question Ranger LDAP groups not working in Support Questions

Ranger LDAP groups not working

david_j_william — Fri, 10 Nov 2017 22:59:18 GMT

I have successfully setup Ranger LDAP sync. I can see all users and mapped groups in Ranger. I also have added my machines to our domain and I am able to see the group mappings from active directory by typing hdfs groups username. However, when I try to add an AD group to an HDFS folder through ranger the users in that group are still denied. Any suggestions?

Re: Ranger LDAP groups not working

spolavarapu — Sat, 11 Nov 2017 03:35:59 GMT

@David Williamson

Please take at look at the following link if this helps:

https://community.hortonworks.com/articles/145832/ranger-user-sync-issues-due-to-case-difference.html

Re: Ranger LDAP groups not working

david_j_william — Sat, 11 Nov 2017 03:48:58 GMT

Well I am not sure if that really applies to my situation. For example, I can add a user to the ranger pollicy and the ranger permissions work, but if I add a group instead it does not work.

Re: Ranger LDAP groups not working

spolavarapu — Fri, 17 Nov 2017 02:45:04 GMT

@David Williamson,

Can you check the ranger audit logs and see which policy is denying access? Also, you can enable debug logs on the hdfs and see what is the group name sent as part of the authorization request to ranger.

If you can post the output of the "hdfs groups" for the failed case and the corresponding group names for policy configuration, that will be helpful.

Thanks,

Sailaja.

Re: Ranger LDAP groups not working

david_j_william — Fri, 17 Nov 2017 22:37:52 GMT

After changing the case for the groups and reimporting everything then it synced from the hosts and now everything is working.

Re: Ranger LDAP groups not working

BGabor — Fri, 02 Oct 2020 09:59:16 GMT

Did you change only the groups to lowercase?

Re: Ranger LDAP groups not working

BGabor — Fri, 09 Oct 2020 18:45:00 GMT

It's working for me now with our AD. I had to add the group as external with @domainname.com, even if Ranger imports this without. You don't have to do anything else. The reason for this: in our environment if I executing groups [userid], I get the AD Groups in FQDN format, so you have to have it in Ranger in FQDN format too.