I am trying to configure ldap authentication in Zeppelin notebook. I have specified ldap server and other configurations by following this link. However, when I try to login I got following error:
ERROR [2019-12-23 17:52:12,196] ({qtp1580893732-66} LoginRestApi.java[proceedToLogin]:172) - Exception in login:
org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:371)
at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
... 78 more
WARN [2019-12-23 17:52:12,197] ({qtp1580893732-66} LoginRestApi.java[postLogin]:206) - {"status":"FORBIDDEN","message":"","body":""}
Here is the shiro.ini file
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://10.16.0.113:389
ldapRealm.userDnTemplate=uid={0},ou=Users,dc=domain,dc=org,dc=com
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.authorizationEnabled=true
#ldapRealm.contextFactory.systemAuthenticationMechanism=simple
ldapRealm.searchBase=dc=domain,dc=org,dc=com
ldapRealm.userSearchBase=dc=domain,dc=org,dc=com
ldapRealm.groupSearchBase=ou=Users,dc=domain,dc=org,dc=com
ldapRealm.groupObjectClass=groupofnames
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute=member
# force usernames returned from ldap to lowercase useful for AD
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.memberAttributeValueTemplate=cn={0},ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemUsername=uid=domain\digital.banking,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemPassword=Password1
securityManager.realms = $ldapRealm
Where am I going wrong. I need some assistance
I have followed documentation from Cloudera (Configuring Apache Zeppelin Security). It seems I had to use "ActiveDirectoryRealm" instead of "LDAPRealm" Added following configurations in shiro.ini and it was up and running:
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://address:389
activeDirectoryRealm.searchBase = DC=domain,DC=org,DC=com
activeDirectoryRealm.principalSuffix = @domain.org.com
securityManager.realms = $activeDirectoryRealm