
How does the gid associate the groupname in the group info in Ranger Usersync with LDAP?

Explorer

I'm trying to sync users and groups from LDAP into Ranger using Ranger Usersync.

How do I associate the groupname in the group info with the gid in the user and group info?

In my LDAP server, the user info has the gid but does not have the groupname.

I tried LDAP Usersync, but I can't get group names. The Ranger UI only displayed the gid.

[screenshot: 796-スクリーンショット-2015-12-14-141150.png]

I also tried setting ranger.usersync.group.searchenabled to true, but I still could not get group names.

The usersync.log showed the following logs:

INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1, groupList: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2, groupList: []
...

INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user1, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user1, groups: []
INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user2, groups: []
ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user2, groups: []

The usersync settings were as follows:

ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchfilter = (space)
ranger.usersync.ldap.user.searchbase = ou=account,dc=TEST
ranger.usersync.ldap.user.objectclass = user
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = group
ranger.usersync.group.searchbase = ou=group,dc=TEST
ranger.usersync.group.searchenabled = true
ranger.usersync.group.searchfilter = (space)
ranger.usersync.group.searchscope = (space)
ranger.usersync.ldap.searchBase = dc=TEST
ranger.usersync.ldap.user.groupnameattribute = gidNumber
ranger.usersync.ldap.user.nameattribute = uid

The user and group entries are as follows:

・User

dn: uid=user1,ou=user,dc=TEST
uid: user1
objectClass: user
uidNumber: 10
gidNumber: 50100
cn: user1

・Group

dn: cn=group1,ou=group,dc=TEST
cn: group1
objectClass: group
gidNumber: 50100
member: user1

Please let me know what I should check.

Version

HDP 2.3.0.0
Ranger 0.5.0.2.3

I have bad English, so I apologize if I say something strange.

Thanks.

1 ACCEPTED SOLUTION

Please refer to the Ranger user sync doc...some of the properties may not have been set as recommended by the doc:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...

Can you try changing the below property:

ranger.usersync.ldap.user.groupnameattribute

...to the below value instead? Then restart the Ranger components via Ambari (while tailing the same log file) and check the Ranger UI again.

memberof, ismemberof

14 REPLIES

Explorer

Thank you for your reply and for pointing me to the document.

I tried setting "memberof, ismemberof" as "ranger.usersync.ldap.user.groupnameattribute" and restarted Ranger.

However, this did not resolve the problem, and the logs showed the same content.

I will check the settings again.

Just to confirm: the Ranger Usersync component was restarted? Also what LDAP are you using? (e.g. is it AD or IPA or OpenLDAP etc)

Explorer

@Ali Bajwa

After restarting Ranger Usersync, I got the below logs.

LdapUserGroupBuilder initialization completed with -
ldapAuthenticationMechanism: simple,
searchBase: dc=TEST,
userSearchBase: ou=user,dc=TEST,
userSearchFilter: ,
extendedUserSearchFilter: (objectclass=user),
userNameAttribute: uid,
userSearchAttributes: [uid, memberof, ismemberof],
userGroupNameAttributeSet: [memberof, ismemberof],
groupSearchEnabled: true,
groupSearchBase: ou=group,dc=TEST,
groupSearchFilter: ,
extendedGroupSearchFilter: (&(objectclass=group)(member={0})),
extendedAllGroupsSearchFilter: (&(objectclass=group)),
groupMemberAttributeName: member,
groupNameAttribute: cn, 

The LDAP type we are using is AD.

Other than the doc link above, you can check these sample configs we used to get Ranger user sync working with AD on HDP 2.3:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Kerberos-ActiveDirectory.MD#ranger...

Explorer

Thank you for pointing me to the other document.

I have tried changing some settings, but I have not solved it yet.

Explorer

I tried looking at the source code of Ranger Usersync.

This is from the getUserGroups method in the LdapUserGroupBuilder class:

groupSearchResultEnum = ldapContext.search(
        groupSearchBase,
        extendedGroupSearchFilter,
        new Object[]{userInfo.getUserFullName()},
        groupSearchControls);

userInfo.getUserFullName() returns "uid=user1,ou=user,dc=TEST".

I suspect this is too long, and that the userInfo.getUserName() method is more appropriate.

+ @sneethiraj to comment.

In our usage, Ranger user sync with AD has worked fine with the above configuration.

Expert Contributor

Hi @Junichi Oda,

In most deployments, the group's member attribute contains the distinguished name (the dn, which is the full name) of the user, as mentioned in the Microsoft documentation: https://msdn.microsoft.com/en-us/library/windows/d...

Hence we specifically used the full name of the user in the group search filter. But it looks like in your case the member attribute doesn't contain the dn of the user.

Just curious, how come there is no "memberof" attribute for the user? In most AD deployments, the "memberof" attribute of the user and the "member" attribute of the group are two-way links, and AD automatically updates the other if one is modified. Which version of AD are you using?

Maybe we can make this a configurable parameter?
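To make the mismatch discussed above concrete, here is an added Python example (not Ranger's code and not from anyone in this thread) that emulates the group lookup: the logged filter (&(objectclass=group)(member={0})) is evaluated against group entries constructed from the question's LDIF, once with member holding the user's DN and once with member holding a bare uid, and with either the full DN or the uid substituted for {0}.

```python
import re

# Constructed entries modelled on the LDIF in the question; not real directory data.
USER = {"dn": "uid=user1,ou=user,dc=TEST", "uid": ["user1"], "gidNumber": ["50100"]}
GROUPS_AS_POSTED = [   # member holds a bare uid, as in the question
    {"dn": "cn=group1,ou=group,dc=TEST", "objectClass": ["group"],
     "cn": ["group1"], "gidNumber": ["50100"], "member": ["user1"]},
]
GROUPS_TYPICAL_AD = [  # member holds the user's DN, the usual AD layout
    {"dn": "cn=group1,ou=group,dc=TEST", "objectClass": ["group"],
     "cn": ["group1"], "gidNumber": ["50100"],
     "member": ["uid=user1,ou=user,dc=TEST"]},
]

# Filter exactly as logged by usersync; {0} is replaced by what the builder passes in.
EXTENDED_GROUP_SEARCH_FILTER = "(&(objectclass=group)(member={0}))"

_ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

def matches(entry, ldap_filter):
    """Minimal evaluator: AND of equality assertions, attribute names compared
    case-insensitively. Enough for the filters shown on this page."""
    attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
    return all(value in attrs.get(name.lower(), [])
               for name, value in _ASSERTION.findall(ldap_filter))

def group_names(groups, substituted_value):
    """Emulate getUserGroups(): substitute {0}, return the cn of every matching group."""
    ldap_filter = EXTENDED_GROUP_SEARCH_FILTER.replace("{0}", substituted_value)
    return [g["cn"][0] for g in groups if matches(g, ldap_filter)]

if __name__ == "__main__":
    # DN substituted (what getUserFullName() gives): works only when member holds DNs.
    print(group_names(GROUPS_TYPICAL_AD, USER["dn"]))    # ['group1']
    print(group_names(GROUPS_AS_POSTED, USER["dn"]))     # []  <- the empty groupList in the log
    # uid substituted (the getUserName() idea from the thread): matches the posted data.
    print(group_names(GROUPS_AS_POSTED, USER["uid"][0])) # ['group1']
```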

Explorer

Thank you for the URL to the Microsoft documentation, but I couldn't find this page.

[screenshot: 852-スクリーンショット-2015-12-16-102348.png]

I would like to tell you more information, but I don't know why our AD is like this. So sorry.

Mentor

@Junichi Oda has this been resolved? Please accept best answer or provide your own solution.

Explorer

@Artem Ervits

So sorry for replying late.

I understood that our environment is unusual. I'm about to write a small script.

This script will get the users and groups list from our LDAP server and make it available for Ranger to read.

Ranger will then synchronize users and groups from the formatted list.
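As an added example (not the poster's script and not Ranger code), the following Python does the gidNumber-to-cn resolution the original question asks about, honours the group's member attribute as well, and emits passwd- and group-format lines; the entries are constructed from the LDIF earlier in the thread, and feeding such files to a Unix-style usersync is an assumption about how the output would be consumed.

```python
# Constructed entries modelled on the question's LDIF; a real script would pull
# these from the directory (for example with python-ldap) instead.
USERS = [
    {"uid": "user1", "uidNumber": "10", "gidNumber": "50100", "cn": "user1"},
    {"uid": "user2", "uidNumber": "11", "gidNumber": "50200", "cn": "user2"},
    {"uid": "user3", "uidNumber": "12", "gidNumber": "60000", "cn": "user3"},  # gid with no group
]
GROUPS = [
    {"cn": "group1", "gidNumber": "50100", "member": ["user1"]},
    {"cn": "group2", "gidNumber": "50200", "member": ["user2", "user1"]},
]

def resolve_groups(users, groups):
    """uid -> group names: primary group via gidNumber, then every group whose
    member attribute names the uid. Unresolvable gids are reported, not guessed."""
    name_by_gid = {g["gidNumber"]: g["cn"] for g in groups}
    resolved, unresolved = {}, []
    for u in users:
        names = []
        primary = name_by_gid.get(u["gidNumber"])
        if primary is None:
            unresolved.append((u["uid"], u["gidNumber"]))
        else:
            names.append(primary)
        names += [g["cn"] for g in groups
                  if u["uid"] in g["member"] and g["cn"] not in names]
        resolved[u["uid"]] = names
    return resolved, unresolved

def passwd_lines(users):
    """passwd(5)-style lines; password field is 'x', home and shell are placeholders."""
    return ["%s:x:%s:%s:%s:/home/%s:/sbin/nologin" % (
        u["uid"], u["uidNumber"], u["gidNumber"], u["cn"], u["uid"]) for u in users]

def group_lines(users, groups):
    """group(5)-style lines listing explicit members plus primary-group users."""
    lines = []
    for g in groups:
        members = list(g["member"])
        members += [u["uid"] for u in users
                    if u["gidNumber"] == g["gidNumber"] and u["uid"] not in members]
        lines.append("%s:x:%s:%s" % (g["cn"], g["gidNumber"], ",".join(members)))
    return lines

if __name__ == "__main__":
    groups_of, missing = resolve_groups(USERS, GROUPS)
    print(groups_of)  # {'user1': ['group1', 'group2'], 'user2': ['group2'], 'user3': []}
    print(missing)    # [('user3', '60000')]
    print("\n".join(passwd_lines(USERS) + group_lines(USERS, GROUPS)))
```

Users whose gidNumber matches no group entry are listed separately so the sync does not silently produce a user with no group, which is exactly the symptom in the log above.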

Contributor

@Junichi Oda @Ali Bajwa @spolavarap

Did you get a solution? I am struggling a lot and am not able to search users within a group. Here are my settings. Only groups are getting fetched, but no users. If I remove the User Search Filter, I am able to fetch all users, including users from other groups.

Username Attribute = uid

User Object Class = inetOrgPerson

User Search Base = zz.com

User Search Filter = (memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)

User Search Scope = sub

User Group Name Attribute = memberof,ismemberof

Group Member Attribute = member

Group Name Attribute = cn

Group Object Class = groupOfNames

Group Search Base = zz.com

Group Search Filter = (|(cn=edl*)(cn=TEAM_EDL_Dev)

Contributor

Hi @Junichi Oda,

We have the same error in the Ranger log, even when the groupnames are filled:

ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: userX, groups: [groupX, groupY]

I have inspected the source code of ranger-0.6, which is part of HDP-2.4.3.0, our current version of the stack.

Interestingly enough, all calls to the remote server inside LdapUserGroupBuilder.addOrUpdateUser(user, groups) are wrapped in a try-catch(Exception e). There are addUser, addUserGroupInfo and delXUserGroupInfo. But we don't see that in the log. The addOrUpdateUser itself is wrapped with try-catch(Throwable t). Looks like it's an Error, not an Exception!

I found the RANGER-804 ticket referring to missing classes. I copied the jars into '/usr/hdp/current/ranger-usersync/lib' from another folder. The code runs, but I have a certificate PKI error at the moment because we use LDAPS; still, this might get you further.

Greetings, Alexander
