There are some local Unix users that don't exist in AD. How can I also sync these users with Ranger, so that in the end users from both AD and Unix exist in Ranger?
Ranger doesn't support syncing from two different sources simultaneously. But there is a workaround to have users from two different sources in Ranger.
Since Ranger doesn't automatically delete the users that are sync'd, first sync users from Unix as usual. Once that is done, change the Ranger config to sync from LDAP and restart Ranger. Then the users from AD are sync'd to Ranger. At this point you can see users in Ranger from both Unix and LDAP.
A few things to note here:
1. Ranger gets updates only from the latest sync source that is configured. In the above workaround scenario, Ranger gets updates only from LDAP. Any new users added in Unix afterwards will not be sync'd until the sync source configuration is set back to Unix and Ranger is restarted.
2. If the same user/group exists in two different sources, then the user/group from the latest sync source takes effect. One example:
Say user "bob" exists in Unix and is part of Unix groups "grp1" and "grp2".
User "bob" also exists in AD/LDAP and is a member of group "ad_grp1".
In this scenario, if Ranger is configured to sync from Unix first and then LDAP/AD, then the effective user "bob" will only have "ad_grp1" as its group.
In this case "grp1" and "grp2" will still be shown under the "Groups" tab in Ranger.
Hope this helps!
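A pre-switch check for the workaround in the answer above, as an added example that is not part of the original thread or Ranger's own code: it models the answer's "latest sync source takes effect" behaviour to list users that exist in both sources (with the Unix groups they would drop) and Unix-only users that get no further updates once the source is LDAP. The sample passwd/group text, the LDAP membership map, the function names, the `min_uid` cutoff and counting the primary group as a membership are all assumptions.

```python
# Added example: sample data below is constructed, not from a real cluster.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1001:2001:Bob:/home/bob:/bin/bash
alice:x:1002:2002:Alice:/home/alice:/bin/bash
"""
GROUP = """\
root:x:0:
grp1:x:2001:
grp2:x:2002:bob,alice
"""
# Constructed stand-in for an LDAP/AD export: user -> groups.
LDAP = {"bob": {"ad_grp1"}, "carol": {"ad_grp2"}}


def parse_unix(passwd_text, group_text, min_uid=500):
    """Return {user: set(groups)} for accounts with uid >= min_uid (assumed cutoff)."""
    gid_to_name, extra = {}, {}
    for line in group_text.strip().splitlines():
        name, _pw, gid, members = line.split(":")[:4]
        gid_to_name[gid] = name
        for user in filter(None, members.split(",")):
            extra.setdefault(user, set()).add(name)
    users = {}
    for line in passwd_text.strip().splitlines():
        fields = line.split(":")
        user, uid, gid = fields[0], int(fields[2]), fields[3]
        if uid < min_uid:
            continue  # skip system accounts
        groups = set(extra.get(user, ()))
        if gid in gid_to_name:  # assumption: primary group counts as a membership
            groups.add(gid_to_name[gid])
        users[user] = groups
    return users


def groups_dropped(unix, ldap):
    """Users in both sources -> Unix groups the later (LDAP) sync would not supply."""
    return {u: sorted(unix[u] - ldap[u])
            for u in sorted(unix.keys() & ldap.keys()) if unix[u] - ldap[u]}


def unix_only(unix, ldap):
    """Users that stay in Ranger but get no further updates while the source is LDAP."""
    return sorted(unix.keys() - ldap.keys())


if __name__ == "__main__":
    unix = parse_unix(PASSWD, GROUP)
    print("colliding users:", groups_dropped(unix, LDAP))
    print("unix-only users:", unix_only(unix, LDAP))
```

Any user reported by `groups_dropped` should have its policies reviewed before the switch, since policies written against the Unix groups would stop applying to that user.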
I have a similar situation. Can you confirm that I can switch from LDAP to UNIX at any given time? I have great worries, as I have a Dev cum Production cluster on which I have only synced 4 users from LDAP as requested, but I have failed to sync the user group in question.
Now I would nevertheless like to proceed and sync users in Ranger, but I read a note about taking extra care because once the LDAP users are synced one can no longer log on using admin/admin?
Can you validate that!