Created 11-08-2016 02:29 PM
Hello experts
We have HDP 2.3.2 with Ranger 0.5 that is configured to sync users & groups from Active Directory. SSSD is configured in all machines.
ranger.usersync.ldap.user.searchbase & ranger.usersync.group.searchbase are configured to the relevant OUs.
Usersync does sync users and maps them to their AD groups without a problem. I'm able to grant users permissions using Ranger, but I'd rather manage groups and not users. When I search for groups in Ranger I can only see groups that have been mapped from the synced users, and not all the groups in the ranger.usersync.group.searchbase OU. Bottom line: usersync syncs only users and their own groups, but not groups that are in the ranger.usersync.group.searchbase OU.
All groups in Ranger are from source "Internal" and none "external".
I've set the following values under "Advanced ranger-ugsync-site":
ranger.usersync.ldap.user.groupnameattribute
ranger.usersync.group.nameattribute
ranger.usersync.group.searchbase
ranger.usersync.group.searchenabled = true
ranger.usersync.group.usermapsyncenabled = true
Any ideas why usersync does not sync the groups?
Regards,
Adi
Created 11-09-2016 05:15 PM
It seems that Ranger 0.5 retrieves just the groups that hold the users that it synced. Empty groups are not retrieved. In Ranger 0.6 it is fixed.
Created 11-08-2016 06:12 PM
Can you please check once the property value set in configs as per - https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.0.0/bk_Ambari_Security_Guide/content/setting_up...
Also if possible please attach ranger ugsync logs.
Created on 11-09-2016 08:25 AM - edited 08-18-2019 03:53 AM
@Sagar Shimpi Thank you for replying.
I've completed all configurations for group mapping as described in the document, and group mapping works. The problem is that usersync does not import groups from LDAP. It imports just users and creates their groups as internal. This means that groups from LDAP which have no users (new groups) are unavailable in Ranger.
I can't attach the logs because they hold names and addresses from our production environment; however, I can attach the beginning of the log file, which shows the values for usersync, and I can tell you that there are no errors in the log.
Here is the problem in screenshots:
Users from Active Directory and their respectable groups:
Groups are only "internal"
No external groups:
The beginning of the log (I did change some of the OU names for privacy reasons):
09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://<myldapserver>:389, ldapBindDn: CN=<ldapuser>,OU=<blabla>,OU=Users,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchBase: OU=<usersOU>,OU=<parentou>,OU=Organization,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchScope: 2, userObjectClass: person, userSearchFilter: objectclass=top, extendedUserSearchFilter: (&(objectclass=person)(objectclass=top)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il, groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=group)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=group)), groupMemberAttributeName: member, groupNameAttribute: distinguishedName, groupUserMapSyncEnabled: true, ldapReferral: ignore
I would expect usersync to import groups from the groups OU thanks to the following:
groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il,
Any ideas?
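As an added check for this thread (example code written here, not Ranger's own code and not from any of the posters): the script below parses a usersync "initialization completed with --" line of the format quoted above into a settings dict, so the effective group settings can be read off without eyeballing one long line, and then models the two ways groups can reach Ranger: derived only from the memberOf attribute of synced users, or enumerated with an all-groups search under groupSearchBase. The sample log line, the users and the groups are constructed placeholders (example.test, svc-ranger, alice, bob, and a group with no members); the modelled behaviour is a simplification of the sync, not Ranger's implementation.

```python
import re

# Constructed sample of a usersync initialization line, mirroring the format
# quoted in the post above; all names and DNs are placeholders.
SAMPLE_INIT_LINE = (
    "09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LdapUserGroupBuilder initialization completed with -- "
    "ldapUrl: ldap://ldap.example.test:389, "
    "ldapBindDn: CN=svc-ranger,OU=Service,DC=example,DC=test, "
    "ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, "
    "userSearchBase: OU=People,DC=example,DC=test, userSearchScope: 2, "
    "userObjectClass: person, userSearchFilter: objectclass=top, "
    "userNameAttribute: sAMAccountName, "
    "userGroupNameAttributeSet: [ismemberof, memberof], "
    "groupSearchEnabled: true, "
    "groupSearchBase: OU=Groups,DC=example,DC=test, groupSearchScope: 2, "
    "groupObjectClass: group, groupSearchFilter: , "
    "extendedGroupSearchFilter: (&(objectclass=group)(member={0})), "
    "extendedAllGroupsSearchFilter: (&(objectclass=group)), "
    "groupMemberAttributeName: member, groupNameAttribute: cn, "
    "groupUserMapSyncEnabled: true, ldapReferral: ignore"
)

# A setting name is a run of word characters followed by ": "; DN values contain
# commas and "=" but never ": ", so locating the next key keeps DNs intact.
KEY_RE = re.compile(r"(\w+): ")


def parse_init_line(line):
    """Return the 'key: value' pairs after 'initialization completed with --' as a dict."""
    _, _, tail = line.partition("initialization completed with -- ")
    matches = list(KEY_RE.finditer(tail))
    settings = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(tail)
        # strip the separating ", " (an empty value such as groupSearchFilter becomes "")
        settings[m.group(1)] = tail[m.end():end].strip().rstrip(",").strip()
    return settings


# Constructed directory contents: users with their memberOf DNs, and the group
# objects under OU=Groups, one of which has no members at all.
USERS = {
    "alice": ["CN=hadoop-admins,OU=Groups,DC=example,DC=test"],
    "bob": ["CN=analysts,OU=Groups,DC=example,DC=test"],
}
GROUPS = {
    "CN=hadoop-admins,OU=Groups,DC=example,DC=test": ["alice"],
    "CN=analysts,OU=Groups,DC=example,DC=test": ["bob"],
    "CN=new-project,OU=Groups,DC=example,DC=test": [],  # empty group
}


def group_name(dn, attribute):
    """Name the group the way the configured groupNameAttribute would (cn or full DN)."""
    if attribute.lower() == "distinguishedname":
        return dn
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_from_user_membership(users, settings):
    """Model of user-driven discovery: only groups named in a synced user's
    memberOf attribute are seen, so a group without members never appears."""
    attr = settings["groupNameAttribute"]
    return sorted({group_name(dn, attr) for dns in users.values() for dn in dns})


def groups_from_group_search(groups, settings):
    """Model of an all-groups search under groupSearchBase: every group object
    below the base is returned, whether or not it has members."""
    if settings.get("groupSearchEnabled", "false").lower() != "true":
        return []
    base = "," + settings["groupSearchBase"].lower()
    attr = settings["groupNameAttribute"]
    return sorted(group_name(dn, attr) for dn in groups if dn.lower().endswith(base))


if __name__ == "__main__":
    cfg = parse_init_line(SAMPLE_INIT_LINE)
    for key in ("groupSearchEnabled", "groupSearchBase", "groupSearchFilter",
                "extendedAllGroupsSearchFilter", "groupNameAttribute"):
        print(f"{key} = {cfg[key]!r}")
    print("from user membership:", groups_from_user_membership(USERS, cfg))
    print("from group search:   ", groups_from_group_search(GROUPS, cfg))
```

Run against your own usersync log, parse_init_line shows which group settings actually took effect, and the two model functions make the difference visible: the membership-driven list never contains the empty group, while the group-search list does, which is the gap the thread is about.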
Created 11-09-2016 07:13 PM
Yes, and I see an internal RMP filed with Hortonworks - https://hortonworks.jira.com/browse/RMP-4999 - and it is fixed in HDP 2.5.
Created 02-09-2017 09:01 AM
1. I have upgraded to HDP-2.5.3.0 with Ranger 0.6.0.2.5 1-2 months ago. I have the same issue with users=external and groups=internal, and unfortunately I don't have access to the jira.com link. Should I do anything for this to start working normally?
2. Users' "First Name", "Last Name" and "Email" + Groups' "Description" are not synced correctly - where do I change this?
3. Filters on User + Group sync don't seem to have any effect even though I have configured:
- User Config -> User Search Filter: "membersOf=CN=<GROUP>,OU=<OU1>,OU=<OU2>,DC=<DC1>,DC=<DC2>"
- Group Configs -> Group Search Filter: "CN=<PART_OF_GROUP*>"
Perhaps these are all related... otherwise just disregard question 2+3 🙂
Thanks in advance 🙂 !