https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180405#M67735 <P>Thanks! didn't see that issue, awesome that it's already fixed in 0.7.2</P> Mon, 11 Sep 2017 12:45:19 GMT thorsten_krause 2017-09-11T12:45:19Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180402#M67732 <P>Hello, </P><P>I'm currently stuck on trying to configure ranger-usersync properly with our Active Directory.</P><P>Platform: HDP 2.6.1.0 on RHEL 7 with Ambari 2.5.1.0</P><P>I followed this article:</P><P><A href="https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html" target="_blank">https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html</A></P><P>I want to use "Group based search".</P><P>The sync works fine when “Enable User Search” is set to “false”.</P><P>Problem is that the outcome is the CN of the user, which equals "[first name] [last name] [someID]".</P><P>This in turn cannot be mapped by HDFS to Kerberos tickets, which equal [someID]@EXAMPLE.DOMAIN.COM.</P><P>Therefore I want to enable "User Search" with this configuration:</P><PRE>ranger.usersync.ldap.user.nameattribute = sAMAccountName ranger.usersync.ldap.user.objectclass = person ranger.usersync.ldap.searchbase = DC=EXAMPLE,DC=DOMAIN,DC=COM ranger.usersync.ldap.searchfilter = sAMAccountName=* ranger.usersync.ldap.searchscope = sub ranger.usersync.ldap.user.groupnameattribute = memberof,ismemberof ranger.usersync.group.usermapsyncenabled = true ranger.usersync.user.searchenabled = true</PRE><P>Configuration for groups is the same as mentioned in the article.</P><P>--&gt; Goal is to fetch the groups using Attribute cn and fetch all members of those groups as received per the attribute "member". And to create the users from this, bu create them using the attribute "sAMAccountName" of the user.</P><P>Hope somebody can help me, thanks!</P> Thu, 07 Sep 2017 20:58:23 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180402#M67732 thorsten_krause 2017-09-07T20:58:23Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180403#M67733 <P>Seem like I found the basic problem: </P><P style="margin-left: 20px;">when I disable "incremental sync", the users are created correctly.</P><P>Is this desired behaviour or a bug? </P> Thu, 07 Sep 2017 20:58:24 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180403#M67733 thorsten_krause 2017-09-07T20:58:24Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180404#M67734 <A rel="user" href="https://community.cloudera.com/users/41161/thorstenkrause.html" nodeid="41161">@Th Kr</A><P>This issue has been fixed recently (https://issues.apache.org/jira/browse/RANGER-1632).</P> Sat, 09 Sep 2017 06:32:47 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180404#M67734 spolavarapu 2017-09-09T06:32:47Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180405#M67735 <P>Thanks! didn't see that issue, awesome that it's already fixed in 0.7.2</P> Mon, 11 Sep 2017 12:45:19 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-users-from-ad-group-not-synced-with-sAMAccountName/m-p/180405#M67735 thorsten_krause 2017-09-11T12:45:19Z