I finally got LDAP to work. This was one of the most difficult tasks I have ever had. I spent about three weeks trying to make this work!
One very hard lesson learned: LDAP/JNDI code will not use the truststore that people pass into zeppelin-site.xml. It will only use the JRE’s cacerts file. This cost me so much time, it should definitely be mentioned in the Zeppelin documentation. I also think the documentation should offer more help on how to determine what values you need in the shiro.ini file. I eventually figured out there was a principalSuffix I needed to use, but the value was not my first guess at all. Some guidance on how to use ldapsearch would save people weeks of work here. Also the shiro logging is TERRIBLE! It offers almost no help when it comes time to troubleshoot things and discover where it went wrong. This is true even when it is set to trace. From: "Knapp, Michael" <michael.kn...@capitalone.com> Reply-To: "users@zeppelin.apache.org" <users@zeppelin.apache.org> Date: Wednesday, April 19, 2017 at 1:20 PM To: "users@zeppelin.apache.org" <users@zeppelin.apache.org> Cc: "Krishna, Krish" <krish.kris...@capitalone.com> Subject: Re: struggling with LDAP My mac is configured to forbid installing software by unidentified developers. I cannot install jxplorer. Is there an alternative? The error is coming up when I try to login. I tried using the principalSuffix, it did not change things. I discovered a co-worker had LDAP working for a different LDAP server under different conditions. He told me that he is logging in as the system account from the UI, which I had never tried or thought of before. I was always using my personal username and password, and figured that the system account should just be used on the backend to interact with LDAP. Is that the expected way for things to work? Like the user should enter the system username and password on the front end instead of their own? Because I don’t think that will be an acceptable long term solution in my case. I also noticed that if I add “admin = *” to my roles section, that alone breaks the application, and I have no idea why. I’m having trouble finding documentation on what is expected in the roles section of the shiro file. When I did get it to work: · I was logging in as the system user on the front end. Any other user fails. · I did NOT have the principalSuffix defined, adding it seems to break things · I was able to use ldap or ldaps. From: Paul Brenner <pbren...@placeiq.com> Reply-To: "users@zeppelin.apache.org" <users@zeppelin.apache.org> Date: Wednesday, April 19, 2017 at 11:21 AM To: "Knapp, Michael" <michael.kn...@capitalone.com>, "users@zeppelin.apache.org" <users@zeppelin.apache.org> Cc: "Krishna, Krish" <krish.kris...@capitalone.com> Subject: Re: struggling with LDAP [ttps://share.polymail.io/v2/z/a/NThmNzdlMmY1M2Q4/4ULIk0PWssT9m_JkSH0DABBQXnzuCgzhdMyhnPBuhOSlesqCbWa29gO] Have you tried downloading jxplorer (http://jxplorer.org/<https://share.polymail.io/v1/z/b/NThmNzdlMmY1M2Q4/4ULIk0PWssT9m_JkSH0DABBQXnzuCgzhWsyhnPBuhOSlesqCbWa29gOfWIHfzMl_KkcEjTygnnHE5ULbT4hkfGCo3ldYc1D21y4gr8tQkiH0VV8v4hCOt8a1pJ5LlTVrS5NQBpf6Ba77K4yf_NGEYgtOuXJp-BP4pCf4FLNHEXgWptDxLkamTAE=>) and confirming that you can connect to the ldaps server with your credentials? Also, when is this error coming up, at start up or when you try to login through zeppelin? When I switched to ldap instead of logging in as pbrenner for my user I had to use pbren...@corp.placeiq.net. Had to add “activeDirectoryRealm.principalSuffix“ to shiro.ini to get around that. [ttps://ci3.googleusercontent.com/proxy/tFn1I-GEOnccUtv8DHHEc49-6g3x3CbuQKzbfl2Z1BObEy0Qz6QebJimpP96TK3Za]<http://www.placeiq.com/> Paul Brenner [ttps://ci4.googleusercontent.com/proxy/490PXYv9O6OiIp_DL4vuabJqVn53fMon5xNYZdftCVea9ySR2LcFDHe6Cdntb2G68]<https://twitter.com/placeiq> [ttps://ci3.googleusercontent.com/proxy/fztHf1lRKLQYcAxebqfp2PYXCwVap3GobHVIbyp0j3NcuJOY16bUAZBibVOFf-fd1]<https://www.facebook.com/PlaceIQ> [ttps://ci5.googleusercontent.com/proxy/H26ThD7R6DOqxoLTgzi6k5SMrHoF2Tj44xI_7XlD9KfOIiGwe1WIMc5iQBxUBA9Eu]<https://www.linkedin.com/company/placeiq> DATA SCIENTIST (217) 390-3033 [ceIQ:Location Data Accuracy]<http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-offering-that-delivers-access-to-the-highest-quality-location-data-for-insights-that-fuel-limitless-business-decisions/> On Wed, Apr 19, 2017 at 11:07 AM Knapp Michael <Knapp Michael <mailto:knapp%20michael%20%3cmichael.kn...@capitalone.com%3e> > wrote: I think this got me one step closer. I was getting an exception stating there was no trusted path to the ldap server. Now I am getting the same exception as when I use non-secure LDAP, that I am “forbidden”. I am getting ldap error code 49, data 52e. From: Paul Brenner <pbren...@placeiq.com> Reply-To: "users@zeppelin.apache.org" <users@zeppelin.apache.org> Date: Tuesday, April 18, 2017 at 4:24 PM To: "Knapp, Michael" <michael.kn...@capitalone.com>, "users@zeppelin.apache.org" <users@zeppelin.apache.org> Cc: "Krishna, Krish" <krish.kris...@capitalone.com> Subject: struggling with LDAP BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt ________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. ________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. ________________________________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
