Wow, we just set up ldaps today, good timing.

First we got everything working with just ldap (not secure). Then all we had to 
do was generate keys for the latest version of java we had installed:

    openssl s_client -connect piq-corp-100.corp.placeiq.net:636 < /dev/null \
      | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

    /usr/java/latest/bin/keytool -import -alias piq-corp-100.corp.placeiq.net \
      -keystore /usr/java/latest/jre/lib/security/cacerts -file ./public.crt

And then everything worked fine. I definitely didn’t touch zeppelin-site.xml.

Here is our shiro.ini in case that helps. It is possible that we set up some 
additional conf elsewhere that would be relevant but I’m having trouble 
thinking of anything.

    [users]

    [main]
    #activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
    activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
    activeDirectoryRealm.systemUsername = our username
    activeDirectoryRealm.systemPassword = our password
    activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
    activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
    activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
    activeDirectoryRealm.authorizationCachingEnabled = true
    activeDirectoryRealm.principalSuffix = @corp.placeiq.net
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    securityManager.sessionManager = $sessionManager
    securityManager.sessionManager.globalSessionTimeout = 86400000
    shiro.loginUrl = /api/login
    securityManager.realm = $activeDirectoryRealm

    [roles]
    data_science = data_science
    engineering = engineering
    infra = infra
    tech_heads = tech_heads
    reporting = reporting

    [urls]
    /api/version = anon
    /api/interpreter/** = roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
    #/** = anon
    /** = authc

Paul Brenner


DATA SCIENTIST
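As an added example (my own script, not code from Paul's reply or from the Zeppelin project), here is a POSIX shell version of the two commands above that generalizes them: instead of capturing only the leaf certificate, it asks `openssl s_client -showcerts` for the whole chain, splits it into one PEM file per certificate, and imports each into the JVM trust store under its own alias. Trusting the issuing CA rather than the server's leaf certificate means the import survives the next certificate renewal. Host, port, output directory, trust-store path, password (`changeit` is the JDK default for cacerts) and alias prefix are placeholders; the sample `s_client` output used to exercise the splitter is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: split an LDAPS server's certificate chain into PEM files and
# import every certificate into a JVM trust store. Not from the original thread.

# Read `openssl s_client -showcerts` output on stdin and write each
# "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block to
# $1/cert-N.pem. Prints the number of certificates written. Text between the
# blocks (s_client chatter, "depth=" lines, session info) is ignored.
split_pem_chain() {    # usage: split_pem_chain outdir < s_client-output
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    '
}

# Fetch the full chain from HOST:PORT (placeholder) and split it into OUTDIR.
# Network call; only run when the script is invoked with arguments.
fetch_chain() {        # usage: fetch_chain host port outdir
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        split_pem_chain "$3"
}

# Import every cert-N.pem from PEMDIR into the JKS trust store at STORE,
# one alias per file, then list the alias back to confirm the import.
# Needs keytool on PATH; store path, password and alias prefix are placeholders.
import_chain() {       # usage: import_chain pemdir store storepass alias-prefix
    for pem in "$1"/cert-*.pem; do
        alias="$4-$(basename "$pem" .pem)"
        keytool -importcert -noprompt -alias "$alias" \
            -keystore "$2" -storepass "$3" -file "$pem"
        keytool -list -keystore "$2" -storepass "$3" -alias "$alias"
    done
}

# Entry point: ./fetch-chain.sh HOST PORT [OUTDIR]; nothing runs without arguments.
if [ "$#" -ge 2 ]; then
    n=$(fetch_chain "$1" "$2" "${3:-./chain}")
    echo "wrote $n certificate(s) from $1:$2 to ${3:-./chain}"
fi
```

After `fetch_chain`, look at the last file written (the highest `cert-N.pem`): with `-showcerts` that is the top of the chain the server sent, and it is the one worth importing with `import_chain` if the server's CA is not already in the store.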

On Tue, Apr 18, 2017 at 3:13 PM Knapp Michael <michael.kn...@capitalone.com> wrote:


Hi,

 

I have been struggling for weeks to get LDAP to work in Zeppelin now.  
Unfortunately for me, I cannot use websockets unless also using LDAP for 
authentication.  So if I use the anonymous user, I just get a blank home page.  
Zeppelin leaves no configuration option to disable web sockets.  My company has 
their own cert authority, which I have added to my trust store.

 

When I try logging in to Zeppelin using my LDAP, I get 
“SunCertPathBuilderException: unable to find valid certification path to 
requested target”. I have attached the full stack trace. Note that I am using 
ldaps over 636. Basically it’s like saying that my trust store does not 
identify my LDAP server as a trusted web server. I am certain that my JKS file 
is configured right; I have had a co-worker double-check it for me.

 

To troubleshoot, we did:

    export JAVA_OPTS='-Djavax.net.debug=all'

 

Now we are seeing all of the SSL verbose logs in the zeppelin--…..out file. 

 

I was surprised to see this:

    …
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: /application/jdk1.8.0_101/jre/lib/security/cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    …

 

So it looks like the application is not truly using the trust store I have 
configured. I have this in my zeppelin-site.xml:

 

    <property>
        <name>zeppelin.ssl.truststore.path</name>
        <value>/application/zeppelin/conf/zeppelin-truststore.jks</value>
        <description>Path to truststore relative to Zeppelin configuration directory. Defaults to the keystore path</description>
    </property>

 

It seems to me like the key and trust store are not getting used to connect to 
the LDAP server.

 

Other factors:

- I am using a corporate proxy
- I have dockerized Zeppelin

 

Unrelated comments:

- Every time I want to test a change in Zeppelin, the NPMInstaller wastes a 
  minute of my life trying to download some files. It fails every time, and it 
  prints a stack trace in my logs every time. I would like to disable it, but I 
  looked through your code and there is no way to do it. Your code also does not 
  provide any opportunity to configure a proxy, so there is no chance this would 
  work for me. I am even thinking of making a pull request to fix this; it’s 
  quite annoying. I don’t know why the authors assume that other people are ok 
  with this pattern.

- I am also getting an exception in the logs stating: No operation matching 
  request path "/api/login;JSESSIONID=92e79cbe-9113-473d-b76a-165666c3f221" is 
  found. Is this a bug in Zeppelin?

 

 

Does anybody know why this is not working?  Or how I can fix it? 

 

Michael Knapp
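An added check (my own script, not part of Michael's message or of Zeppelin) for the trust-store question raised above. `zeppelin.ssl.truststore.path` configures the trust store of Zeppelin's own Jetty HTTPS listener; the Shiro realm's outbound LDAPS connection is made by the JNDI LDAP client, which uses the JVM's default JSSE trust store (`javax.net.ssl.trustStore`, falling back to `$JAVA_HOME/jre/lib/security/cacerts`). That is exactly what the `-Djavax.net.debug=all` output above reports. The script parses that debug output to confirm which store the JVM really loaded, prints the `-Djavax.net.ssl.trustStore` options that point the JVM at the custom JKS (to be appended to the JAVA_OPTS used in the debug step), and, as an optional network check, exports a CA from the JKS and validates the LDAPS server's chain against it with `openssl s_client`. Log path, store path, password, host, port and alias are placeholders; the debug-log lines fed to the test are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: confirm which trust store the JVM actually loaded for outbound
# TLS and check an LDAPS server against a JKS trust store. Not from the thread.

# Extract the trust store path from `-Djavax.net.debug=all` output. The debug
# output writes "trustStore is: <path>" (the keyStore line has a space before
# the colon, so both spellings are accepted). Prints nothing if absent.
debug_truststore_path() {    # usage: debug_truststore_path debug-log
    sed -n 's/^trustStore is *: *//p' "$1" | head -n 1
}

# Succeed only if the JVM loaded EXPECTED; otherwise report the mismatch.
# A mismatch here means a JKS configured elsewhere (e.g. in zeppelin-site.xml)
# is not the one the LDAP client will validate the server against.
check_truststore() {         # usage: check_truststore debug-log expected-path
    actual=$(debug_truststore_path "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: JVM loaded the expected trust store: $actual"
        return 0
    fi
    echo "MISMATCH: JVM loaded '${actual:-<none>}', expected '$2'" >&2
    return 1
}

# JVM options that make the custom JKS the default JSSE trust store, which is
# the store the JNDI/LDAP client uses. Store path and password are placeholders.
java_truststore_opts() {     # usage: java_truststore_opts jks-path storepass
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
                   "-Djavax.net.ssl.trustStorePassword=$2"
}

# Read `openssl s_client` output on stdin; succeed only on a clean verify,
# the openssl-side equivalent of the JVM's certification-path check.
s_client_verify_ok() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# Export one CA from the JKS and validate the server's chain against it.
# Network call; needs keytool and openssl on PATH. All arguments are placeholders.
verify_ldaps_against_store() {  # usage: host port jks storepass alias
    capem=$(mktemp)
    keytool -exportcert -rfc -keystore "$3" -storepass "$4" -alias "$5" > "$capem"
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$capem" \
        </dev/null 2>/dev/null | s_client_verify_ok
    status=$?
    rm -f "$capem"
    return $status
}

# Entry point: ./check-truststore.sh DEBUG-LOG EXPECTED-PATH; nothing runs otherwise.
if [ "$#" -eq 2 ]; then
    check_truststore "$1" "$2"
fi
```

If `check_truststore` reports the JDK's `cacerts` while the custom JKS was expected, either import the CA into that `cacerts` (as in the reply above) or start Zeppelin with the output of `java_truststore_opts` added to its JVM options; `verify_ldaps_against_store` then shows whether the store contents, independent of the JVM, are sufficient to validate the server.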
