
Error while configuring AD usersync on HDP 2.4.3

Expert Contributor

I keep encountering errors with usersync config on HDP 2.4.3. I am trying to sync users with AD and be able to log into Ranger Admin with the AD details.

25 Aug 2017 09:41:59 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
        at java.lang.Thread.run(Thread.java:745)

Attachment: xa-portal.txt

1 ACCEPTED SOLUTION

Expert Contributor

With HDP 2.6.0, I was able to configure Ranger with AD. I only needed to create the amb_ranger_admin user that was missing in the Ranger UI.


9 REPLIES

Master Mentor

@Joshua Adeleke

You have a configuration issue: your search filter is not correct, hence it is throwing

[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com']

Can you align your setup with the attached official document?

Can you paste your AD configuration here, and maybe the steps you went through?

Expert Contributor

@Geoffrey Shelton Okot Thank you. I have aligned my setup with the attached document, but I still get the errors below from usersync.log and xa_portal.log. I'm thinking the change I made to the usersync user could be an issue, but I made sure the rangerusersync user in Ranger Admin has the same password as the one I configured using the updatepasswordpolicy.py script. Not sure what else the issue is. Running a curl command on "GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0" worked. I also tested my AD bind user elsewhere and it works fine.

31 Aug 2017 07:22:17 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
        at java.lang.Thread.run(Thread.java:745)
==========================================================================================
2017-08-31 09:18:15,219 [http-bio-6080-exec-5] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:412) - AD Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
        at org.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405)

....

Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:220)
        ... 37 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:345)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:179)
        ... 35 more

Expert Contributor
ranger.ldap.ad.domain=DC=domain,DC=config,DC=com
ranger.ldap.ad.url=ldap://domain.config.com:389
ranger.ldap.ad.base.dn=DC=domain,DC=config,DC=com
ranger.ldap.ad.bind.dn=DOMAIN\binduser
ranger.ldap.ad.bind.password=XXXX
ranger.ldap.ad.referral=follow
ranger.ldap.group.searchbase=DC=domain,DC=config,DC=com
ranger.ldap.group.searchfilter=(member=cn={0},ou=Users,DC=domain,DC=config,DC=com)
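The two stack traces in this thread carry two different failures: the 401 that usersync receives from Ranger Admin (its REST credentials are rejected), and the AD bind error "49 ... data 52e" in xa_portal.log (AD rejected the bind DN/password pair). The following script is an added example written for this thread; it is not Ranger code and not from any poster. It pulls those codes out of log lines and translates them using the RFC 4511 LDAP result codes and the standard Active Directory AcceptSecurityContext sub-codes. The sample lines are copied from the excerpts posted above.

```python
"""Decode the LDAP and HTTP failures that Ranger usersync / xa_portal logs report.

Added example for this thread (not Ranger's own code). Mappings are the RFC 4511
LDAP result codes and the Active Directory AcceptSecurityContext 'data' sub-codes.
"""
import re

# RFC 4511 result codes that appear in this thread
LDAP_RESULT_CODES = {
    4: "sizeLimitExceeded: the search returned more entries than a server/client "
       "limit allows; narrow the search base or filter, or use paged results",
    49: "invalidCredentials: the server rejected the bind DN/password pair",
}

# AD AcceptSecurityContext sub-codes, reported as 'data NNN' after error 49
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN in a form AD does not accept)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# HTTP statuses usersync gets back from Ranger Admin's /service/xusers REST API
HTTP_STATUS = {
    401: "Unauthorized: Ranger Admin rejected the usersync user's HTTP Basic credentials "
         "(ranger.usersync.policymgr.username/password must match the user stored in Ranger Admin)",
}

_HTTP_RE = re.compile(r"returned a response status of (\d{3})")
_LDAP_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
_SUBCODE_RE = re.compile(r"\bdata ([0-9a-fA-F]{3})\b")


def decode_line(line):
    """Return a dict describing the failure in one log line, or None if it carries none."""
    m = _HTTP_RE.search(line)
    if m:
        status = int(m.group(1))
        return {"kind": "http", "status": status,
                "meaning": HTTP_STATUS.get(status, "HTTP status %d" % status)}
    m = _LDAP_RE.search(line)
    if m:
        code, detail = int(m.group(1)), m.group(2)
        result = {"kind": "ldap", "code": code,
                  "meaning": LDAP_RESULT_CODES.get(code, "LDAP result code %d" % code)}
        sub = _SUBCODE_RE.search(detail)
        if code == 49 and sub:
            # Only AD attaches the 'data NNN' sub-code to invalidCredentials
            result["subcode"] = sub.group(1).lower()
            result["meaning"] += "; AD data %s = %s" % (
                result["subcode"],
                AD_BIND_SUBCODES.get(result["subcode"], "unknown sub-code"))
        return result
    return None


def decode_log(text):
    """Decode every line of a log excerpt, skipping lines with nothing to decode."""
    found = []
    for line in text.splitlines():
        decoded = decode_line(line)
        if decoded:
            found.append(decoded)
    return found


# Sample lines copied from the log excerpts posted in this thread
SAMPLE_LOG = """\
25 Aug 2017 09:41:59 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink.
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com']
"""

if __name__ == "__main__":
    for hit in decode_log(SAMPLE_LOG):
        print(hit)
```

Run it against a pasted usersync.log or xa_portal.log excerpt; a "data 52e" hit means the problem is the credentials or DN form that Ranger Admin sends to AD, while a 401 means usersync is being refused by Ranger Admin before it ever talks to AD, so the two have to be fixed separately.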

Master Mentor

@Joshua Adeleke

This is what it means: "The 401 Unauthorized error is an HTTP status code that means the page you were trying to access cannot be loaded until you first log in with a valid user ID."

How to Fix the 401 Unauthorized Error

  1. Check for errors in the URL. It's possible that the 401 Unauthorized error appeared because the URL was typed incorrectly or the link that was clicked on points to the wrong URL, one that is for authorized users only.
  2. If you're sure the URL is valid, visit the website's main page and look for a link that says Login or Secure Access. Enter your credentials here and then try the page again. If you don't have credentials, follow the instructions provided on the website for setting up an account.
  3. If you're sure the page you're trying to reach shouldn't need authorization, the 401 Unauthorized error message may be a mistake. At that point, it's probably best to contact the webmaster or other website contact and inform them of the problem.

     Tip: The webmaster of some websites can be reached via email at webmaster@website.com, replacing website.com with the actual website name.
  4. The 401 Unauthorized error can also appear immediately after login, which is an indication that the website received your username and password but found something about them to be invalid (e.g. your password is incorrect). Follow whatever process is in place at the website to regain access to their system.

Expert Contributor
@Geoffrey Shelton Okot

I'm sure the URL error is not an authorization issue or a syntax error. I will look more at the group and user filters, as an HWX document suggests it might be some settings.

Expert Contributor
@spolavarapu

I'm getting the error above when I configure usersync...

Master Mentor

@Joshua Adeleke

Are the ranger.ldap.ad.* entries you entered correct, i.e. not the examples from the documentation?

Did you already run ambari-server sync-ldap to see if your users are captured in the process?

Could you add these values to your parameters?

Group User Map Sync: Yes
Username Attribute: sAMAccountName
User Search Base: valid entries
User Search Filter: ?
User Search Scope: ?
User Group Name Attribute:
Enable User Search: Yes

Let me know
