question Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused in Archives of Support Questions (Read Only)

Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

kamlepooja_raje — Thu, 13 Jul 2017 18:45:43 GMT

Hi, I am trying to do Ranger AD usersync (HDP version: 2.4.3 and Ambari version: 2.2.2.0) . When I try to do it manually from Ambari UI or pass the configuration through the blueprint, I get following error:

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: Connection refused (Connection refused)

Not sure, where the problem is. Ping and telnet to the AD server is also successful.

Also, LDAP cert was loaded into a trustStore using following command:

keytool -import -trustcacerts -alias myldap1 -file mycertfile.pem -keystore /etc/pki/java/cacerts

Any solution please?

Attaching usersync.log file.usersync.txt

Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

dsharma — Fri, 14 Jul 2017 13:34:53 GMT

can you please post the configuration that you gave in ranger usersync config ?

did you specify ldap/ldaps protocol and correct port while configuring usersync

Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

kamlepooja_raje — Fri, 14 Jul 2017 14:13:15 GMT

@Deepak Sharma Thanks for your reply. Following are my usersync configs:

Sync Source: LDAP/AD

LDAP/AD URL: ldaps://<server>:636

Authentication method: ACTIVE_DIRECTORY

Username Attribute: cn

User Object Class: user

User Search Filter: cn=*

User Search Scope: sub

User Group Name Attribute: memberof

Group Member Attribute: member

Group Name Attribute: cn

Group Object Class: group

Group Search Filter: cn=*

Also, these configs worked with a different Ranger that I had configured before wit the same LDAP cert file. But now I don't understand what the issue is.

Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

rbiswas1 — Sat, 15 Jul 2017 02:33:32 GMT

Hi @Pooja Kamle

Can you check and post the permissions on these two files:

/usr/hdp/current/ranger-usersync/conf/ugsync.jceks
/usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc

Also check the permissions of these two files on the other ranger that is working and verify if they are the same.

Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

spolavarapu — Sat, 15 Jul 2017 02:36:22 GMT

@Pooja Kamle

From the posted usersync logs, it looks like the communication between ranger admin and ranger usersync is failing. Do you have https enabled for ranger admin? If so, please add the ranger admin cert to usersync trust store.

Usersync contacts ranger admin (database) to update the users and groups that are sync'd from AD.

Re: Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

kamlepooja_raje — Mon, 17 Jul 2017 21:09:12 GMT

I found the issue. My Ranger admin and ranger database reside on different nodes. I was giving the database host instead of Ranger admin host in "policymgr_external_url" property. Correcting it solved the issue. Thanks for your reply.