Github user rja1 commented on the issue:

    https://github.com/apache/zeppelin/pull/986
  
    Thanks once again @prabhjyotsingh.  I really appreciate your work. The 
activeDirectoryRealm.principalSuffix works now.  I do have some concerns about 
the number of ldap calls made and the amount of data pulled back.
    
     It looks like the app:
    1) makes ldap bindRequest as n...@mydomain.com and fails.
    2) makes ldap bindRequest as usern...@mydomain.com and succeeds.
    3) makes a bindRequest as activedirectoryrealm.systemusern...@mydomain.com 
and succeeds
    4) does a searchRequest for the wholeSubTree
    
    Step 4 pulls back about 5 MB of data, which is a lot.  It could add quite a lot 
of load to AD if lots of users are simultaneously using the UI...  I can limit 
the result set by more fully qualifying the activeDirectoryRealm.searchBase; 
however, then it seems to miss the group data.  Seems like there should really 
just be a couple of lightweight calls:
    1) bind the username
    2) pull back the group memberships for username (if step one was a success).
    
    Not sure if there's a more concise way to make these queries in java.  I 
can do it via command line the following way: ldapsearch -xLLL -h ldapServer -b 
"dc=company,dc=com" -D "CN=LDAP Bind,OU=Special,Accounts,DC=company,DC=com" -W 
uid=randerson.  This returns everything about the uid: randerson, including all 
group memberships.  The total size of the data is 60k... 
    
    In addition, my groups / roles are still not mapped to my username, 
regardless of whether the app searches the whole tree or not.  I'm not sure why.  
Perhaps I've missed something along the way.  
    
    Here's my shiro.ini:
    
    [main]
    activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = username
    activeDirectoryRealm.systemPassword = password
    activeDirectoryRealm.searchBase = dc=company,dc=com
    activeDirectoryRealm.url = ldap://server:389
    activeDirectoryRealm.groupRolesMap = "cn=g.acl.ops.bigdata,ou=unix 
groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
    activeDirectoryRealm.authorizationCachingEnabled=false
    activeDirectoryRealm.principalSuffix=@DOMAIN.COM
    shiro.loginUrl = /api/login
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
    
    [roles]
    admin = *
    
    [urls]
    /api/version = anon
    /** = authc
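The two-call sequence rja1 asks for (bind as the user, then fetch only that user's group memberships) is sketched below in plain JNDI. This is an added illustration written for this page, not code from the Zeppelin ActiveDirectoryGroupRealm or the PR under discussion; the class name, the `sAMAccountName` filter, and the command-line arguments are assumptions. It deliberately requests only the `memberOf` attribute and passes the username as a filter argument so that JNDI escapes it, rather than concatenating it into the filter string.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Hypothetical helper (not part of Zeppelin): authenticate with one bind, then
// read the user's group DNs with one narrowly scoped search.
public class TwoCallAdLookup {

    public static List<String> authenticateAndFetchGroups(String url, String searchBase,
            String sAMAccountName, String principalSuffix, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // prefer ldaps:// so the simple bind is not in clear text
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, sAMAccountName + principalSuffix); // e.g. user@DOMAIN.COM
        env.put(Context.SECURITY_CREDENTIALS, password);

        // Call 1: the bind itself is the authentication. A wrong password throws
        // AuthenticationException here, so no system account is needed for this step.
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"memberOf"}); // only the attribute we need
            ctls.setCountLimit(1);                                   // exactly one user object expected

            // {0} is substituted by JNDI with RFC 4515 escaping applied, so a
            // username containing '*', '(', ')' or '\' cannot alter the filter.
            String filter = "(&(objectClass=user)(sAMAccountName={0}))";

            // Call 2: fetch the group DNs for the user who just bound.
            NamingEnumeration<SearchResult> results =
                    ctx.search(searchBase, filter, new Object[] {sAMAccountName}, ctls);
            List<String> groups = new ArrayList<>();
            try {
                while (results.hasMore()) {
                    SearchResult r = results.next();
                    Attribute memberOf = r.getAttributes().get("memberOf");
                    if (memberOf == null) {
                        break; // user exists but is in no (non-primary) groups
                    }
                    for (int i = 0; i < memberOf.size(); i++) {
                        groups.add((String) memberOf.get(i));
                    }
                }
            } finally {
                results.close();
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    // Usage: java TwoCallAdLookup ldaps://server:636 dc=company,dc=com randerson @DOMAIN.COM <password>
    public static void main(String[] args) throws NamingException {
        if (args.length != 5) {
            System.err.println("args: <url> <searchBase> <sAMAccountName> <principalSuffix> <password>");
            System.exit(2);
        }
        for (String dn : authenticateAndFetchGroups(args[0], args[1], args[2], args[3], args[4])) {
            System.out.println(dn);
        }
    }
}
```

Two caveats for anyone adapting this: `memberOf` lists direct, non-primary group memberships only, so a `groupRolesMap` keyed on a group the user belongs to through nesting (or via the primary group) will not match unless the search is extended with AD's `LDAP_MATCHING_RULE_IN_CHAIN` (`memberOf:1.2.840.113556.1.4.1941:=<groupDN>`) or the primary group is resolved separately; and reading `memberOf` under the user's own credentials assumes the directory lets authenticated users read that attribute on their own object, which is the AD default but may be restricted in hardened domains.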

