Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

How to sync users and groups from both LDAP and Unix with Ranger?

Labels:
SametKaradag
Explorer

Created ‎03-07-2017 02:50 PM

There are some local unix users which don't exist in AD. How can I sync these users also with Ranger, so that in the end users from both AD and Unix will exist on the ranger?

2,207 Views
2 REPLIES 2

spolavarapu
Expert Contributor

Created ‎03-07-2017 07:22 PM

@Samet Karadag,

Ranger doesn't support syncing from two different sources simultaneously. But there is a workaround to have users from two different sources in Ranger.

Since Ranger doesn't automatically delete the users that are sync'd, first sync users from Unix as usual. Once that is done, change the ranger config to sync from LDAP and restart Ranger. Then the users from AD are sync'd to Ranger. At this point you can see users in Ranger from both Unix and LDAP.

Few things to note down here:

1. Ranger gets updates only from the latest sync source that is configure. In the above workaround scenario, ranger gets updates only from LDAP. Any new users added in Unix afterwards will not be sync'd until the sync source configuration is set back to Unix and restart ranger.

2. If same user/group exists in two different sources, then the latest sync source user/group is taken into effect. One of the example can be:

Say user "bob" exists in Unix and is part of unix groups like "grp1" and "grp2"

User "bob" also exists in AD/LDAP and is member of groups "ad_grp1".

In this scenario, if ranger is configured to sync from Unix first and then LDAP/AD, then the effective user "bob" will only have "ad_grp1" as the groups.

In this case "grp1" and "grp2" will still be shown under "Groups" tab in Ranger.

Hope this helps!

1,315 Views

Shelton
Mentor

Created ‎04-18-2017 03:29 PM

@spolavarapu

I have a similar situation, can you confirm to me that I can switch from LDAP to UNIX and any given time?. I have great worries as I have a Dev cum Production cluster that I have only synced 4 users from the LDAP as requested but I have failed to sync the user group in question.

Now I would like nevertheless proceed and sync users in Ranger but I read a note about taking extra care because once the LDAP users are synced on can longer logon using admin/admin ?

Can you validate that !

1,314 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements