question Re: Ranger usersync don't sync ldap groups with memberUid in Archives of Support Questions (Read Only)

Ranger usersync don't sync ldap groups with memberUid

blanca_sanz — Thu, 28 Apr 2016 13:31:23 GMT

Hello,

First of all, sorry for my english. When I try to sync ldap with memberUid, only sync users but don't sync groups. This is the part in the log with groups part:

 groupSearchEnabled: true,  groupSearchBase: ou=Samba,dc=example,dc=es,  groupSearchScope: 2,  groupObjectClass: posixGroup,  groupSearchFilter: cn=*,  extendedGroupSearchFilter: (&(objectclass=posixGroup)(cn=*)(memberUid={0})),  extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(cn=*)),  groupMemberAttributeName: memberUid,  groupNameAttribute: cn,  groupUserMapSyncEnabled: false,  ldapReferral: ignore

The problem is that in my LDAP this is the search for groups:

slapd[8101]: conn=1034 op=6 SRCH base="ou=Samba,dc=example,dc=es" scope=2 deref=3 filter="(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))"

Allways append memberUid=uid=user.user,ou=Users,dc=example,dc=es

But we need memberUid=user.user

The following search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))'

Doesn't bring any result. I need this correct search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=user.user))'

Other thing: with the script run.sh in the ldaptool the groups are sync correctly.

Please, help!!

Thanks

Re: Ranger usersync don't sync ldap groups with memberUid

aromero — Thu, 28 Apr 2016 16:42:54 GMT

@Blanca Sanz As a workaround, if the groups you want to sync are associated to the users through the memberOf or ismemberof properties, then you can just disable Group Sync (set Enable Group Sync to No). That will make groups to be sync'd based on the User Search Filter through the memberof property. For example:

User Search Filter:

(|(memberOf=CN=Group1,OU=Users,DC=example,DC=es)(memberOf=CN=Group2,OU=Users,DC=example,DC=es))

User Group Name Attribute:

memberOf

That will sync those groups with Ranger and all associated users that are members of those groups.

Re: Ranger usersync don't sync ldap groups with memberUid

blanca_sanz — Thu, 28 Apr 2016 17:47:27 GMT

Thanks for the answer, but I am using memberUid because I don't have the memberOf properties in my LDAP. It is for that reason that I'm trying to use memberUid.

Re: Ranger usersync don't sync ldap groups with memberUid

spolavarapu — Fri, 29 Apr 2016 00:32:28 GMT

@Blanca Sanz

Currently ranger usersync support group sync based on the user's full name. Searching LDAP groups based on user's short name (which is usually the case with memberuid attribute value) is going to be supported in upcoming releases. The corresponding apache Jira can be found at https://issues.apache.org/jira/browse/RANGER-893.

Meanwhile the work around is to use File based Sync source.

Re: Ranger usersync don't sync ldap groups with memberUid

blanca_sanz — Fri, 29 Apr 2016 14:21:09 GMT

@spolavarapu Thanks for your answer, that is exactly what I was looking for. So I wait for the next release, it will be soon?

Meanwhile, I would try to use File based Sync.