question Re: Ranger + AD: sync users from groups question in Support Questions

Ranger + AD: sync users from groups question

nord_tramper — Fri, 16 Sep 2022 11:39:55 GMT

Hi, all!

Environment:

RHEL 7.2 + Winbind

HDP 2.5

Ranger 0.6.0.2.5

AD: Windows 2008 R2 Server

User sync and group sync configured.

QUESTION:

I have some groups in AD with users inside. User in group pointed as member=CN=FirstName LastName, DN=EXAMPLE, DN=COM

Exactly the same FirstName LastName synced inside Ranger while usersync working. However Ranger use sAMAccountName in policy and sAMAccountName came from Kerberos.

Is it possible to sync user from groups with sAMAccountName instead of CN?

Re: Ranger + AD: sync users from groups question

bandarusridhar1 — Fri, 26 May 2017 21:19:04 GMT

@Nikita Kiselev

Yes, we can. We need to make appropriate filters and search parameters. You can follow the below link and your AD team would be able to help you.

https://cwiki.apache.org/confluence/display/RANGER/LDAP+Connection+Check+Tool

Re: Ranger + AD: sync users from groups question

gbrahmi — Fri, 26 May 2017 23:53:35 GMT

@Nikita Kiselev Yes it is possible to sync the sAMAccountName for the user from AD/LDAP. In Ranger configuration you have to make sure that the value for ranger.usersync.ldap.user.nameattribute is looking for sAMAccountName instead of CN.

If it works do up vote the answer.

Re: Ranger + AD: sync users from groups question

spolavarapu — Sat, 27 May 2017 01:27:18 GMT

@Nikita Kiselev

To add on to the above replies, if you want to sync users from some groups, I would suggest you to do the following:

1. "Enable Group Sync" - Set to "true"

2. Configure all the properties related to Group Config based on the OU and group name that you want to filter.

3. "Enable Group First Search" - Set to "true"

4. Go to "User Configs" tab and "Enable User Search" - Set to "true"

5. Configure all the properties related to User Config with "sAMAccountName" as the value for "UserName attribute"

For more details please refer to the below apache jira and the document attached in the jira:

https://issues.apache.org/jira/browse/RANGER-869

Re: Ranger + AD: sync users from groups question

nord_tramper — Mon, 29 May 2017 15:54:37 GMT

Thanks, all!

I have all settings in place but was not sure that it is correct. Only thing that prevent from correct sync was User Filter where I restrict only exact user list and new users for groups can't be synced into Ranger because of filter

Re: Ranger + AD: sync users from groups question

spolavarapu — Tue, 30 May 2017 23:45:38 GMT

@Nikita Kiselev,

Can you share your configuration before setting the User Filter with exact user list?

Re: Ranger + AD: sync users from groups question

nord_tramper — Wed, 31 May 2017 15:54:44 GMT

@spolavarapu

Filter on user was there for ages. And a short time ago sync user from groups task appears and looks like the filter prevent user from sync

Re: Ranger + AD: sync users from groups question

spolavarapu — Thu, 01 Jun 2017 01:36:15 GMT

@Nikita Kiselev

Just now I posted an article related to this topic. I tried to explain with some examples. Please check it out.

https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html

Re: Ranger + AD: sync users from groups question

nord_tramper — Thu, 01 Jun 2017 14:59:21 GMT

@spolavarapu thank! It is exactly my case