GitHub user gss2002 opened a pull request:
https://github.com/apache/zeppelin/pull/1493
ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm
### What is this PR for?
Provides LdapRealm Functionality similar to what Apache Knox provides. This
is critical as in large enterprise environments Active Directory Global
Catalogs are used for lookup with samAccountName and using a DN Template is not
an option as there are multiple OUs. Also searching on "userPrincipalName" is
risky in an AD environment since the explicit UPN vs Implicit UPN can be
different; this is definitely the case with environments using Office 365. And
the LDAP userPrincipalName attribute is the explicit UPN which can be defined
by the directory administrator to any value and it can be duplicated.
SamAccountName is unique per domain and Microsoft states best practice is to
not allow duplicate samAccountNames across the forest.
Information about samAccountName and userPrincipalName with ActiveDirectory
http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
### What type of PR is it?
Improvement
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-1472
### How should this be tested?
shiro.ini

```ini
[main]
ldapRealm = org.apache.zeppelin.server.LdapRealm
ldapRealm.contextFactory.systemUsername = CN=hdpbind,OU=Svc,DC=exadc,DC=w2k,DC=example,DC=com
ldapRealm.contextFactory.systemPassword = ldapPassword
ldapRealm.searchBase = dc=w2k,dc=example,dc=com
ldapRealm.userSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.groupSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.contextFactory.url = ldap://exampledc1.exadc.w2k.example.com:3268
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.contextFactory.authenticationMechanism = simple
ldapRealm.userObjectClass = user
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
securityManager.realms = $ldapRealm
```
### Questions:
* Does the licenses files need update? n
* Is there breaking changes for older versions? n
* Does this needs documentation? y
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gss2002/zeppelin master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1493.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1493
commit 4b5963a2019f1fded13e6ce9942033101ef2acf1
Author: Initial Commit
Date: 2016-10-07T00:55:42Z
ZEPPELIN-1472 - Create new LdapRealm based on Apache Knox LdapRealm Class
In our environment we attempted to use the ActiveDirectoryGroupRealm and
the LdapGroupRealm but unfortunately those implementations against Shiro
do not support ADLDAP Global Catalog. Also searching on
"userPrincipalName" is risky in an AD environment since the explicit UPN
vs Implicit UPN can be different. And the LDAP userPrincipalName
attribute is the explicit UPN which can be defined by the directory
administrator to any value and it can be duplicated. SamAccountName is
unique per domain and Microsoft states best practice is to not allow
duplicate samAccountNames per the forest. I have attached a
semi-working modified KnoxLdapRealm which works against samAccountName
and global catalog for auth.
http://windowsitpro.com/active-directory/q-does-samaccountname-object-have-be-unique-active-directory-domain-or-entire-fores
https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1/
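As an added illustration (not code from the PR or from Zeppelin), the Python below reads a shiro.ini fragment modelled on the test configuration above, derives the user and group search filters such a realm would issue from the `userObjectClass`, `userSearchAttributeName`, `groupObjectClass` and `memberAttribute` settings, and checks that the `contextFactory.url` points at a Global Catalog port (3268/3269) so sAMAccountName lookups can span the forest. The filter shape is an assumption about how the realm composes its query, and the login value is escaped per RFC 4515 so a submitted username cannot change the filter's structure.

```python
import re
from configparser import ConfigParser

# Constructed shiro.ini fragment mirroring the PR's test settings (not a real deployment).
SHIRO_INI = """
[main]
ldapRealm = org.apache.zeppelin.server.LdapRealm
ldapRealm.contextFactory.url = ldap://exampledc1.exadc.w2k.example.com:3268
ldapRealm.userSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.groupSearchBase = dc=w2k,dc=example,dc=com
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.userObjectClass = user
ldapRealm.groupObjectClass = group
ldapRealm.memberAttribute = member
"""

# RFC 4515 escapes: characters that would otherwise alter filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_realm(ini_text: str, prefix: str = "ldapRealm") -> dict:
    """Return the 'prefix.*' keys of [main] as a dict keyed by the sub-property name."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so sAMAccountName is preserved as written
    cp.read_string(ini_text)
    return {k[len(prefix) + 1:]: v for k, v in cp["main"].items() if k.startswith(prefix + ".")}


def user_search_filter(realm: dict, login: str) -> str:
    """Assumed shape of the user lookup: objectClass AND the configured login attribute."""
    return (f"(&(objectClass={realm['userObjectClass']})"
            f"({realm['userSearchAttributeName']}={escape_filter_value(login)}))")


def group_search_filter(realm: dict, user_dn: str) -> str:
    """Assumed shape of the group lookup: groups whose member attribute holds the user DN."""
    return (f"(&(objectClass={realm['groupObjectClass']})"
            f"({realm['memberAttribute']}={escape_filter_value(user_dn)}))")


def uses_global_catalog(realm: dict) -> bool:
    """True when the realm URL targets the AD Global Catalog (3268 plain, 3269 TLS)."""
    m = re.match(r"ldaps?://[^:/]+:(\d+)", realm["contextFactory.url"])
    return bool(m) and m.group(1) in ("3268", "3269")
```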