Zeppelin - LDAP 身份验证失败

Posted

技术标签:

【中文标题】Zeppelin - LDAP 身份验证失败【英文标题】:Zeppelin - LDAP Authentication failed 【发布时间】:2020-04-14 18:29:38 【问题描述】:

我正在尝试在 Zeppelin 笔记本中配置 ldap 身份验证。我已经通过 this 链接指定了 ldap 服务器和其他配置。但是,当我尝试登录时,出现以下错误:

ERROR [2019-12-23 17:52:12,196] (qtp1580893732-66 LoginRestApi.java[proceedToLogin]:172) - Exception in login:
org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=false].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
       org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
      org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:371)
        at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
        at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
        at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        ... 78 more
 WARN [2019-12-23 17:52:12,197] (qtp1580893732-66 LoginRestApi.java[postLogin]:206) - "status":"FORBIDDEN","message":"","body":""

这里是 shiro.ini 文件

ldapRealm=org.apache.zeppelin.realm.LdapRealm

ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://10.16.0.113:389
ldapRealm.userDnTemplate=uid=0,ou=Users,dc=domain,dc=org,dc=com
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.authorizationEnabled=true
#ldapRealm.contextFactory.systemAuthenticationMechanism=simple
ldapRealm.searchBase=dc=domain,dc=org,dc=com
ldapRealm.userSearchBase=dc=domain,dc=org,dc=com
ldapRealm.groupSearchBase=ou=Users,dc=domain,dc=org,dc=com
ldapRealm.groupObjectClass=groupofnames
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute=member
# force usernames returned from ldap to lowercase useful for AD
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.memberAttributeValueTemplate=cn=0,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemUsername=uid=domain\digital.banking,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemPassword=Password1
securityManager.realms = $ldapRealm

我哪里错了。我需要一些帮助

【问题讨论】:

【参考方案1】:

我关注了来自 Cloudera 的 documentation(配置 Apache Zeppelin 安全性)。看来我不得不使用“ActiveDirectoryRealm”而不是“LDAPRealm” 在 shiro.ini 中添加了以下配置,它已启动并运行:

activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
activeDirectoryRealm.url = ldap://address:389
activeDirectoryRealm.searchBase = DC=domain,DC=org,DC=com
activeDirectoryRealm.principalSuffix = @domain.org.com
securityManager.realms = $activeDirectoryRealm

【讨论】:

以上是关于Zeppelin - LDAP 身份验证失败的主要内容,如果未能解决你的问题,请参考以下文章

LDAP 身份验证失败:数据 52e

Spring boot Ldap 身份验证失败,LDAP 错误代码 49 - 80090308 数据 52e

Azure 应用服务中的 LDAP 身份验证失败

Hive 中的 Ldap 身份验证用户过滤器:失败

Ldap 用户授权失败 - 未处理的 Spring 身份验证“访问被拒绝”

使用LDAP登录模块进行Teiid VDB数据虚拟化的身份验证失败