question Re: Groups not imported by Ranger User Sync from Active Directory in Support Questions

Groups not imported by Ranger User Sync from Active Directory

Adija1 — Tue, 08 Nov 2016 22:29:53 GMT

Hello experts

We have HDP 2.3.2 with Ranger 0.5 that is configured to sync users & groups from Active Directory. SSSD is configured in all machines.

ranger.usersync.ldap.user.searchbase & ranger.usersync.group.searchbase are configured to the relevant OUs.

Usersync does sync users and maps to their AD groups without a problem. I'm able to grant users permissions using Ranger but i'd rather manage groups and not users. When i search for groups in Ranger i can only see groups that have been mapped from the synced users - and not all the groups in the ranger.usersync.group.searchbase OU. Bottom line, usersync syncs only users & their own groups - but not groups that are in the anger.usersync.group.searchbase OU.

All groups in Ranger are from source "Internal" and none "external".

I've set the following values under "Advanced ranger-ugsync-site":

ranger.usersync.ldap.user.groupnameattribute

ranger.usersync.group.nameattribute

ranger.usersync.group.searchbase

ranger.usersync.group.searchenabled = true

ranger.usersync.group.usermapsyncenabled = true

Any ideas why usersync does not sync the groups ?

Regards,

Adi

Re: Groups not imported by Ranger User Sync from Active Directory

sshimpi — Wed, 09 Nov 2016 02:12:31 GMT

@Adi Jabkowsky

Can you please check once the property value set in configs as per - https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.0.0/bk_Ambari_Security_Guide/content/setting_up_hadoop_group_mappping_for_ldap_ad.html

Also if possible please attach ranger ugsync logs.

Re: Groups not imported by Ranger User Sync from Active Directory

Adija1 — Sun, 18 Aug 2019 10:53:01 GMT

@Sagar Shimpi Thank you for replying.

I've completed all configurations for group mapping as described in the document, and group mapping works. The problem is that usersync does not import groups from LDAP. Just users and creates their groups as internal. This means that groups from ldap which have no users (new groups) are unavailable in Ranger.

I can't attach the logs because they hold names and addresses from out production environment, however i can attach the beginning of the log file which shows the values for usersync and i can tell you that there are no errors in the log.

Here is the problem in screenshots:

Users from Active Directory and their respectable groups:

Groups are only "internal"

No external groups:

The begining of the log (i did change some of the OU names for privacy reasons):

09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder 09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink 09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started 09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started 09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://<myldapserver>:389, ldapBindDn: CN=<ldapuser>,OU=<blabla>,OU=Users,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchBase: OU=<usersOU>,OU=<parentou>,OU=Organization,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchScope: 2, userObjectClass: person, userSearchFilter: objectclass=top, extendedUserSearchFilter: (&(objectclass=person)(objectclass=top)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il, groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=group)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=group)), groupMemberAttributeName: member, groupNameAttribute: distinguishedName, groupUserMapSyncEnabled: true, ldapReferral: ignore

I would expect usersync to import groups from the groups OU thanks to the following:

groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il,

Any ideas ?

Re: Groups not imported by Ranger User Sync from Active Directory

Adija1 — Thu, 10 Nov 2016 01:15:45 GMT

It seems that Ranger 0.5 retrieves just the groups that hold the users that it synced. Empty groups are not retrieved. In Ranger 0.6 it is fixed.

https://issues.apache.org/jira/browse/RANGER-869

Re: Groups not imported by Ranger User Sync from Active Directory

sshimpi — Thu, 10 Nov 2016 03:13:41 GMT

@Adi Jabkowsky

Yes and I see an internal RPM filed with Hortonworks - https://hortonworks.jira.com/browse/RMP-4999

and is Fixed in HDP2.5 version.

Re: Groups not imported by Ranger User Sync from Active Directory

michael2 — Thu, 09 Feb 2017 17:01:16 GMT

1. I'm have upgraded to HDP-2.5.3.0 with Ranger 0.6.0.2.5 1-2 months ago. I have the same issue with users=external and groups=internal, and unfortunately I don't have access to the jira.com link. Should I do anything for this to start working normally ?

2. Users "First Name", "Last Name" and "Email" + Groups "Description" is not synced correctly - where do I change this ?

3. Filters on User + Group sync doesn't seem to have effect eventhough I have configured:

- User Config -> User Search Filter: "membersOf=CN=<GROUP>,OU=<OU1>,OU=<OU2>,DC=<DC1>,DC=<DC2>"

- Group Configs -> Group Search Filter: "CN=<PART_OF_GROUP*>"

Perhaps these are all related... otherwise just disregard question 2+3 🙂

Thanks in advance 🙂 !