Zeppelin issue ZEPPELIN-3817

sssd/ldap authentication failing

Description

      Hi There,

      We are trying to integrate Zeppelin with AD, but it is failing and throwing the error below.

      ---------------------------------------------------------------------------

      WARN [2018-10-19 10:40:28,268] ({qtp2059904228-68} LoginRestApi.java[postLogin]:206) - {"status":"FORBIDDEN","message":"","body":""}
      WARN [2018-10-19 11:04:18,020] ({qtp2059904228-98} AbstractAuthenticator.java[authenticate]:216) - Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - null, rememberMe=false (10.23.126.208)]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
      java.lang.IllegalArgumentException: principal argument cannot be null.
      at org.apache.shiro.subject.SimplePrincipalCollection.add(SimplePrincipalCollection.java:104)
      at org.apache.shiro.subject.SimplePrincipalCollection.<init>(SimplePrincipalCollection.java:59)
      at org.apache.shiro.authc.SimpleAuthenticationInfo.<init>(SimpleAuthenticationInfo.java:74)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.createAuthenticationInfo(DefaultLdapRealm.java:412)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:377)
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
      at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
      at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
      at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
      at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
      at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
      at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
      at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
      at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
      at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
      at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
      at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
      at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
      at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
      at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
      at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
      at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      at org.eclipse.jetty.server.Server.handle(Server.java:499)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      at java.lang.Thread.run(Thread.java:748)
      ERROR [2018-10-19 11:04:18,043] ({qtp2059904228-98} LoginRestApi.java[proceedToLogin]:172) - Exception in login:
      org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
      at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:300)
      at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
      at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
      at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
      at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
      at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
      at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
      at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
      at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
      at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
      at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
      at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
      at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
      at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
      at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
      at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
      at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
      at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
      at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
      at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
      at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
      at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      at org.eclipse.jetty.server.Server.handle(Server.java:499)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

      ---------------------------------------------------------------

      My shiro.ini is below:

      #
      # Licensed to the Apache Software Foundation (ASF) under one or more
      # contributor license agreements. See the NOTICE file distributed with
      # this work for additional information regarding copyright ownership.
      # The ASF licenses this file to You under the Apache License, Version 2.0
      # (the "License"); you may not use this file except in compliance with
      # the License. You may obtain a copy of the License at
      #
      #    http://www.apache.org/licenses/LICENSE-2.0
      #
      # Unless required by applicable law or agreed to in writing, software
      # distributed under the License is distributed on an "AS IS" BASIS,
      # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      # See the License for the specific language governing permissions and
      # limitations under the License.
      #

      #[users]
      #oracle = welcome1, admin

      # List of users with their password allowed to access Zeppelin.
      # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
      # To enable admin user, uncomment the following line and set an appropriate password.
      #admin = password1, admin
      #user1 = password2, role1, role2
      #user2 = password3, role3
      #user3 = password4, role2

      # Sample LDAP configuration, for user Authentication, currently tested for single Realm
      [main]
      ### A sample for configuring Active Directory Realm
      #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
      #activeDirectoryRealm.systemUsername = userNameA

      #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
      #activeDirectoryRealm.systemPassword = passwordA
      #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
      #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
      #activeDirectoryRealm.url = ldap://ldap.test.com:389
      #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
      #activeDirectoryRealm.authorizationCachingEnabled = false

      ### A sample for configuring LDAP Directory Realm
      ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
      ## search base for ldap groups (only relevant for LdapGroupRealm):
      ldapRealm.contextFactory.environment[ldap.searchBase] = DC=XXXXX,DC=XXXXX,DC=com
      ldapRealm.contextFactory.url = ldap://msbchilddc01.XXXXX.XXXXX.com:389
      ldapRealm.userDnTemplate = CN={0},ou=LdapService,DC=XXXXX,DC=XXXXX,DC=com
      ldapRealm.contextFactory.authenticationMechanism = simple
      securityManager.realms = $ldapRealm

      ### A sample PAM configuration
      #pamRealm=org.apache.zeppelin.realm.PamRealm
      #pamRealm.service=sss
      #securityManager.realms = $pamRealm

      ### A sample for configuring ZeppelinHub Realm
      #zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
      ## Url of ZeppelinHub
      #zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
      #securityManager.realms = $zeppelinHubRealm

      ## A sample for configuring Knox SSO Realm
      #knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
      #knoxJwtRealm.providerUrl = https://domain.example.com/
      #knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
      #knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
      #knoxJwtRealm.logoutAPI = true
      #knoxJwtRealm.redirectParam = originalUrl
      #knoxJwtRealm.cookieName = hadoop-jwt
      #knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem
      #
      #knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
      #knoxJwtRealm.principalMapping = principal.mapping
      #authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter

      sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

      ### If caching of user is required then uncomment below lines
      #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
      #securityManager.cacheManager = $cacheManager

      ### Enables 'HttpOnly' flag in Zeppelin cookies
      cookie = org.apache.shiro.web.servlet.SimpleCookie
      cookie.name = JSESSIONID
      cookie.httpOnly = true
      ### Uncomment the below line only when Zeppelin is running over HTTPS
      #cookie.secure = true
      sessionManager.sessionIdCookie = $cookie

      securityManager.sessionManager = $sessionManager
      # 86,400,000 milliseconds = 24 hour
      securityManager.sessionManager.globalSessionTimeout = 86400000
      shiro.loginUrl = /api/login

      [roles]
      role1 = *
      role2 = *
      role3 = *
      admin = *

      [urls]
      # This section is used for url-based security. For details see the shiro.ini documentation.
      #
      # You can secure interpreter, configuration and credential information by urls.
      # Comment or uncomment the below urls that you want to hide:
      # anon means the access is anonymous.
      # authc means form based auth Security.
      #
      # IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
      # in the order they are defined and the FIRST MATCH WINS.
      #
      # To allow anonymous access to all but the stated urls,
      # uncomment the second last line (/** = anon) and comment the last line (/** = authc)
      #
      /api/version = anon
      # Allow all authenticated users to restart interpreters on a notebook page.
      # Comment out the following line if you would like to authorize only admin users to restart interpreters.
      /api/interpreter/setting/restart/** = authc
      /api/interpreter/** = authc, roles[admin]
      /api/configurations/** = authc, roles[admin]
      /api/credential/** = authc, roles[admin]
      #/** = anon
      /** = authc
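A triage script for the failure records in the log above, added here as an example and not part of the issue or of the Zeppelin project: it parses the Zeppelin/Shiro log format, pulls out the source host and the AD "data" sub-code that follows LDAP error 49, and counts bind failures per (host, reason) so an operator can tell a single misconfigured client (one host, invalid credentials) from a spread of failures worth alerting on. The sample log is constructed from the report with the stack frames dropped; the regexes and the sub-code table (standard AD bind-failure codes) are this example's own assumptions, not anything the report states.

```python
import re
from collections import Counter

# AD 'data' sub-codes reported after LDAP error 49 (standard AD codes, not values from the report).
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Zeppelin log record header: LEVEL [timestamp] ({thread} site) - message
LOG_LINE = re.compile(r"^(?P<level>WARN|ERROR) \[(?P<ts>[^\]]+)\] "
                      r"\(\{(?P<thread>[^}]+)\} (?P<site>[^)]+)\) - (?P<msg>.*)$")
# Shiro's "Authentication failed for token submission" detail: principal and source host
TOKEN = re.compile(r"UsernamePasswordToken - (?P<user>\S+), rememberMe=\w+ \((?P<host>[\d.]+)\)")
# JNDI cause line carrying the LDAP result code and the AD sub-code
LDAP_CAUSE = re.compile(r"\[LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: .*?data (?P<data>[0-9a-f]+)")

# Constructed sample: the records from the report, stack frames dropped.
SAMPLE_LOG = """\
WARN [2018-10-19 10:40:28,268] ({qtp2059904228-68} LoginRestApi.java[postLogin]:206) - {"status":"FORBIDDEN","message":"","body":""}
WARN [2018-10-19 11:04:18,020] ({qtp2059904228-98} AbstractAuthenticator.java[authenticate]:216) - Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - null, rememberMe=false (10.23.126.208)]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
java.lang.IllegalArgumentException: principal argument cannot be null.
ERROR [2018-10-19 11:04:18,043] ({qtp2059904228-98} LoginRestApi.java[proceedToLogin]:172) - Exception in login:
org.apache.shiro.authc.AuthenticationException: LDAP authentication failed.
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]
"""


def triage(log_text):
    """Return one record per login attempt, with the AD failure reason attached."""
    attempts, by_thread, last = [], {}, None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            tok = TOKEN.search(m["msg"])
            if tok:  # a new attempt starts on this request thread
                rec = {"ts": m["ts"], "thread": m["thread"],
                       "user": None if tok["user"] == "null" else tok["user"],
                       "host": tok["host"], "ldap_code": None, "ad_data": None, "reason": None}
                by_thread[m["thread"]] = rec
                attempts.append(rec)
            last = by_thread.get(m["thread"])  # later lines on the same thread refine it
            continue
        c = LDAP_CAUSE.search(line)
        if c and last is not None:  # 'Caused by' belongs to the record just seen
            last["ldap_code"] = int(c["code"])
            last["ad_data"] = c["data"]
            last["reason"] = AD_DATA_CODES.get(c["data"], "unknown sub-code")
    return attempts


def summarize(attempts):
    """Count LDAP bind failures per (source host, reason) for thresholding or alerting."""
    return Counter((a["host"], a["reason"]) for a in attempts if a["ldap_code"] == 49)
```

Feed it the real zeppelin log instead of `SAMPLE_LOG`; the `user` field comes back `None` for this report because Shiro logged the principal as `null`, which is itself worth surfacing separately from the AD sub-code.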

Reporter: Bhupendra Mishra
Assignee: Unassigned