Zeppelin Shiro LDAP Configuration

I am attempting to restrict access to zeppelin based on an AD group or organizational unit. However, I am unsuccessful with my configuration.

I have an active directory implemented using Simple AD in AWS and the domain is called corp.example.com

I created three users, two groups, one organizational unit.

The groups are called Access and NoAccess. The users are called AccessUser1, NoAccessUser1, AccessOrgUser1. The organizational unit is called AccessOrg.

AccessUser1 is a memberOf Access. NoAccessUser1 is a memberOf NoAccess. AccessOrgUser1 is created under the OU AccessOrg.

I am able to log in using any user with the following configuration:

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm.contextFactory.url = ldap://<UrlHere>
ldapRealm.contextFactory.authenticationMechanism = simple

I am unable to log in using any user with the following configuration:

### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
ldapRealm.contextFactory.url = ldap://<UrlHere>
ldapRealm.userDnTemplate = uid={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM
ldapRealm.contextFactory.authenticationMechanism = simple

You do not need to configure [users] or [roles] as those are for basic authentication.

You will need to configure the activeDirectoryRealm options and the ldapRealm options (referring to: https://zeppelin.apache.org/docs/0.6.2/security/shiroauthentication.html#5-groups-and-permissions-optional).

Change

uid={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM

to

CN={0},ou=Users,dc=CORP,dc=EXAMPLE,dc=COM

You will also need to populate activeDirectoryRealm.systemUsername and activeDirectoryRealm.systemPassword.

This will allow you to designate groups from your AD that can log in.
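
A shiro.ini fragment illustrating the group restriction the answer describes, added here as an example and not taken from the original post or the Zeppelin project. The bind account, the group DN (assumed to sit under the search base used in the question) and the role name `access` are assumptions to replace with your directory's values.

```ini
[main]
# Added example: placeholders in <...> and the DNs below are assumptions.
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://<UrlHere>

# Service account the realm binds with to look up group membership.
activeDirectoryRealm.systemUsername = <bind-account>
activeDirectoryRealm.systemPassword = <bind-password>

# Where users and their memberOf groups are searched.
activeDirectoryRealm.searchBase = ou=Users,dc=CORP,dc=EXAMPLE,dc=COM

# Map the AD group's DN to a Shiro role name (here: "access").
activeDirectoryRealm.groupRolesMap = "CN=Access,ou=Users,dc=CORP,dc=EXAMPLE,dc=COM":"access"

# Re-check membership on each request instead of caching it, so removing
# a user from the group takes effect without a restart.
activeDirectoryRealm.authorizationCachingEnabled = false

[urls]
# Version endpoint stays anonymous; everything else needs a login AND the role.
/api/version = anon
/** = authc, roles[access]
```

With `roles[access]` on `/**`, a user who authenticates but is not in the mapped group (NoAccessUser1 in the question's setup) passes `authc` and then fails the role check.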
