GitHub user VipinRathor reopened a pull request: https://github.com/apache/zeppelin/pull/2414
[ZEPPELIN-2657] Add group search filter option to LdapRealm ### What is this PR for? Problem: While performing LDAP authentication, current Shiro module does a group=* search while trying to get group-to-role mapping for any LDAP user. On a large LDAP directory, this is a serious problem which might render RolesByGroup feature not working as expected. Fix: Currently while doing LDAP authentication, there is no available option to limit the group search results to the only groups that user is interested in. This bug addresses the same and adds group search filter to Shiro configuration for LdapRealm which will allow user to define a search filter and limit the group search results. ### What type of PR is it? Improvement ### What is the Jira issue? * [ZEPPELIN-2657] https://issues.apache.org/jira/browse/ZEPPELIN-2657 ### How should this be tested? 1. Use org.apache.zeppelin.realm.LdapRealm as Shiro realm 2. In the shiro_ini configruation, define a group search filter like this: ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0})) or ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(cn=zeppelin-users*)) 3. Also define other LdapRealm parameters as necessary like rolesByGroup etc. 4. When an LDAP user, who is part of the group that matches filter above, logs in, then the roles are applied. If the LDAP user is not part these defined groups, then the roles are not applied. ### Questions: * Does the licenses files need update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? N/A You can merge this pull request into a Git repository by running: $ git pull https://github.com/VipinRathor/zeppelin ZEPPELIN-2657 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/zeppelin/pull/2414.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2414 ---- commit ba0412c8bcc57dd8e8efb25419c151c6b699d74d Author: Vipin Rathor <v.rat...@gmail.com> Date: 2017-06-15T19:13:21Z ZEPPELIN-2657 Add group search filter option to LdapRealm This commit adds a new option to LdapReam to limit group search in LDAP. ---- --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---