Created on 06-07-2021 11:09 PM, edited on 06-08-2021 02:37 AM by subratadas
Following are the configurations for connecting Apache Ranger UserSync with LDAP/LDAPS. A useful tool for identifying the right values in your AD (search bases, object classes, attribute names) is AD Explorer (Windows Sysinternals | Microsoft Docs).
This configuration syncs LDAP users together with their LDAP group memberships every 12 hours, so that Ranger policies can later grant permissions to LDAP groups as well as to individual users.
When connecting over LDAPS, make sure the LDAP server's CA certificate is in a truststore on the same host that runs Ranger's UserSync service.
| Configuration Name | Configuration Value | Comment |
|---|---|---|
| ranger.usersync.source.impl.class | org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder | |
| ranger.usersync.sleeptimeinmillisbetweensynccycle | 12 hour | The property is stored in milliseconds; 12 hours is 43200000 ms if you set the raw value in the properties file |
| ranger.usersync.ldap.url | ldaps://myldapserver.example.com | ldaps or ldap depending on your LDAP security |
| ranger.usersync.ldap.binddn | myuser@example.com | |
| ranger.usersync.ldap.ldapbindpassword | mypassword | |
| ranger.usersync.ldap.searchBase | OU=hadoop,DC=example,DC=com | Browse your AD and pick the OU you want Ranger to sync |
| ranger.usersync.ldap.user.searchbase | OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com | Browse your AD and pick the OU you want Ranger to sync; you can also list two OUs separated by `;` |
| ranger.usersync.ldap.user.objectclass | user | Double-check this in your AD |
| ranger.usersync.ldap.user.searchfilter | (memberOf=CN=HADOOP_ACCESS,DC=example,DC=com) | Use this to sync only specific users into Ranger instead of your entire AD |
| ranger.usersync.ldap.user.nameattribute | sAMAccountName | Double-check this in your AD |
| ranger.usersync.ldap.user.groupnameattribute | memberOf | Double-check this in your AD |
| ranger.usersync.user.searchenabled | true | |
| ranger.usersync.group.searchbase | OU=hadoop,DC=example,DC=com | Browse your AD and pick the OU you want Ranger to sync |
| ranger.usersync.group.objectclass | group | Double-check this in your AD |
| ranger.usersync.group.searchfilter | (cn=hadoop_*) | Use this to sync only specific groups instead of all AD groups |
| ranger.usersync.group.nameattribute | cn | Double-check this in your AD |
| ranger.usersync.group.memberattributename | member | Double-check this in your AD |
| ranger.usersync.group.search.first.enabled | true | |
| ranger.usersync.truststore.file | /path/to/truststore-file | |
| ranger.usersync.truststore.password | TRUST_STORE_PASSWORD | |
Here is a helpful link on how to construct more complex LDAP search filters: Search Filter Syntax - Win32 apps | Microsoft Docs.
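To catch the usual mistakes in the table above before restarting UserSync (an ldaps URL without a truststore, a sync interval that is not in milliseconds, a malformed search base or filter), here is an added Python check that is not part of the original article or of Ranger itself; it validates the settings and renders them in the `ranger-ugsync-site.xml` property format. The values are the table's own example.com placeholders, constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed values mirroring the table above (example.com placeholders, not a real directory).
USERSYNC = {
    "ranger.usersync.source.impl.class": "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder",
    "ranger.usersync.sleeptimeinmillisbetweensynccycle": str(12 * 60 * 60 * 1000),  # 12 hours in ms
    "ranger.usersync.ldap.url": "ldaps://myldapserver.example.com",
    "ranger.usersync.ldap.binddn": "myuser@example.com",
    "ranger.usersync.ldap.ldapbindpassword": "mypassword",
    "ranger.usersync.ldap.user.searchbase": "OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com",
    "ranger.usersync.ldap.user.searchfilter": "(memberOf=CN=HADOOP_ACCESS,DC=example,DC=com)",
    "ranger.usersync.ldap.user.nameattribute": "sAMAccountName",
    "ranger.usersync.group.searchbase": "OU=hadoop,DC=example,DC=com",
    "ranger.usersync.group.searchfilter": "(cn=hadoop_*)",
    "ranger.usersync.group.memberattributename": "member",
    "ranger.usersync.truststore.file": "/path/to/truststore-file",
    "ranger.usersync.truststore.password": "TRUST_STORE_PASSWORD",
}

def check_usersync(cfg):
    """Return a list of problems found; an empty list means the settings are consistent."""
    problems = []
    url = urlparse(cfg.get("ranger.usersync.ldap.url", ""))
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("ldap.url must start with ldap:// or ldaps://")
    # LDAPS only works if UserSync can find the CA certificate that signed the server's cert
    if url.scheme == "ldaps" and not (cfg.get("ranger.usersync.truststore.file")
                                      and cfg.get("ranger.usersync.truststore.password")):
        problems.append("ldaps:// requires truststore.file and truststore.password")
    # the sync interval is a raw number of milliseconds, not "12 hour"
    sleep = cfg.get("ranger.usersync.sleeptimeinmillisbetweensynccycle", "")
    if not sleep.isdigit() or int(sleep) <= 0:
        problems.append("sleeptimeinmillisbetweensynccycle must be positive milliseconds (12 hours = 43200000)")
    # every ';'-separated search base must be a DN made of attr=value RDNs
    for key in ("ranger.usersync.ldap.user.searchbase", "ranger.usersync.group.searchbase"):
        for base in cfg.get(key, "").split(";"):
            if not all("=" in rdn for rdn in base.split(",")):
                problems.append(f"{key}: '{base}' is not a DN")
    # search filters must be parenthesised and balanced, e.g. (cn=hadoop_*)
    for key in ("ranger.usersync.ldap.user.searchfilter", "ranger.usersync.group.searchfilter"):
        flt = cfg.get(key, "")
        if flt and (not flt.startswith("(") or flt.count("(") != flt.count(")")):
            problems.append(f"{key}: unbalanced or unparenthesised filter")
    return problems

def to_site_xml(cfg):
    """Render the settings as a Hadoop-style <configuration><property> document."""
    root = ET.Element("configuration")
    for name, value in cfg.items():
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
    return ET.tostring(root, encoding="unicode")
```

Run `check_usersync(USERSYNC)` after editing the dictionary with your own values; an empty list means the properties are at least self-consistent, and `to_site_xml` gives you the XML to compare against the file UserSync actually reads.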
Disclaimer from Cloudera: This article is contributed by an external user. Steps/ Content may not be technically verified by Cloudera and may not be applicable for all use cases and specifically to a particular distribution. Follow with caution and own risk. If needed, raise a support case to get the confirmation.