Issue: Ranger incremental sync with LDAP does not sync users

Hi,

I am using Hortonworks Data Cloud on AWS. I have created cluster with one master node and two worker nodes.

On master node I have configured openLDAP Server and on workers openLDAP clients.

Initially I created two users (aaa, bbb) and one group (ldapusers). Both users are members of the ldapusers group.

When I first configured Ranger in Ambari with LDAP as the user source, it performed a full sync. The configuration was as follows:

Common Configs:

Enable User Sync=true 

LDAP/AD URL = ldap://ip-0-0-0-0.ec2.internal:389 
Bind User = cn=Manager,dc=hadoop,dc=com 
Bind User Password = ••••••• 
Incremental Sync = true

User Configs:

Username Attribute = uid
User Object Class = inetOrgPerson
User Search Base = dc=hadoop,dc=com
User Search Filter (blank)
User Search Scope = sub
User Group Name Attribute = memberof, ismemberof
Group User Map Sync = true
Enable User Search = true

Group Config:

Enable Group Sync = true
Group Member Attribute = gidNumber
Group Name Attribute = cn
Group Object Class = posixGroup
Group Search Base = dc=hadoop,dc=com
Group Search Filter = cn=*
Enable Group Search First = true

With the above configuration it synced only users from the openLDAP server.

When I changed the Group Configs as below, it synced groups as well.

Group Config:

Enable Group Sync = true
Group Member Attribute = gidNumber
Group Name Attribute = cn
Group Object Class = posixGroup
Group Search Base = dc=hadoop,dc=com
Group Search Filter = (|(cn=ldapusers))
Enable Group Search First = true

Now I am creating one more user (ccc) and group (developer) in the openLDAP server. User ccc is a member of group developer.

When this user and group sync with Ranger, it performs an incremental sync. For that I have given the following configuration for the group configs and user configs:

User Configs:

Username Attribute = uid
User Object Class = inetOrgPerson
User Search Base = dc=hadoop,dc=com
User Search Filter = (|(memberof=cn=ldapusers,ou=groups,dc=hadoop,dc=com)(memberof=cn=deveoper,ou=groups,dc=hadoop,dc=com))
User Search Scope = sub
User Group Name Attribute = memberof, ismemberof
Group User Map Sync = true
Enable User Search = true

I have created users under ou=users and groups under ou=groups.

Group Config:

Enable Group Sync = true
Group Member Attribute = gidNumber
Group Name Attribute = cn
Group Object Class = posixGroup
Group Search Base = dc=hadoop,dc=com
Group Search Filter = (|(cn=ldapusers)(cn=developer))
Enable Group Search First = true

With this configuration it only syncs the groups in the incremental sync; I cannot see the user in the Ranger UI.

I tried with the User Search Filter value blank in User Configs, but it didn't work.

I need fixed values for User Search Filter and Group Search Filter which work in both full sync and incremental sync.

Can anyone help me solve this issue?

Thank You.
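As an added static check (not code from the post or from Ranger), the snippet below cross-references the `memberof=` group DNs in the User Search Filter quoted above against the `cn` values selected by the Group Search Filter and the Group Search Base, because a user filter that points at a group the group sync never selects will never bring in the expected users; the filter strings are copied from the question and the helper is a constructed example that does not talk to an LDAP server.

```python
import re
from difflib import get_close_matches

# Filter values copied from the question (constructed test input, not live LDAP data).
USER_SEARCH_FILTER = (
    "(|(memberof=cn=ldapusers,ou=groups,dc=hadoop,dc=com)"
    "(memberof=cn=deveoper,ou=groups,dc=hadoop,dc=com))"
)
GROUP_SEARCH_FILTER = "(|(cn=ldapusers)(cn=developer))"
GROUP_SEARCH_BASE = "dc=hadoop,dc=com"


def memberof_dns(user_filter):
    """Group DNs referenced by (memberof=...) terms of the user search filter."""
    return re.findall(r"\(memberof=([^()]+)\)", user_filter, flags=re.IGNORECASE)


def selected_group_cns(group_filter):
    """Lower-cased cn values the group search filter matches by equality."""
    return [cn.lower() for cn in re.findall(r"\(cn=([^()]+)\)", group_filter, flags=re.IGNORECASE)]


def normalise_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_filters(user_filter, group_filter, group_base):
    """Return (dn, problem) pairs for memberof references the group sync would not cover."""
    problems = []
    group_cns = selected_group_cns(group_filter)
    base = normalise_dn(group_base)
    for dn in memberof_dns(user_filter):
        ndn = normalise_dn(dn)
        rdn_attr, _, rdn_value = ndn.split(",", 1)[0].partition("=")
        if rdn_attr != "cn":
            problems.append((dn, "first RDN is not cn, cannot compare with group filter"))
            continue
        if not (ndn == base or ndn.endswith("," + base)):
            problems.append((dn, "outside group search base %s" % group_base))
        if rdn_value not in group_cns:
            msg = "group cn %r not selected by group filter" % rdn_value
            hint = get_close_matches(rdn_value, group_cns, n=1)  # catches typos
            if hint:
                msg += " (did you mean %r?)" % hint[0]
            problems.append((dn, msg))
    return problems


if __name__ == "__main__":
    for dn, problem in check_filters(USER_SEARCH_FILTER, GROUP_SEARCH_FILTER, GROUP_SEARCH_BASE):
        print("%s: %s" % (dn, problem))
```

Running it against the filters from the question flags the `cn=deveoper` reference, which no group in the Group Search Filter matches; Ranger's own matching is more involved, so this only catches configuration inconsistencies, not server-side attribute issues.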
