[GitHub] zeppelin pull request #1493: ZEPPELIN-1472 - Create new LdapRealm based on A...

2016-10-13 Thread gss2002
Github user gss2002 closed the pull request at:

https://github.com/apache/zeppelin/pull/1493


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] zeppelin pull request #1493: ZEPPELIN-1472 - Create new LdapRealm based on A...

2016-10-06 Thread gss2002
GitHub user gss2002 opened a pull request:

https://github.com/apache/zeppelin/pull/1493

ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm

### What is this PR for?
Provides LdapRealm functionality similar to what Apache Knox provides. This 
is critical, as in large enterprise environments Active Directory Global 
Catalogs are used for lookup with sAMAccountName, and using a DN template is not 
an option as there are multiple OUs. Also, searching on "userPrincipalName" is 
risky in an AD environment since the explicit UPN vs. implicit UPN can be 
different; this is definitely the case with environments using Office 365. And 
the LDAP userPrincipalName attribute is the explicit UPN, which can be defined 
by the directory administrator to any value and can be duplicated. 
sAMAccountName is unique per domain, and Microsoft states best practice is to 
not allow duplicate sAMAccountNames across the forest. 

Information about sAMAccountName and userPrincipalName with Active Directory:

http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores

https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
 
### What type of PR is it?
Improvement

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-1472

### How should this be tested?
shiro.ini

```ini
[main]
ldapRealm = org.apache.zeppelin.server.LdapRealm
# service (system) account used for the user and group searches; the user's own
# password is only used for the second bind, against the DN the search returned
ldapRealm.contextFactory.systemUsername = CN=hdpbind,OU=Svc,DC=exadc,DC=w2k,DC=example,DC=com
ldapRealm.contextFactory.systemPassword = ldapPassword
ldapRealm.searchBase = dc=w2k,dc=example,dc=com
ldapRealm.userSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.groupSearchBase = dc=w2k,dc=example,dc=com
# 3268 is the Global Catalog port, so the search spans the whole forest rather than
# a single domain; plain ldap:// sends both simple-bind passwords in the clear, so
# use ldaps:// (GC port 3269) outside a test setup
ldapRealm.contextFactory.url = ldap://exampledc1.exadc.w2k.example.com:3268
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userObjectClass = user
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
securityManager.realms = $ldapRealm
```


### Questions:
* Do the license files need updating? n
* Are there breaking changes for older versions? n
* Does this need documentation? y


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gss2002/zeppelin master

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/1493.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1493


commit 4b5963a2019f1fded13e6ce9942033101ef2acf1
Author: Initial Commit 
Date:   2016-10-07T00:55:42Z

ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm Class

In our environment we attempted to use the ActiveDirectoryGroupRealm and
the LdapGroupRealm, but unfortunately those implementations against Shiro
do not support AD LDAP Global Catalog. Also, searching on
"userPrincipalName" is risky in an AD environment since the explicit UPN
vs. implicit UPN can be different. And the LDAP userPrincipalName
attribute is the explicit UPN, which can be defined by the directory
administrator to any value and can be duplicated. sAMAccountName is
unique per domain, and Microsoft states best practice is to not allow
duplicate sAMAccountNames across the forest. I have attached a
semi-working modified KnoxLdapRealm which works against sAMAccountName
and Global Catalog for auth.

http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores

https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/


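What the realm configured in this PR does at login, as an added example that is not part of the PR, of Zeppelin or of Knox: a Python model (chosen so it runs without a directory server) of search-then-bind against a constructed in-memory forest. The directory entries, passwords, the `AuthResult` class and the helper names are assumptions made for illustration. It shows the user search by sAMAccountName under a forest-wide base (what a Global Catalog on port 3268 gives you), the refusal to authenticate when that search is ambiguous (the duplicate-sAMAccountName-across-domains case the description warns about), RFC 4515 escaping of the login name before it is interpolated into the filter, and the rejection of empty passwords, which a simple bind would otherwise treat as an unauthenticated bind.

```python
"""Added example (not Zeppelin or Knox code): a Python model of the search-then-bind
flow an LdapRealm performs with the shiro.ini above, against a constructed in-memory
directory so it runs offline. Entries, passwords and helper names are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
USER = ["top", "person", "user"]

# Constructed sample forest as a Global Catalog (port 3268) exposes it: two domains
# under dc=w2k,dc=example,dc=com, with the sAMAccountName "bob" duplicated across them.
DIRECTORY: Dict[str, Entry] = {
    "CN=alice,OU=Users,DC=exadc,DC=w2k,DC=example,DC=com":
        {"objectClass": USER, "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    "CN=bob,OU=Eng,OU=Users,DC=exadc,DC=w2k,DC=example,DC=com":
        {"objectClass": USER, "sAMAccountName": ["bob"], "userPassword": ["bob-pw"]},
    "CN=bob,OU=Users,DC=other,DC=w2k,DC=example,DC=com":
        {"objectClass": USER, "sAMAccountName": ["bob"], "userPassword": ["other-bob-pw"]},
    "CN=zeppelin-admins,OU=Groups,DC=exadc,DC=w2k,DC=example,DC=com":
        {"objectClass": ["top", "group"],
         "member": ["CN=alice,OU=Users,DC=exadc,DC=w2k,DC=example,DC=com"]},
}
REALM = {  # the relevant settings from the PR's shiro.ini
    "userSearchBase": "dc=w2k,dc=example,dc=com", "groupSearchBase": "dc=w2k,dc=example,dc=com",
    "userSearchAttributeName": "sAMAccountName", "userObjectClass": "user",
    "groupObjectClass": "group", "memberAttribute": "member",
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter; without it a
    login name such as '*' turns the exact-match filter into a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Parse the filter subset (&...) and (attr=value) starting at f[i] == '('; an
    unescaped '*' in a value is a wildcard, everything else (incl. \\2a) is literal."""
    if f[i + 1] == "&":
        kids, j = [], i + 2
        while f[j] != ")":
            node, j = _parse(f, j)
            kids.append(node)
        return ("and", kids), j + 1
    j = f.index(")", i)
    attr, _, raw = f[i + 1:j].partition("=")
    pat = "".join(".*" if p == "*" else re.escape(_unescape(p)) for p in re.split(r"(\*)", raw))
    return ("eq", attr, re.compile("^" + pat + "$", re.IGNORECASE)), j + 1

def _values(entry: Entry, attr: str) -> List[str]:
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _matches(node: tuple, entry: Entry) -> bool:
    if node[0] == "and":
        return all(_matches(k, entry) for k in node[1])
    return any(node[2].match(v) for v in _values(entry, node[1]))

def search(base: str, filter_str: str) -> List[str]:
    """Subtree search under base; returns matching DNs (done with the system bind)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("malformed filter: %r" % filter_str)
    base = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, e)]

def bind(dn: str, password: str) -> bool:
    """Simple bind. AD treats an empty password as an *unauthenticated* bind by default,
    which succeeds without proving anything, so an empty password is refused here."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and password in _values(entry, "userPassword")

@dataclass
class AuthResult:
    ok: bool
    reason: str
    dn: str = ""
    groups: List[str] = field(default_factory=list)

def authenticate(username: str, password: str) -> AuthResult:
    """1) sAMAccountName -> DN under userSearchBase (forest-wide on a GC); 2) refuse an
    ambiguous result instead of binding to the first hit; 3) bind as that DN; 4) groups."""
    if not password:
        return AuthResult(False, "empty password refused (would be an unauthenticated bind)")
    user_filter = "(&(objectClass=%s)(%s=%s))" % (
        REALM["userObjectClass"], REALM["userSearchAttributeName"], escape_filter_value(username))
    dns = search(REALM["userSearchBase"], user_filter)
    if len(dns) != 1:
        return AuthResult(False, "ambiguous or unknown user: %d matches for %s" % (len(dns), user_filter))
    if not bind(dns[0], password):
        return AuthResult(False, "bind failed for %s" % dns[0])
    group_filter = "(&(objectClass=%s)(%s=%s))" % (
        REALM["groupObjectClass"], REALM["memberAttribute"], escape_filter_value(dns[0]))
    return AuthResult(True, "ok", dns[0], search(REALM["groupSearchBase"], group_filter))

if __name__ == "__main__":
    for u, p in [("alice", "alice-pw"), ("bob", "bob-pw"), ("*", "alice-pw"), ("alice", "")]:
        print(u, "->", authenticate(u, p))
```

Running it prints one line per outcome: alice succeeds with her group, bob is refused because the forest-wide search returns two DNs, `*` is refused because it was escaped to `\2a` and matches nobody, and the empty password never reaches the bind. With a real server the same four checks apply unchanged; only `search` and `bind` become directory calls, and if the realm searches a single domain (port 389) instead of the GC, the duplicate case disappears but so does cross-domain lookup.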