Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Apache Ranger LDAP / LDAPS configuration

avatar
author-rank tarekabouzeid91
Expert Contributor

Created on ‎06-07-2021 11:09 PM - edited on ‎06-08-2021 02:37 AM by Moderator

Following are the configurations for connecting Apache Ranger with LDAP/LDAPS. There's an important tool that will help identify some settings in your AD AD Explorer - Windows Sysinternals | Microsoft Docs.

This configuration will sync LDAP users and link them with their LDAP groups every 12 hours, so later from Apache Ranger, you can give permission based on LDAP groups as well.

For connecting using LDAPS, ensure you have the proper certificates added in the same server that contains the Ranger's UserSync service.

Configuration Name Configuration Value Comment
ranger.usersync.source.impl.class org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder  
ranger.usersync.sleeptimeinmillisbetweensynccycle 12 hour  
ranger.usersync.ldap.url ldaps://myldapserver.example.com ldaps or ldap based on your LDAP security
ranger.usersync.ldap.binddn myuser@example.com  
ranger.usersync.ldap.ldapbindpassword mypassword  
ranger.usersync.ldap.searchBase OU=hadoop,DC=example,DC=com You can browse your AD and check which OU you want to make Ranger sync
ranger.usersync.ldap.user.searchbase OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com You can browse your AD and check which OU you want to make Ranger sync, you can also add 2 OU and separate them with ;
ranger.usersync.ldap.user.objectclass user double-check the same 
ranger.usersync.ldap.user.searchfilter (memberOf=CN=HADOOP_ACCESS,DC=example,DC=com) if you want to filter specific users to be synced in Ranger and not your entire AD
ranger.usersync.ldap.user.nameattribute sAMAccountName double-check the same
ranger.usersync.ldap.user.groupnameattribute memberOf double check the same
ranger.usersync.user.searchenabled true  
ranger.usersync.group.searchbase OU=hadoop,DC=example,DC=com You can browse your AD and check which OU you want to make Ranger sync
ranger.usersync.group.objectclass group double-check the same
ranger.usersync.group.searchfilter (cn=hadoop_*) if you want to sync specific groups not all AD groups
ranger.usersync.group.nameattribute cn double-check the same
ranger.usersync.group.memberattributename member double-check the same
ranger.usersync.group.search.first.enabled true  
ranger.usersync.truststore.file /path/to/truststore-file  
ranger.usersync.truststore.password
 TRUST_STORE_PASSWORD  

 

Here is a helpful link on how to construct complex LDAP search queries. Search Filter Syntax - Win32 apps | Microsoft Docs

 

Disclaimer from Cloudera: This article is contributed by an external user. Steps/ Content may not be technically verified by Cloudera and may not be applicable for all use cases and specifically to a particular distribution. Follow with caution and own risk. If needed, raise a support case to get the confirmation.

1,552 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎06-08-2021 02:37 AM
Updated by:
Moderator