https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117534#M42913 <P><A rel="user" href="https://community.cloudera.com/users/13562/houssammanik.html" nodeid="13562">@Houssam Manik</A> this is configurable within the Ranger User Sync configuration. In particular, the User Configs tab contains the User Group Name Attribute setting (which defaults to memberof,ismemberof) and the Group Configs tab contains the Group Filter settings (which defaults to uniqueMember={0}, where the substituted parameter is the full distinguished name of the user).</P><P>Please see <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user_sync_ldap_ad.html">this doc</A>. The LDAP Connection Check Tool is helpful when configuring LDAP properties for Ranger User Sync.</P> Thu, 06 Oct 2016 22:43:44 GMT slachterman 2016-10-06T22:43:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117533#M42912 <P>Hello</P><P>What criteria Ranger usses to look up for user in LDAP? </P><P>Which attribute (memberof, uniquemember) ?</P> Thu, 06 Oct 2016 18:04:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117533#M42912 houssam_manik 2016-10-06T18:04:59Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117534#M42913 <P><A rel="user" href="https://community.cloudera.com/users/13562/houssammanik.html" nodeid="13562">@Houssam Manik</A> this is configurable within the Ranger User Sync configuration. In particular, the User Configs tab contains the User Group Name Attribute setting (which defaults to memberof,ismemberof) and the Group Configs tab contains the Group Filter settings (which defaults to uniqueMember={0}, where the substituted parameter is the full distinguished name of the user).</P><P>Please see <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user_sync_ldap_ad.html">this doc</A>. The LDAP Connection Check Tool is helpful when configuring LDAP properties for Ranger User Sync.</P> Thu, 06 Oct 2016 22:43:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117534#M42913 slachterman 2016-10-06T22:43:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117535#M42914 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/11295/slachterman.html" nodeid="11295">@slachterman</A> </P><P>So by default we use memberof,ismemberof to get the user group. Can we set it to other value such as uniquemember ?</P> Fri, 07 Oct 2016 03:37:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117535#M42914 houssam_manik 2016-10-07T03:37:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117536#M42915 <P>Yes, <A rel="user" href="https://community.cloudera.com/users/13562/houssammanik.html" nodeid="13562">@Houssam Manik</A> the values are configurable in the Ambari UI. Please accept this answer if it helps to address this question for you.</P> Fri, 07 Oct 2016 03:52:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117536#M42915 slachterman 2016-10-07T03:52:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117537#M42916 <P><A rel="user" href="https://community.cloudera.com/users/13562/houssammanik.html" nodeid="13562">@Houssam Manik</A></P><P>As <A rel="user" href="https://community.cloudera.com/users/11295/slachterman.html" nodeid="11295">@slachterman</A> says, the LDAP attributes that map to a user's username, group membership, etc., are configurable. The reason for this is because an administrator can modify the directory schema, or the schema may have evolved over time. For Active Directory 2012, the default values you'll want to user are:</P><PRE>User Object Type: person Username Attribute: sAMAccountName Use Group Name Attribute: sAMAccountName Group Member Attribute: member Group Name Attribute: sAMAccountName Group Object Class: group</PRE><P>For FreeIPA, these change to:</P><PRE>User Object Class: posixaccount Username Attribute: uid Use Group Name Attribute: memberOf Group Member Attribute: member Group Name Attribute: cn Group Object Class: posixgroup</PRE><P>The base of the directory where Ranger starts to look for users and groups are specified by the User Search Base and Group Search Base parameters. For AD, you'd want to use something like:</P><PRE>User Search Base: CN=Users,DC=example,DC=com Group Search Gase: CN=Groups,DC=example,DC=com</PRE><P>And for FreeIPA, something similar to:</P><PRE>User Search Base: cn=users,cn=accounts,dc=example,dc=com Group Search Gase: cn=groups,cn=accounts,dc=example,dc=com</PRE><P>You can also specify search filters with syntax similar to:</P><PRE>(|(memberOf=hadoop-admins)(memberOf=hadoop-users))</PRE><P>Here is a guide to <A href="https://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html">LDAP Search Filters</A> for more information.</P> Sat, 08 Oct 2016 10:17:28 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Rangersync-with-LDAP-user-lookup-criteria/m-p/117537#M42916 emaxwell 2016-10-08T10:17:28Z