Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How does the gid associate the groupname in the group info in Ranger Usersync with LDAP?

avatar
Rising Star

I'm trying to sync users and groups from LDAP into Ranger using Ranger Usersync.

How do I associate the groupname in the group info and the gid in the user and the group info?

In my LDAP server, the user info has the gid, but does not have the groupname.

I tried LDAP Usersync, but I can't get groupnames. Ranger UI only displaied the gid.

796-スクリーンショット-2015-12-14-141150.png

I had tried after setting ranger.usersync.group.searchenabled to true, but I could not get groupnames again.

The usersync.log showed the folloing logs:

INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1, groupList: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2, groupList: []
・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・

INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user1, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user1, groups: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user2, groups: []ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user2, groups: []

Settings of usersync was as follows :

ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchfilter = (space)
ranger.usersync.ldap.user.searchbase = ou=account,dc=TEST
ranger.usersync.ldap.user.objectclass = user
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = group
ranger.usersync.group.searchbase = ou=group,dc=TEST
ranger.usersync.group.searchenabled = true
ranger.usersync.group.searchfilter = (space)
ranger.usersync.group.searchscope = (space)
ranger.usersync.ldap.searchBase = dc=TEST
ranger.usersync.ldap.user.groupnameattribute = gidNumber
ranger.usersync.ldap.user.nameattribute = uid

The user and group setting is as follows:

・User

dn: uid=user1,ou=user,dc=TEST
uid: user1
objectClass: user
uidNumber: 10
gidNumber: 50100
cn: user1

・Group

dn: cn=group1,ou=group,dc=TEST
cn: group1
objectClass: group
gidNumber: 50100
member: user1

Please let me know what I should check.

Version

HDP 2.3.0.0
Ranger 0.5.0.2.3

I have bad English, so I apologize if I say something strange.

Thanks.

1 ACCEPTED SOLUTION

avatar

Please refer to the Ranger user sync doc...some of the properties may not have been set as recommended by the doc:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...

Can you try changing the below property:

ranger.usersync.ldap.user.groupnameattribute

..to the below value instead? Then restart Ranger components via Ambari (while tailing the same log file) and check Ranger UI again?

memberof, ismemberof

View solution in original post

14 REPLIES 14

avatar

Please refer to the Ranger user sync doc...some of the properties may not have been set as recommended by the doc:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...

Can you try changing the below property:

ranger.usersync.ldap.user.groupnameattribute

..to the below value instead? Then restart Ranger components via Ambari (while tailing the same log file) and check Ranger UI again?

memberof, ismemberof

avatar
Rising Star

Thank you for your reply and telling me the document.

I tried setting "memberof, ismemberof" to "ranger.usersync.ldap.user.groupnameattribute" and restarted Ranger.

However, I could not resolve this problem and the logs showed the same content.

I will make sure the settings again.

avatar

Just to confirm: the Ranger Usersync component was restarted? Also what LDAP are you using? (e.g. is it AD or IPA or OpenLDAP etc)

avatar
Rising Star

@Ali Bajwa

After restarting Ranger Usersync, I got the below logs.

LdapUserGroupBuilder initialization completed with -
ldapAuthenticationMechanism: simple,
searchBase: dc=TEST,
userSearchBase: ou=user,dc=TEST,
userSearchFilter: ,
extendedUserSearchFilter: (objectclass=user),
userNameAttribute: uid,
userSearchAttributes: [uid, memberof, ismemberof],
userGroupNameAttributeSet: [memberof, ismemberof],
groupSearchEnabled: true,
groupSearchBase: ou=group,dc=TEST,
groupSearchFilter: ,
extendedGroupSearchFilter: (&(objectclass=group)(member={0})),
extendedAllGroupsSearchFilter: (&(objectclass=group)),
groupMemberAttributeName: member,
groupNameAttribute: cn, 

Using LDAP type is AD.

avatar

Other than the doc link above, you can check these sample configs we used to get Ranger user sync working with AD on HDP 2.3

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Kerberos-ActiveDirectory.MD#ranger...

avatar
Rising Star

Thank you for telling me the other document.

I had tried changing some settings, but I have not solubed yet.

avatar
Rising Star

I tried looking up the source code for Ranger Usersync.

getUserGroups method in LdapUserGroupBuilder class.

groupSearchResultEnum = ldapContext.search(
				groupSearchBase,
				extendedGroupSearchFilter,
				new Object[]{userInfo.getUserFullName()},
				groupSearchControls);

userInfo.getUserFullName() returns "uid=user1,ou=user,dc=TEST".

I suspect this is too long and userInfo.getUserName() method is more appropriate.

avatar

+ @sneethiraj to comment.

In our usage, ranger user sync with AD has worked fine with the above configuration

avatar
Expert Contributor

Hi @Junichi Oda,

In most of the deployments in general, the group's member attribute contains the distinguished name (or dn which is the full name) of the user (as mentioned in the Microsoft documentation https://msdn.microsoft.com/en-us/library/windows/d....

Hence we specifically used the full name of the user in the group search filter. But looks like in your case, the member attribute doesn't contain the dn of the user.

Just curious, how come there is no "memberof" attribute for the user? In most of the AD deployments, "memberof" attribute of user and "member" attribute of group are two way links and AD automatically updates the other if one is modified. Which version of AD are you using?

May be we can make this a configurable parameter?