Thank you for telling me the URL to the Microsoft documentation, but I couldn't find this page.
I would like to tell you more information, but I don't know why our AD is like this. So sorry.
So sorry for replying late.
I understood that our environment was unusual. I'm about to write a small script.
This script will get the users and groups list from our LDAP server and make it available for Ranger to read.
Ranger will synchronize the users and groups list to the formatted list.
Did you get the solution? I am struggling a lot and am not able to search users within a group. Here are my settings. Only groups are getting fetched, but no users. If I remove the User Search Filter, I am able to fetch all users, including users from other groups.
Username Attribute = uid
User Object Class = inetOrgPerson
User Search Base = zz.com
User Search Filter = (memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)
User Search Scope = sub
User Group Name Attribute = memberof,ismemberof
Group Member Attribute = member
Group Name Attribute = cn
Group Object Class = groupOfNames
Group Search Base = zz.com
Group Search Filter = (|(cn=edl*)(cn=TEAM_EDL_Dev)
Hi @Junichi Oda,
We have the same error in the Ranger log, even when the group names are filled:
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: userX, groups: [groupX, groupY]
I have inspected the source code of ranger-0.6, which is part of HDP-126.96.36.199, our current version of the stack.
Interestingly enough, all calls to the remote server inside LdapUserGroupBuilder.addOrUpdateUser(user, groups) are wrapped in a try-catch(Exception e). There is addUser, addUserGroupInfo and delXUserGroupInfo. But we don't see that in the log. The addOrUpdateUser is wrapped with try-catch(Throwable t). Looks like it's an Error, not an Exception!
I found this RANGER-804 ticket referring to missing classes. I copied the jars into '/usr/hdp/current/ranger-usersync/lib' from another folder. The code runs, but I have a Certificate PKI error at the moment because we use LDAPS, but it looks like this might get you further.