Github user ChrisMcVey commented on the issue:
https://github.com/apache/zeppelin/pull/986
FYI... I have been having similar issues and above and until reading this
thread in detail did I realize it is searching against userPrincipalName and
not sAMAccountName which is a better option.
Above it is mentioned the builtin user filter/subsearch is
"(&(objectClass=*)(userPrincipalName=user1))"
However, if a user ever runs ktpass on AD to export a keytab with a
different principal name, the userPrincipalName can end up differing from
sAMAccountName.
It does not make sense to authenticate users via sAMAccountName
successfully, then search for them again using a *different* AD property
userPrincipalName... especially when these can differ. userPrincipalName is
set for Kerberos which is not always gonna to be consistent with LDAP logins
which is what AD provider is doing.
Spent a lot of time scratching my head! Thanks for the detailed post above
about the search filter. I'm quite certain my case where sAMAccountName
differs from UPN is the exception to the rule but there is no reason not to
match these up just in case.
Best Regards
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
