Hi everyone, I'm experiencing exactly same problem with Zeppelin 0.6.0 It shiro plugin lets everyone in and it cannot be limited by searchbase. Here is an example of my config. In fact it lets everyone in from OU=Users.
[main] ### A sample for configuring Active Directory Realm activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm activeDirectoryRealm.systemUsername = userNameA activeDirectoryRealm.systemPassword = passwordA activeDirectoryRealm.searchBase = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local" activeDirectoryRealm.principalSuffix = @companyname.local activeDirectoryRealm.url = ldap://ldap-server.local:389 activeDirectoryRealm.groupRolesMap = "CN=Notebook Owner,OU=Software Development,OU=Users,DC=companyname,DC=local":"admin" activeDirectoryRealm.authorizationCachingEnabled = false securityManager.realms = $activeDirectoryRealm sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login Could you please take care of this issue. We are seriously blocked by it, but really want to start using 0.6.0 Cheers Thanks Polina Marasanova ________________________________________ From: Weipu Zhao [zhaoweipu....@gmail.com] Sent: Sunday, 21 August 2016 4:37 AM To: d...@zeppelin.incubator.apache.org; us...@zeppelin.incubator.apache.org Subject: ActiveDirectoryGroupRealm.java allows user outside of searchBase to login Hi guys, When using org.apache.zeppelin.server.ActiveDirectoryGroupRealm as my shiro realm on v0.6.0, I have trouble understanding the searchBase config. My understanding was shiro should only allow user within that searchBase to login, but seems like not the case. When I trace the code of ActiveDirectoryGroupRealm.java, the only place searchBase was used is in method getRoleNamesForUser<https://github.com/apache/zeppelin/blob/v0.6.0/zeppelin-server/src/main/java/org/apache/zeppelin/server/ActiveDirectoryGroupRealm.java#L162> , if the user is not inside searchBase, a empty roleNames will be return and without any exception, thus the user will be login I guess? I'm not sure if this is expected behaviour or not. I also tried the v0.6.1 and seems also have same behaviour. In general I just want to restrict user only in certain groups of ActiveDirectory to be able to login. Is that possible without rewriting our own Realm? Thanks, Weipu
