Created on 12-14-2015 06:06 AM - edited 08-19-2019 05:38 AM
I'm trying to sync users and groups from LDAP into Ranger using Ranger Usersync.
How do I associate the groupname in the group info and the gid in the user and the group info?
In my LDAP server, the user info has the gid, but does not have the groupname.
I tried LDAP Usersync, but I can't get group names. The Ranger UI only displayed the gid.
I also tried after setting ranger.usersync.group.searchenabled to true, but I still could not get group names.
The usersync.log showed the following logs:
INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1, groupList: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2, groupList: []
...
INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user1, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user1, groups: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user2, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user2, groups: []
The usersync settings were as follows:
ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchfilter = (space)
ranger.usersync.ldap.user.searchbase = ou=account,dc=TEST
ranger.usersync.ldap.user.objectclass = user
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = group
ranger.usersync.group.searchbase = ou=group,dc=TEST
ranger.usersync.group.searchenabled = true
ranger.usersync.group.searchfilter = (space)
ranger.usersync.group.searchscope = (space)
ranger.usersync.ldap.searchBase = dc=TEST
ranger.usersync.ldap.user.groupnameattribute = gidNumber
ranger.usersync.ldap.user.nameattribute = uid
The user and group entries are as follows:
・User
dn: uid=user1,ou=user,dc=TEST
uid: user1
objectClass: user
uidNumber: 10
gidNumber: 50100
cn: user1
・Group
dn: cn=group1,ou=group,dc=TEST
cn: group1
objectClass: group
gidNumber: 50100
member: user1
Please let me know what I should check.
Version:
HDP 2.3.0.0
Ranger 0.5.0.2.3
My English is not good, so I apologize if I say something strange.
Thanks.
Created 12-14-2015 06:39 AM
Please refer to the Ranger user sync doc; some of the properties may not have been set as recommended by the doc:
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...
Can you try changing the below property:
ranger.usersync.ldap.user.groupnameattribute
...to the below value instead? Then restart the Ranger components via Ambari (while tailing the same log file) and check the Ranger UI again.
memberof, ismemberof
Created 12-14-2015 07:03 AM
Thank you for your reply and for pointing me to the document.
I tried setting "ranger.usersync.ldap.user.groupnameattribute" to "memberof, ismemberof" and restarted Ranger.
However, this did not resolve the problem, and the logs showed the same content.
I will check the settings again.
Created 12-14-2015 07:14 AM
Just to confirm: was the Ranger Usersync component restarted? Also, which LDAP are you using? (e.g. AD, IPA, OpenLDAP, etc.)
Created 12-14-2015 08:06 AM
After restarting Ranger Usersync, I got the below logs.
LdapUserGroupBuilder initialization completed with - ldapAuthenticationMechanism: simple, searchBase: dc=TEST, userSearchBase: ou=user,dc=TEST, userSearchFilter: , extendedUserSearchFilter: (objectclass=user), userNameAttribute: uid, userSearchAttributes: [uid, memberof, ismemberof], userGroupNameAttributeSet: [memberof, ismemberof], groupSearchEnabled: true, groupSearchBase: ou=group,dc=TEST, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=group)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=group)), groupMemberAttributeName: member, groupNameAttribute: cn,
The LDAP type I am using is AD.
Created 12-14-2015 08:15 AM
Other than the doc link above, you can check these sample configs we used to get Ranger user sync working with AD on HDP 2.3.
Created 12-14-2015 10:09 AM
Thank you for pointing me to the other document.
I tried changing some settings, but I have not solved it yet.
Created 12-15-2015 05:40 AM
I looked at the source code of Ranger Usersync.
In the getUserGroups method of the LdapUserGroupBuilder class:
groupSearchResultEnum = ldapContext.search(groupSearchBase, extendedGroupSearchFilter, new Object[]{userInfo.getUserFullName()}, groupSearchControls);
userInfo.getUserFullName() returns "uid=user1,ou=user,dc=TEST".
I suspect this is too long, and that the userInfo.getUserName() method is more appropriate.
Created 12-15-2015 06:19 AM
+ @sneethiraj to comment.
In our usage, Ranger user sync with AD has worked fine with the above configuration.
Created 12-15-2015 04:31 PM
Hi @Junichi Oda,
In most deployments in general, the group's member attribute contains the distinguished name (or DN, which is the full name) of the user (as mentioned in the Microsoft documentation https://msdn.microsoft.com/en-us/library/windows/d....
Hence we specifically used the full name of the user in the group search filter. But it looks like in your case the member attribute doesn't contain the DN of the user.
Just curious, how come there is no "memberof" attribute for the user? In most AD deployments, the "memberof" attribute of the user and the "member" attribute of the group are two-way links, and AD automatically updates the other if one is modified. Which version of AD are you using?
Maybe we can make this a configurable parameter?
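The mismatch discussed in the two posts above (the group search filter being evaluated with the user's full DN while the directory's member attribute holds only the uid) can be reproduced offline. The following is an added example, not code from the thread or from the Ranger project: it parses the user and group entries posted in the question as constructed LDIF, adds a second, constructed group (group2) whose member attribute holds the user's DN the way AD normally stores it, and evaluates the extendedGroupSearchFilter shown in the usersync log, (&(objectclass=group)(member={0})), once with the value userInfo.getUserFullName() would supply and once with the value userInfo.getUserName() would supply. The filter evaluator is a minimal stand-in for the LDAP server and compares values case-insensitively, which is an assumption that is adequate for this data but not a full implementation of DN matching rules.

```python
"""Reproduce Ranger Usersync's empty-group result for a 'member: uid' directory.

Added example (not Ranger code). Entries below are constructed from the thread;
group2 is an extra, constructed AD-style group whose member holds the user's DN.
"""
from typing import Dict, List, Tuple

SAMPLE_LDIF = """\
dn: uid=user1,ou=user,dc=TEST
uid: user1
objectClass: user
uidNumber: 10
gidNumber: 50100
cn: user1

dn: cn=group1,ou=group,dc=TEST
cn: group1
objectClass: group
gidNumber: 50100
member: user1

dn: cn=group2,ou=group,dc=TEST
cn: group2
objectClass: group
member: uid=user1,ou=user,dc=TEST
"""

# Filter exactly as printed in the usersync.log line in the thread; {0} is the
# positional argument Ranger passes to ldapContext.search().
GROUP_SEARCH_FILTER = "(&(objectclass=group)(member={0}))"

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse simple 'attr: value' LDIF into entries; attribute names lowercased."""
    entries: List[Entry] = []
    entry: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Recursive-descent parser for RFC 4515 filters restricted to &, |, ! and equality."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)                  # equality leaf; DN values carry no ')'
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(entry: Entry, node: tuple) -> bool:
    """Evaluate a parsed filter; values compared case-insensitively (assumption)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def groups_for(entries: List[Entry], member_value: str) -> List[str]:
    """Group names whose entries match the Ranger filter with {0} = member_value."""
    node, _ = parse_filter(GROUP_SEARCH_FILTER.replace("{0}", member_value))
    return sorted(e["cn"][0] for e in entries if matches(e, node))


def demo() -> Dict[str, List[str]]:
    """Run the search the way Ranger does (full DN) and the way the poster proposes (uid)."""
    entries = parse_ldif(SAMPLE_LDIF)
    user = next(e for e in entries if "uid" in e)
    full_name = user["dn"][0]    # value of userInfo.getUserFullName()
    short_name = user["uid"][0]  # value of userInfo.getUserName()
    return {"by_dn": groups_for(entries, full_name),
            "by_uid": groups_for(entries, short_name)}


if __name__ == "__main__":
    for how, groups in demo().items():
        print(how, groups)
```

Searching with the DN finds only group2, the AD-style entry, and searching with the uid finds only group1, the poster's entry; neither parameter finds both. This is why the fix cannot be a blanket switch to getUserName(): the value substituted for {0} has to match whatever form the directory stores in the member attribute, which is the configurable parameter the last reply proposes.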