxxxx -b "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local"
>     dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>     objectClass: top
>     objectClass: group
>     cn: bigdata
>     member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
>     distinguishedName: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
>     instanceType: 4
>     whenCreated: 20161129171457.0Z
>     whenChanged: 20181004121722.0Z
>     uSNCreated: 93111898
>     uSNChanged: 276782631
>     name: bigdata
>     objectGUID:: bBMye2mox0+hDkddqds1+g==
>     objectSid:: AQUAAAAAAAUVAAAAMtw+IXjVu14XG9q7IEEAAA==
>     sAMAccountName: bigdata
>     sAMAccountType: 268435456
>     groupType: -2147483646
>     objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=kenshooprd,DC=local
>     dSCorePropagationData: 20170723142935.0Z
>     dSCorePropagationData: 20170723142620.0Z
>     dSCorePropagationData: 16010101000417.0Z
>
> --
> Eyal Hashai
> Database Administrator - Big Data Team // Kenshoo
> Office +972 (3) 746-6500 x552 // Mobile +972 (50) 404-0473
> eyal.has...@kenshoo.com
> www.Kenshoo.com <http://kenshoo.com/>

--
Take Care
Fawze Abujaber
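The following is an added example, not code from this thread or from Zeppelin/Shiro. It lints the posted realm settings the way a reviewer would before restarting the server: it flags the duplicated rolesByGroup key and the groupSearchBase that carries a group:role mapping instead of a plain DN, parses the ldapsearch LDIF (including the base64 `::` attributes), and then runs a toy role resolver over the group entry with the posted search base and with the corrected one. The resolver's matching rules (a group under the search base that lists the user DN as member, looked up in the mapping by CN or by full DN) and the accepted mapping syntaxes are assumptions made for the example, not a description of LdapRealm's internals.

```python
import base64
import re

# Constructed sample, taken from the ldapsearch output in the thread
# (timestamp and USN attributes omitted because they do not affect membership).
SAMPLE_LDIF = """\
dn: CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local
objectClass: top
objectClass: group
cn: bigdata
member: CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local
sAMAccountName: bigdata
objectGUID:: bBMye2mox0+hDkddqds1+g==
"""

# Constructed sample: the realm lines exactly as posted in the question.
SAMPLE_SHIRO = """\
ldapRealm = org.apache.zeppelin.realm.LdapRealm
ldapRealm.authorizationEnabled = true
ldapRealm.rolesByGroup = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
ldapRealm.rolesByGroup = bigdata: admin
ldapRealm.groupSearchBase = "CN=bigdata,OU=OpenstackGroups,DC=kenshooprd,DC=local":"admin"
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")
MAPPING_QUOTED = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')   # "DN":"role"
MAPPING_BARE = re.compile(r"([^,:\s][^,:]*?)\s*:\s*([^,\s]+)")  # name: role


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.
    A '::' separator marks a base64 value (binary attributes such as objectGUID)."""
    entry = {}
    for line in text.splitlines():
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        entry.setdefault(attr, []).append(base64.b64decode(value) if sep == "::" else value)
    return entry


def parse_shiro_lines(text):
    """Collect 'key = value' lines; every value is kept so duplicate keys stay visible."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def norm_dn(dn):
    """Case-fold a DN and strip surrounding quotes and spaces after commas (assumed normalisation)."""
    return dn.strip().strip('"').lower().replace(", ", ",")


def parse_roles_by_group(value):
    """Accept both mapping forms seen in the thread (assumed syntax): "DN":"role" and name: role."""
    pairs = MAPPING_QUOTED.findall(value) or MAPPING_BARE.findall(value)
    return {norm_dn(k): v.strip() for k, v in pairs}


def dn_under(dn, base):
    """True when dn equals base or lies beneath it in the tree."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def lint_realm_settings(settings):
    """Human-readable findings for the two mistakes visible in the posted config."""
    findings = []
    for key, values in settings.items():
        if len(values) > 1:
            findings.append(f"{key} is set {len(values)} times; at most one value can win")
    for base in settings.get("ldapRealm.groupSearchBase", []):
        if MAPPING_QUOTED.search(base):
            findings.append("ldapRealm.groupSearchBase carries a group:role mapping; it should be a plain DN")
    return findings


def roles_for_user(user_dn, groups, roles_by_group, group_search_base):
    """Toy resolver (assumption): a user gets a role when a group under the search base
    lists the user as a member and the mapping names that group by CN or by full DN."""
    roles = set()
    user = norm_dn(user_dn)
    for g in groups:
        dn = g["dn"][0]
        if not dn_under(dn, group_search_base):
            continue
        if user not in {norm_dn(m) for m in g.get("member", [])}:
            continue
        for key in (g["cn"][0].lower(), norm_dn(dn)):
            if key in roles_by_group:
                roles.add(roles_by_group[key])
    return sorted(roles)


def check_posted_config():
    """Lint the posted settings, then resolve roles with the posted and the corrected search base."""
    settings = parse_shiro_lines(SAMPLE_SHIRO)
    group = parse_ldif(SAMPLE_LDIF)
    user = "CN=Eyal Hashai,CN=Users,DC=kenshooprd,DC=local"
    mapping = parse_roles_by_group(settings["ldapRealm.rolesByGroup"][-1])  # last value wins here
    before = roles_for_user(user, [group], mapping, settings["ldapRealm.groupSearchBase"][-1])
    after = roles_for_user(user, [group], mapping, "OU=OpenstackGroups,DC=kenshooprd,DC=local")
    return {"findings": lint_realm_settings(settings), "before": before, "after": after}


if __name__ == "__main__":
    for name, result in check_posted_config().items():
        print(name, result)
```

With the posted base the toy resolver finds no group at all, which mirrors the empty `roles: []` in the login log; with the OU as the search base, the `bigdata` group is found beneath it and the member is mapped to `admin` whichever of the two mapping forms is kept.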