How does the gid associate the groupname in the group info in Ranger Usersync with LDAP?

Rising Star

I'm trying to sync users and groups from LDAP into Ranger using Ranger Usersync.

How do I associate the groupname in the group info and the gid in the user and the group info?

In my LDAP server, the user info has the gid, but does not have the groupname.

I tried LDAP Usersync, but I can't get groupnames. Ranger UI only displayed the gid.


I had tried after setting ranger.usersync.group.searchenabled to true, but I could not get groupnames again.

The usersync.log showed the following logs:

INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1, groupList: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2, groupList: []
・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・

INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user1, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user1, groups: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user2, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user2, groups: []

The usersync settings were as follows:

ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchfilter = (space)
ranger.usersync.ldap.user.searchbase = ou=account,dc=TEST
ranger.usersync.ldap.user.objectclass = user
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = group
ranger.usersync.group.searchbase = ou=group,dc=TEST
ranger.usersync.group.searchenabled = true
ranger.usersync.group.searchfilter = (space)
ranger.usersync.group.searchscope = (space)
ranger.usersync.ldap.searchBase = dc=TEST
ranger.usersync.ldap.user.groupnameattribute = gidNumber
ranger.usersync.ldap.user.nameattribute = uid

The user and group setting is as follows:

・User

dn: uid=user1,ou=user,dc=TEST
uid: user1
objectClass: user
uidNumber: 10
gidNumber: 50100
cn: user1

・Group

dn: cn=group1,ou=group,dc=TEST
cn: group1
objectClass: group
gidNumber: 50100
member: user1

Please let me know what I should check.

Version

HDP 2.3.0.0
Ranger 0.5.0.2.3

I have bad English, so I apologize if I say something strange.

Thanks.

1 ACCEPTED SOLUTION


Please refer to the Ranger user sync doc...some of the properties may not have been set as recommended by the doc:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...

Can you try changing the below property:

ranger.usersync.ldap.user.groupnameattribute

..to the below value instead? Then restart Ranger components via Ambari (while tailing the same log file) and check Ranger UI again?

memberof, ismemberof


14 REPLIES

Rising Star

Thank you for telling me the url to the Microsoft documentation, but I couldn't find this page.


I would like to tell you more information, but I don't know why our AD is like this. So sorry.

Master Mentor

@Junichi Oda has this been resolved? Please accept best answer or provide your own solution.

Rising Star

@Artem Ervits

So sorry for replying late.

I understood that our environment was unusual. I'm about to write a small script.

This script will get the list of users and groups from our LDAP server and make it available for Ranger to read.

Ranger will synchronize the users and groups list to the formatted list.
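
The join described in this thread (a user's gidNumber matched to a group's cn, plus the group's member list), as an added example that is not part of the original posts and is not Ranger code. The sample entries, function names and output shape are assumptions; the result would still need converting to whatever format the Ranger sync source reads.

```python
# Constructed sample: entries shaped like the question's user and group (dn lines omitted).
SAMPLE = """\
uid: user1
objectClass: user
gidNumber: 50100

uid: user2
objectClass: user
gidNumber: 50999

cn: group1
objectClass: group
gidNumber: 50100
member: user1

cn: admins
objectClass: group
gidNumber: 50200
member: user1
"""

def parse_entries(text):
    """Split blank-line-separated 'attr: value' records into dicts of value lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def resolve_groups(entries):
    """Return ({uid: [group names]}, {uid: gid with no matching group entry})."""
    users = [e for e in entries if "user" in e.get("objectclass", [])]
    groups = [e for e in entries if "group" in e.get("objectclass", [])]
    gid_to_name = {e["gidnumber"][0]: e["cn"][0] for e in groups if "gidnumber" in e}
    resolved, unresolved = {}, {}
    for u in users:
        uid, gid = u["uid"][0], u.get("gidnumber", [None])[0]
        names = {g["cn"][0] for g in groups if uid in g.get("member", [])}  # secondary groups
        if gid in gid_to_name:
            names.add(gid_to_name[gid])      # primary group: join on gidNumber
        elif gid is not None:
            unresolved[uid] = gid            # report it; never emit the bare number as a name
        resolved[uid] = sorted(names)
    return resolved, unresolved

if __name__ == "__main__":
    print(resolve_groups(parse_entries(SAMPLE)))
```

A user whose gidNumber matches no group entry is reported separately instead of being synced under a numeric group name, so policies written against group names do not silently miss that user.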

Expert Contributor

@Junichi Oda @Ali Bajwa @spolavarap

Did you get the solution? I am struggling a lot and not able to search users within a group. Here are my settings. Only groups are getting fetched, but no users. If I remove User Search Filter, I am able to fetch all users, including users from other groups.

Username Attribute = uid

User Object Class = inetOrgPerson

User Search Base = zz.com

User Search Filter = (memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)

User Search Scope = sub

User Group Name Attribute = memberof,ismemberof

Group Member Attribute = member

Group Name Attribute = cn

Group Object Class = groupOfNames

Group Search Base = zz.com

Group Search Filter = (|(cn=edl*)(cn=TEAM_EDL_Dev)

Expert Contributor

Hi @Junichi Oda,

We have the same error in the Ranger log, even when the groupnames are filled:

ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: userX, groups: [groupX, groupY]

I have inspected the source code from ranger-0.6, which is part of HDP-2.4.3.0, our current version of the stack.

Interestingly enough, all calls to the remote server inside LdapUserGroupBuilder.addOrUpdateUser(user, groups) are wrapped in a try-catch(Exception e). There is addUser, addUserGroupInfo and delXUserGroupInfo. But we don't see that in the log. The addOrUpdateUser is wrapped with try-catch(Throwable t). Looks like it's an Error, not an Exception!

I found this RANGER-804 ticket referring to missing classes. I copied the jars in '/usr/hdp/current/ranger-usersync/lib' from another folder. The code runs, but I have a Certificate PKI error at the moment because we use LDAPS, but looks like this might get you further.

Greetings, Alexander