Posted to users@zeppelin.apache.org by "Knapp, Michael" <Mi...@capitalone.com> on 2017/04/18 19:13:31 UTC

struggling with LDAP

Hi,

I have been struggling for weeks to get LDAP to work in Zeppelin now.  Unfortunately for me, I cannot use websockets unless also using LDAP for authentication.  So if I use the anonymous user, I just get a blank home page.  Zeppelin leaves no configuration option to disable web sockets.  My company has their own cert authority, which I have added to my trust store.

When I try logging in to Zeppelin using my LDAP, I get “SunCertPathBuilderException: unable to find valid certification path to requested target”.  I have attached the full stack trace.  Note that I am using ldaps over 636.  Basically it’s like saying that my trust store does not identify my LDAP server as a trusted web server.  I am certain that my JKS file is configured right, I have had a co-worker double check it for me.

To troubleshoot, we did:
export JAVA_OPTS='-Djavax.net.debug=all'

Now we are seeing all of the SSL verbose logs in the zeppelin--…..out file.

I was surprised to see this:
…
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /application/jdk1.8.0_101/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
…

So it looks like the application is not truly using the trust store I have configured. I have this in my zeppelin-site.xml:

    <property>
        <name>zeppelin.ssl.truststore.path</name>
        <value>/application/zeppelin/conf/zeppelin-truststore.jks</value>
        <description>Path to truststore relative to Zeppelin configuration directory. Defaults to the keystore path</description>
    </property>

It seems to me like the key and trust store are not getting used to connect to the LDAP server.

Other factors:

·         I am using a corporate proxy

·         I have dockerized Zeppelin

Unrelated comments:

·         Every time I want to test a change in Zeppelin, the NPMInstaller wastes a minute of my life trying to download some files.  It fails every time, and it prints a stack trace in my logs every time.  I would like to disable it, but I looked through your code, there is no way to do it.  Your code also does not provide any opportunity to configure a proxy, so there is no chance this would work for me.  I am even thinking of making a pull request to fix this, it’s quite annoying.  I don’t know why the authors assume that other people are ok with this pattern.

·         I am also getting an exception in the logs stating: No operation matching request path "/api/login;JSESSIONID=92e79cbe-9113-473d-b76a-165666c3f221" is found.  Is this a bug in Zeppelin?


Does anybody know why this is not working?  Or how I can fix it?

Michael Knapp
________________________________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

Re: struggling with LDAP

Posted by Paul Brenner <pb...@placeiq.com>.
I haven’t used any alternative tools for logging into ldap to test your settings but you could look into:

https://share.polymail.io/v1/z/b/NThmN2ExZTk4NzM5/eIaecXfqzpvgJ4U4_otah9F6ocoNBr72ckozDNQV-5XVR4yWlzdcZx-ID2qZ1ad9vwYQJNTeWw4wPfcNe_zQzAMeavly76koV3RmZZnJ0JDjxO-2APSYgNnQMEsjvEAr16xkhyYzdcu-BxaX0xgWy8EHzEOx65D1XI6suxXIvRln6Y4KChBOA6f5TaIx8Eo3ONpQ6YsxWBhGECk=

https://share.polymail.io/v1/z/b/NThmN2ExZTk4NzM5/eIaecXfqzpvgJ4U4_otah9F6ocoNBr72ckozDNQV-5XVR4yWlzdcZx-ID2qZ1ad9vwYQJNTeWw4wPfcNe_zQzAMeavly76koV3RmZZnJ0JDjxO-2APSYgNnQMEsjvEAr16xkhyYzdcu-BxaX0wMI0poTi0mt9pD4VpesuhHH4EZn6IsFGwRCDLK3SSwhWAU7arJiRIzF0zrtDYHT3Cl_yamLbzshVmsJiNFq4mLGqm_r

The fact that your system user is found but not your personal account makes me suspicious of searchBase and groupRolesMap.

Do you have “activeDirectoryRealm.searchBase” and “activeDirectoryRealm.groupRolesMap” appropriately enabled to match what your ldap server expects? 

For our ldap setup we use:

activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net

I also included:

activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science"

[roles]

data_science = data_science

[urls]

/api/interpreter/** = roles[data_science]

/** = authc 

Paul Brenner


On Wed, Apr 19, 2017 at 1:20 PM Knapp Michael <Mi...@capitalone.com> wrote:


From: Paul Brenner <pb...@placeiq.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Wednesday, April 19, 2017 at 11:21 AM
To: "Knapp, Michael" <Mi...@capitalone.com>, "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Krishna, Krish" <Kr...@capitalone.com>
Subject: Re: struggling with LDAP

 

Have you tried downloading jxplorer (http://jxplorer.org/) and confirming that you can connect to the ldaps server with your credentials?

 

Also, when is this error coming up, at start up or when you try to login through zeppelin? When I switched to ldap instead of logging in as pbrenner for my user I had to use pbrenner@corp.placeiq.net. Had to add “activeDirectoryRealm.principalSuffix“ to shiro.ini to get around that. 

Paul Brenner

On Wed, Apr 19, 2017 at 11:07 AM Knapp Michael <Mi...@capitalone.com> wrote:

I think this got me one step closer.  I was getting an exception stating there was no trusted path to the ldap server.  Now I am getting the same exception as when I use non-secure LDAP, that I am “forbidden”.  I am getting ldap error code 49, data 52e.

 

From: Paul Brenner <pb...@placeiq.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Tuesday, April 18, 2017 at 4:24 PM
To: "Knapp, Michael" <Mi...@capitalone.com>, "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Krishna, Krish" <Kr...@capitalone.com>
Subject: struggling with LDAP

 

BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

 


Re: struggling with LDAP

Posted by moon soo Lee <mo...@apache.org>.
Hi Paul, Knapp,

Please don't mind updating the LDAP documentation if you would like to.
That would save many people!

Documentation (published on the zeppelin website) is also part of the open source
project and you can update it by making a pull request. I think the related file is
https://github.com/apache/zeppelin/blob/master/docs/security/shiroauthentication.md#ldap
Let me know if you need help making a pull request.

Thanks,
moon

On Thu, Apr 20, 2017 at 3:18 PM Knapp, Michael <Mi...@capitalone.com> wrote:

Re: struggling with LDAP

Posted by "Knapp, Michael" <Mi...@capitalone.com>.
I finally got LDAP to work.  This was one of the most difficult tasks I have ever had.  I spent about three weeks trying to make this work!

One very hard lesson learned:  LDAP/JNDI code will not use the truststore that people pass into zeppelin-site.xml.  It will only use the JRE’s cacerts file.  This cost me so much time, it should definitely be mentioned in the Zeppelin documentation.

I also think the documentation should offer more help on how to determine what values you need in the shiro.ini file.  I eventually figured out there was a principalSuffix I needed to use, but the value was not my first guess at all.  Some guidance on how to use ldapsearch would save people weeks of work here.

Also the shiro logging is TERRIBLE!  It offers almost no help when it comes time to troubleshoot things and discover where it went wrong.  This is true even when it is set to trace.

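The certificate check this thread arrives at piecemeal (Paul's openssl/sed extraction of the server chain, and Michael's finding that the JVM's JNDI/LDAP client only trusts the JRE's cacerts, not zeppelin.ssl.truststore.path), scripted end to end as an added example; this is not code from the thread or from Zeppelin. The host name, the CA alias and the s_client transcript are constructed; the cacerts path is the one the javax.net.debug output printed.

```shell
#!/bin/sh
# Added example, not from the thread or from Zeppelin. JNDI/LDAP validates
# the LDAPS server against the JRE's cacerts, so that is the store the
# server's chain has to verify against. Host, CA alias and the s_client
# sample below are constructed; the cacerts path comes from the debug log.
set -eu

DEFAULT_CACERTS=/application/jdk1.8.0_101/jre/lib/security/cacerts

# Keep only PEM certificate blocks from `openssl s_client -showcerts` output
# (the same sed range expression that survives in the quoted message).
extract_pem() {
  sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM stream on stdin (0 when there are none).
count_certs() {
  grep -c -- '-END CERTIFICATE-' || true
}

# First PEM block only: the server (leaf) certificate. openssl verify needs
# the leaf as its target; any later blocks are intermediates.
leaf_cert() {
  awk '/-BEGIN CERTIFICATE-/ { n++ } n == 1 { print }'
}

# Step 1: capture the chain the LDAPS listener really serves. -servername
# sends SNI in case one address fronts several names; </dev/null closes the
# session as soon as the handshake is done.
fetch_chain() {
  host=$1
  port=${2:-636}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | extract_pem
}

# Step 2: path-validate that chain against the cacerts JNDI will use.
# keytool dumps the JKS as PEM so openssl can build the path; the JRE's
# cacerts ships with the password "changeit".
verify_against_cacerts() {
  chain=$1
  cacerts=${2:-$DEFAULT_CACERTS}
  trusted=$(mktemp)
  leaf=$(mktemp)
  keytool -list -rfc -keystore "$cacerts" -storepass changeit | extract_pem > "$trusted"
  leaf_cert < "$chain" > "$leaf"
  # "unable to get local issuer certificate" here means the corporate CA is
  # missing from cacerts: the same condition behind SunCertPathBuilderException.
  rc=0
  openssl verify -CAfile "$trusted" -untrusted "$chain" "$leaf" || rc=$?
  rm -f "$trusted" "$leaf"
  return $rc
}

# Step 3 (remediation): import the corporate CA into the JRE cacerts that the
# JNDI client consults. Pointing the whole JVM at the Zeppelin truststore with
# -Djavax.net.ssl.trustStore=... in JAVA_OPTS also works, but that file then
# replaces cacerts entirely, so it must hold every CA the JVM needs.
import_corp_ca() {
  ca_file=$1
  cacerts=${2:-$DEFAULT_CACERTS}
  keytool -importcert -noprompt -trustcacerts -alias corp-root-ca \
    -file "$ca_file" -keystore "$cacerts" -storepass changeit
}

# Constructed s_client transcript (placeholder base64, not real certificates)
# so the parsing steps can be exercised without a network connection.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.corp.example.test
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateLine1
MIIBconstructedLeafCertificateLine2
-----END CERTIFICATE-----
 1 s:/CN=Example Corp Issuing CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCertificateLine1
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)'

# Offline checks on the sample: certificates sent, and lines in the leaf block.
demo_chain_count() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem | count_certs
}
demo_leaf_lines() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem | leaf_cert | wc -l | tr -d ' '
}

# Live usage: fetch_chain ldap.corp.example.test 636 > chain.pem
#             verify_against_cacerts chain.pem && echo trusted by cacerts
```

A failing verify_against_cacerts reproduces the condition behind the SunCertPathBuilderException; a passing run after import_corp_ca confirms the fix before Zeppelin is restarted.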

Re: struggling with LDAP

Posted by "Knapp, Michael" <Mi...@capitalone.com>.
My Mac is configured to forbid installing software by unidentified developers.  I cannot install jxplorer.  Is there an alternative?

The error is coming up when I try to login.  I tried using the principalSuffix; it did not change things.

I discovered a co-worker had LDAP working for a different LDAP server under different conditions.  He told me that he is logging in as the system account from the UI, which I had never tried or thought of before.  I was always using my personal username and password, and figured that the system account should just be used on the backend to interact with LDAP.

Is that the expected way for things to work?  Like the user should enter the system username and password on the front end instead of their own?  Because I don’t think that will be an acceptable long term solution in my case.

I also noticed that if I add “admin = *” to my roles section, that alone breaks the application, and I have no idea why.  I’m having trouble finding documentation on what is expected in the roles section of the shiro file.

When I did get it to work:

· I was logging in as the system user on the front end.  Any other user fails.

· I did NOT have the principalSuffix defined; adding it seems to break things.

· I was able to use ldap or ldaps.


Re: struggling with LDAP

Posted by Paul Brenner <pb...@placeiq.com>.
Have you tried downloading jxplorer (http://jxplorer.org/) and confirming that you can connect to the ldaps server with your credentials?

Also, when is this error coming up, at start up or when you try to login through zeppelin? When I switched to ldap instead of logging in as pbrenner for my user I had to use pbrenner@corp.placeiq.net. Had to add “activeDirectoryRealm.principalSuffix“ to shiro.ini to get around that. 

Paul Brenner

DATA SCIENTIST


Re: struggling with LDAP

Posted by "Knapp, Michael" <Mi...@capitalone.com>.
I think this got me one step closer.  I was getting an exception stating there was no trusted path to the ldap server.  Now I am getting the same exception as when I use non-secure LDAP, that I am “forbidden”.  I am getting ldap error code 49, data 52e.

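An added example, not from the thread or from Zeppelin, that triages the two failures Michael reports from a Zeppelin log without touching the network: the "trustStore is:" line that -Djavax.net.debug=all prints (showing which store the JVM really loaded), the SunCertPathBuilderException, and an Active Directory "error code 49" bind rejection with its "data" sub-code. The sample log inside is constructed from the lines quoted in this thread; the sub-code meanings are Microsoft's documented AcceptSecurityContext values. Worth knowing when reading a 52e: Shiro's ActiveDirectoryRealm, from which Zeppelin's ActiveDirectoryGroupRealm is derived, binds to the directory as the user who is logging in (the name typed at the login form, plus principalSuffix when one is set) and uses systemUsername only for the group lookup, so the rejected credentials are the end user's, in whatever name form the realm sent them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zeppelin. Reads a Zeppelin
# log (the zeppelin-*.out file when -Djavax.net.debug=all is set) and reports
# the two failures discussed in the thread. No network access needed.
set -eu

# Which trust store the JVM actually loaded: javax.net.debug prints
# "trustStore is: <path>" once when it initialises SSL.
jvm_truststore_in_log() {
    sed -n 's/^trustStore is: *//p' "$1" | head -n 1
}

# True (exit 0) when that store is the JDK's bundled cacerts, i.e. the JVM was
# never told about the store the operator configured.
uses_jdk_default_truststore() {
    case "$(jvm_truststore_in_log "$1")" in
        */lib/security/cacerts) return 0 ;;
        *) return 1 ;;
    esac
}

# Three-hex-digit sub-code AD appends after "data " in an "error code 49"
# diagnostic message; empty when the log has no such bind failure.
ad_bind_subcode() {
    sed -n 's/.*error code 49.*data \([0-9a-fA-F]\{3\}\).*/\1/p' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Microsoft's documented AcceptSecurityContext sub-codes.
ad_bind_reason() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials: the name as sent, or the password, was rejected" ;;
        530) echo "logon not permitted at this time" ;;
        531) echo "logon not permitted from this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        "")  echo "no AD bind failure in log" ;;
        *)   echo "unknown AD sub-code $1" ;;
    esac
}

triage() {
    log=$1
    if grep -q 'SunCertPathBuilderException' "$log"; then
        echo "TLS: the JVM found no trusted CA for the LDAPS server certificate"
        if uses_jdk_default_truststore "$log"; then
            echo "  it loaded $(jvm_truststore_in_log "$log"), not the store you configured:"
            echo "  zeppelin.ssl.truststore.path only feeds Jetty's HTTPS listener; set"
            echo "  -Djavax.net.ssl.trustStore=... in JAVA_OPTS or import the CA into that cacerts"
        fi
    fi
    code=$(ad_bind_subcode "$log")
    if [ -n "$code" ]; then
        echo "LDAP bind: error code 49, data $code => $(ad_bind_reason "$code")"
    fi
}

# Constructed sample, assembled from the lines quoted in this thread.
sample_log() {
    cat <<'EOF'
trustStore is: /application/jdk1.8.0_101/jre/lib/security/cacerts
trustStore type is : jks
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
EOF
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it as sh triage.sh zeppelin-*.out; the sample_log function shows the line shapes it expects. A 52e on login together with a working systemUsername/systemPassword says nothing about the system account; it is the end-user bind that AD refused, so the next things to check are the password and the name form the realm sent (sAMAccountName, UPN, or DN).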

struggling with LDAP

Posted by Paul Brenner <pb...@placeiq.com>.
Wow, we just setup ldaps today, good timing.

First we got everything working with just ldap (not secure). Then all we had to do was generate keys for the latest version of java we had installed:

openssl s_client -connect piq-corp-100.corp.placeiq.net:636 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

/usr/java/latest/bin/keytool -import -alias piq-corp-100.corp.placeiq.net -keystore /usr/java/latest/jre/lib/security/cacerts -file ./public.crt

And then everything worked fine. I definitely didn’t touch zeppelin-site.xml.

Here is our shiro.ini in case that helps. It is possible that we set up some additional conf elsewhere that would be relevant but I’m having trouble thinking of anything.

[users]
[main]
#activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = our username
activeDirectoryRealm.systemPassword = our password
activeDirectoryRealm.searchBase = OU=Departments,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net
activeDirectoryRealm.url = ldaps://corp.placeiq.net:636
activeDirectoryRealm.groupRolesMap = "CN=Security Data Science Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_science", "CN=Security Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"engineering", "CN=Security Infrastructure Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"infra", "CN=Security Research & Development Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"tech_heads", "CN=Security Reporting & Analytics Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"reporting", "CN=Security Product Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"product", "CN=Security Data Operations Department,OU=Department Security Groups,OU=Security Groups,OU=PlaceIQ,DC=corp,DC=placeiq,DC=net":"data_ops"
activeDirectoryRealm.authorizationCachingEnabled = true
activeDirectoryRealm.principalSuffix = @corp.placeiq.net
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
securityManager.realm = $activeDirectoryRealm
[roles]
data_science = data_science
engineering = engineering
infra = infra
tech_heads = tech_heads
reporting = reporting
[urls]
/api/version = anon
/api/interpreter/** = roles[engineering],roles[infra],roles[tech_heads],roles[data_science]
#/** = anon
/** = authc

Paul Brenner

DATA SCIENTIST
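An added example, not code from the thread or from Zeppelin, that extends Paul's two commands. It fetches the whole chain the LDAPS server presents (the openssl command above captures only the leaf certificate, which stops working as soon as the server certificate is rotated), checks offline that the leaf chains to the topmost CA the server sent, imports that CA into a dedicated JKS store rather than the JDK's cacerts (which a JDK upgrade replaces), and prints the JAVA_OPTS line that makes the Zeppelin JVM use it. The host, port, store path and password are placeholders read from environment variables; that openssl (1.0.2 or later, for -partial_chain) and keytool are on PATH, and that Zeppelin's JVM honours JAVA_OPTS as it did for -Djavax.net.debug in this thread, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: openssl (>= 1.0.2 for
# -partial_chain) and keytool on PATH; LDAPS_HOST/LDAPS_PORT name a reachable
# server (placeholders); STORE is where the new truststore goes; the Zeppelin
# JVM honours JAVA_OPTS, as the thread's -Djavax.net.debug=all did.
set -eu

# Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into
# $2/cert-0.pem, $2/cert-1.pem, ... and print how many there were.
# cert-0 is the leaf; higher numbers are the CAs the server sent, in order.
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }
    ' "$bundle"
}

# The chain the server really presents. The thread's command captured only the
# leaf; -showcerts prints the intermediates/root too, and -servername matters
# when one address serves several names.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
}

# Offline check that mirrors the JVM's decision: with cert-$2 as the only trust
# anchor, does the leaf chain up through the certs in between? -partial_chain
# lets a non-self-signed anchor count, as Java's PKIX validator does for any
# entry in a trust store.
verify_leaf() {
    certdir=$1; top=$2
    if [ "$top" -gt 1 ]; then
        : > "$certdir/untrusted.pem"
        i=1
        while [ "$i" -lt "$top" ]; do
            cat "$certdir/cert-$i.pem" >> "$certdir/untrusted.pem"; i=$((i + 1))
        done
        openssl verify -partial_chain -CAfile "$certdir/cert-$top.pem" \
            -untrusted "$certdir/untrusted.pem" "$certdir/cert-0.pem"
    else
        openssl verify -partial_chain -CAfile "$certdir/cert-1.pem" "$certdir/cert-0.pem"
    fi
}

main() {
    host=${LDAPS_HOST:?set LDAPS_HOST}; port=${LDAPS_PORT:-636}
    store=${STORE:-/application/zeppelin/conf/ldap-truststore.jks}
    storepass=${STOREPASS:-changeit}   # visible in `ps`; keytool also accepts -storepass:env VAR
    work=$(mktemp -d)
    fetch_chain "$host" "$port" > "$work/chain.pem"
    n=$(split_pem_chain "$work/chain.pem" "$work")
    echo "server presented $n certificate(s)"
    if [ "$n" -lt 2 ]; then
        echo "only the leaf was sent; obtain the issuing CA's PEM out of band and import that" >&2
        exit 1
    fi
    top=$((n - 1))
    verify_leaf "$work" "$top"
    # Import the topmost CA, not the leaf: it survives server cert rotation. A
    # dedicated store (unlike $JAVA_HOME/jre/lib/security/cacerts) survives a JDK upgrade.
    keytool -importcert -noprompt -alias "ldaps-ca-$host" \
        -file "$work/cert-$top.pem" -keystore "$store" -storepass "$storepass"
    # Zeppelin's LDAP client (JNDI) uses the JVM default trust store, which is why
    # the thread's debug output named cacerts; zeppelin.ssl.truststore.path only
    # configures Jetty's own HTTPS listener. Hand the store to the JVM instead:
    echo "export JAVA_OPTS=\"-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=$storepass\""
}

if [ -n "${LDAPS_HOST:-}" ]; then main; fi
```

Run it as LDAPS_HOST=ldap.corp.example sh ldaps-trust.sh (the host name is a placeholder). Because -Djavax.net.ssl.trustStore replaces the JVM's default store rather than adding to it, every CA the JVM needs for other outbound TLS connections (a corporate proxy's, for instance) must also be imported into the new store; importing into cacerts, as Paul did, avoids that at the cost of redoing it after each JDK upgrade.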
