Active Directory Settings
This section provides additional information about Shiro Active Directory settings.
Active Directory (AD) stores users and groups in a hierarchical tree structure, built from containers including the organizational unit (ou), organization (o), and domain controller (dc). The path to each entry is a Distinguished Name (DN) that uniquely identifies a user or group.
User and group names typically have attributes such as a common name (cn) or unique ID (uid).
Specify the DN as a string, for example cn=admin,dc=example,dc=com
.
White space is ignored.
Important | |
---|---|
If you upgrade from HDP 2.5 (Zeppelin 0.6) to HDP 2.6 (Zeppelin 0.7), note that the
Active Directory group realm class name changed from
|
-
activeDirectoryRealm
-
specifies the class name to use for AD authentication. You should set this to
org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
. -
activeDirectoryRealm.url
-
specifies the host and port where Active Directory is set up. .
If the protocol element is specified as
ldap
, SSL is not used. If the protocol is specified asldaps
, access is over SSL.Note: If Active Directory uses a self-signed certificate, import the certificate into the truststore of the JVM running Zeppelin; for example:
echo -n | openssl s_client –connect ldap.example.com:389 | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt keytool –import \ -keystore $JAVA_HOME/jre/lib/security/cacerts \ -storepass changeit \ -noprompt \ -alias mycert \ -file /tmp/examplecert.crt
-
activeDirectoryRealm.principalSuffix
-
simplifies the logon information that users must use to log in. Otherwise, AD requires a username fully qualified with domain information. For example, if a fully-qualified user account is
user@hdpqa.example.com
, you can specify a shorter suffix such asuser@hdpqa
.activeDirectoryRealm.principalSuffix = @<user-org-level-domain>
-
activeDirectoryRealm.searchBase
-
defines the base distinguished name from which the directory search starts. A distinguished name defines each entry; "dc" entries define a hierarchical directory tree.
-
activeDirectoryRealm.systemUsername
-
activeDirectoryRealm.systemPassword
-
defines the username and password that Zeppelin uses to connect to Active Directory when it searches for users and groups. These two settings are used for controlling access to UI features, not for authentication. The Bind method does not require a valid user password.
Example:
activeDirectoryRealm.systemPassword = passwordA
-
activeDirectoryRealm.groupRolesMap
-
a comma-separated list that maps groups to roles. These settings are used by Zeppelin to restrict UI features to specific AD groups. The following example maps group
hdpdv_admin
athdp3.example.com
to the "admin" role:CN=hdpdv_admin,DC=hdp3,DC=example,DC=com:admin
-
activeDirectoryRealm.authorizationCachingEnabled
-
specifies whether to use caching to improve performance. To enable caching, set this property to
true
.