GitHub user rja1 commented on the issue:

    https://github.com/apache/zeppelin/pull/986

Thanks once again @prabhjyotsingh. I really appreciate your work. The activeDirectoryRealm.principalSuffix works now.

I do have some concerns about the number of ldap calls made and the amount of data pulled back. It looks like the app:

1) makes ldap bindRequest as n...@mydomain.com and fails.
2) makes ldap bindRequest as usern...@mydomain.com and succeeds.
3) makes a bindRequest as activedirectoryrealm.systemusern...@mydomain.com and succeeds.
4) does a searchRequest for the wholeSubTree.

Step 4 pulls back about 5mb of data, which is a lot. Could add quite a lot of load to AD, if lots of users are simultaneously using the UI... I can limit the result set by more fully qualifying the activeDirectoryRealm.searchBase, however, then it seems to miss the group data.

Seems like there should really just be a couple lightweight calls:

1) bind the username
2) pull back the group memberships for username (if step one was a success).

Not sure if there's a more concise way to make these queries in Java. I can do it via command line the following way:

    ldapsearch -xLLL -h ldapServer -b "dc=company,dc=com" -D "CN=LDAP Bind,OU=Special,Accounts,DC=company,DC=com" -W uid=randerson

This returns everything about the uid: randerson, including all group memberships. The total size of the data is 60k...

In addition, my groups / roles are still not mapped to my username, regardless of whether the app searches the whole tree or not. I'm not sure why. Perhaps I've missed something along the way.
Here's my shiro.ini:

    [main]
    activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = username
    activeDirectoryRealm.systemPassword = password
    activeDirectoryRealm.searchBase = dc=company,dc=com
    activeDirectoryRealm.url = ldap://server:389
    activeDirectoryRealm.groupRolesMap = "cn=g.acl.ops.bigdata,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com":"admin"
    activeDirectoryRealm.authorizationCachingEnabled=false
    activeDirectoryRealm.principalSuffix=@DOMAIN.COM
    shiro.loginUrl = /api/login
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login

    [roles]
    admin = *

    [urls]
    /api/version = anon
    /** = authc
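The narrow lookup the comment asks for (one search for the logged-in account that returns only memberOf, then a match against groupRolesMap), sketched with plain JNDI as an added example; it is not part of the original comment and not Zeppelin's or Shiro's code. The class and method names are hypothetical, the uid filter mirrors the ldapsearch above, and ctx is assumed to be a DirContext that has already been bound.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;

public class ScopedGroupLookup {              // hypothetical name, added example
    // One search, one entry, one attribute: only memberOf comes back over the wire.
    static List<String> memberOf(DirContext ctx, String searchBase, String user)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        sc.setCountLimit(1);                  // a single account entry is expected
        List<String> groups = new ArrayList<>();
        // {0} is substituted by JNDI with filter escaping, so characters such as
        // '*' or ')' typed into the login form cannot change the filter.
        NamingEnumeration<SearchResult> res =
                ctx.search(searchBase, "(uid={0})", new Object[] {user}, sc);
        try {
            if (res.hasMore()) {
                Attribute a = res.next().getAttributes().get("memberOf");
                for (int i = 0; a != null && i < a.size(); i++) {
                    groups.add((String) a.get(i));
                }
            }
        } finally {
            res.close();
        }
        return groups;
    }

    // Compare group DNs as parsed LDAP names rather than raw strings.
    static Set<String> roles(List<String> groupDns, Map<String, String> groupRolesMap)
            throws InvalidNameException {
        Set<String> out = new TreeSet<>();
        for (String dn : groupDns) {
            LdapName have = new LdapName(dn);
            for (Map.Entry<String, String> e : groupRolesMap.entrySet()) {
                if (have.equals(new LdapName(e.getKey()))) out.add(e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> map = new HashMap<>();   // key taken from the shiro.ini above
        map.put("cn=g.acl.ops.bigdata,ou=unix groups,ou=groups,ou=accounts,cn=users,dc=company,dc=com", "admin");
        List<String> constructed = Arrays.asList(    // constructed memberOf values, no server needed
            "CN=g.acl.ops.bigdata,OU=Unix Groups,OU=Groups,OU=Accounts,CN=Users,DC=company,DC=com",
            "CN=Other,DC=company,DC=com");
        System.out.println(roles(constructed, map));
    }
}
```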