Zeppelin - LDAP 身份验证失败
Posted
技术标签:
【中文标题】Zeppelin - LDAP 身份验证失败【英文标题】:Zeppelin - LDAP Authentication failed 【发布时间】:2020-04-14 18:29:38 【问题描述】:我正在尝试在 Zeppelin 笔记本中配置 ldap 身份验证。我已经通过 this 链接指定了 ldap 服务器和其他配置。但是,当我尝试登录时,出现以下错误:
ERROR [2019-12-23 17:52:12,196] (qtp1580893732-66 LoginRestApi.java[proceedToLogin]:172) - Exception in login:
org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:371)
at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
... 78 more
WARN [2019-12-23 17:52:12,197] (qtp1580893732-66 LoginRestApi.java[postLogin]:206) - "status":"FORBIDDEN","message":"","body":""
这里是 shiro.ini 文件
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://10.16.0.113:389
ldapRealm.userDnTemplate=uid=0,ou=Users,dc=domain,dc=org,dc=com
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.authorizationEnabled=true
#ldapRealm.contextFactory.systemAuthenticationMechanism=simple
ldapRealm.searchBase=dc=domain,dc=org,dc=com
ldapRealm.userSearchBase=dc=domain,dc=org,dc=com
ldapRealm.groupSearchBase=ou=Users,dc=domain,dc=org,dc=com
ldapRealm.groupObjectClass=groupofnames
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute=member
# force usernames returned from ldap to lowercase useful for AD
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.memberAttributeValueTemplate=cn=0,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemUsername=uid=domain\digital.banking,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemPassword=Password1
securityManager.realms = $ldapRealm
我哪里错了。我需要一些帮助
【问题讨论】:
【参考方案1】:我关注了来自 Cloudera 的 documentation(配置 Apache Zeppelin 安全性)。看来我不得不使用“ActiveDirectoryRealm”而不是“LDAPRealm” 在 shiro.ini 中添加了以下配置,它已启动并运行:
activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://address:389
activeDirectoryRealm.searchBase = DC=domain,DC=org,DC=com
activeDirectoryRealm.principalSuffix = @domain.org.com
securityManager.realms = $activeDirectoryRealm
【讨论】:
以上是关于Zeppelin - LDAP 身份验证失败的主要内容,如果未能解决你的问题,请参考以下文章
Spring boot Ldap 身份验证失败,LDAP 错误代码 49 - 80090308 数据 52e