Support Questions

Find answers, ask questions, and share your expertise

Not able to see groups in in apache ranger from one ldap

avatar
Contributor

I have hdp 2.3.2 and ranger 0.5 and openldap . I am intgrating ldap and ranger . I have configured ranger and able to see the users in users tab but my groups are not visible in the RangerUI . Below in the LDIF from open ldap.

Sample LDIF
# bigdatdomain.com
dn: dc=bigdatdomain,dc=com
objectClass: organization
objectClass: dcObject
o: Hadoop
dc: bigdatdomain
# users, bigdatdomain.com
dn: ou=users,dc=bigdatdomain,dc=com
objectClass: organizationalUnit
ou: users
# student1, users, bigdatdomain.com
dn: uid=student1,ou=users,dc=bigdatdomain,dc=com
uid: student1
cn: student1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student1
uidNumber: 15000
gidNumber: 10000
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student1@bigdatdomain.com
gecos: Student1 User
# student2, users, bigdatdomain.com
dn: uid=student2,ou=users,dc=bigdatdomain,dc=com
uid: student2
cn: student2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/student2
uidNumber: 15001
gidNumber: 10000
userPassword:: e1NTSEF9Q1FHNUtIYzZiMWlpK3FvcGFWQ3NOYTE0djkrcjE0cjU=
mail: student2@bigdatdomain.com
gecos: Student2 User
# groups, bigdatdomain.com
dn: ou=groups,dc=bigdatdomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
description: stc groups
# itpeople, groups, bigdatdomain.com
dn: cn=itpeople,ou=groups,dc=bigdatdomain,dc=com
objectClass: groupOfNames
member: uid=student2,ou=users,dc=bigdatdomain,dc=com
member: uid=student1,ou=users,dc=bigdatdomain,dc=com
cn: itpeople
description: IT security group

Usersync log :-

20 Feb 2017 00:00:55  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldap://xyz:389,  ldapBindDn: cn=Manager,dc=bigdatdomain,dc=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: dc=bigdatdomain,dc=com,  userSearchBase: ou=users,dc=bigdatdomain,dc=com,  userSearchScope: 2,  userObjectClass: person,  userSearchFilter: uid=*,  extendedUserSearchFilter: (&(objectclass=person)(uid=*)),  userNameAttribute: uid,  userSearchAttributes: [uid, ismemberof, memberof],  userGroupNameAttributeSet: [ismemberof, memberof],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: false,  groupSearchBase: dc=bigdatdomain,dc=com,  groupSearchScope: 2,  groupObjectClass: groupofnames,  groupSearchFilter: ,  extendedGroupSearchFilter: (&(objectclass=groupofnames)(member={0})),  extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)),  groupMemberAttributeName: member,  groupNameAttribute: cn,  groupUserMapSyncEnabled: false,  ldapReferral: ignore

Can some point that if there is any error in my ranger conf??

1 ACCEPTED SOLUTION

avatar
Expert Contributor

Hi @Anwaar Siddiqui,

I see that the userObjectClass is set to "person" in ranger config but the ldif shows the object class configured for the user are:

  1. objectClass: top
  2. objectClass: posixAccount
  3. objectClass: inetOrgPerson

Please change the userObjectClass in ranger config to "posixAccount" instead.

Also I see that groupUserMapSyncEnabled is set to "false" and "groupSearchEnabled" is also set to "false". With this configuration, ranger gets group names from "memberof" attribute of the users. But from the above ldif, memberof attribute is not available for the user and hence no groups are synced. Please set "groupUserMapSyncEnabled" and "groupSearchEnabled" to true so that group memberships are computed from the group search and member attribute of the group.

Thanks,

Sailaja.

View solution in original post

8 REPLIES 8

avatar
Guru

Hello @Anwaar Siddiqui,

I believe there is problem with the group sync setting in the Ranger configuration. To confirm that, we need to see if the LDAP query for group using these parameters are working or not. Can you please run this query and share the output with us?

ldapsearch -x -H ldap://xyz:389 -D "cn=Manager,dc=bigdatdomain,dc=com" -W -b "dc=bigdatdomain,dc=com" "(&(objectclass=groupofnames)(cn=*))"

Hope this helps !

avatar
Contributor

@Vipin Rathor..the above search was fine...i believe in HDP 2.3.2 groupsync filters was false by default..which was the issue..

avatar
Expert Contributor

Hi @Anwaar Siddiqui,

I see that the userObjectClass is set to "person" in ranger config but the ldif shows the object class configured for the user are:

  1. objectClass: top
  2. objectClass: posixAccount
  3. objectClass: inetOrgPerson

Please change the userObjectClass in ranger config to "posixAccount" instead.

Also I see that groupUserMapSyncEnabled is set to "false" and "groupSearchEnabled" is also set to "false". With this configuration, ranger gets group names from "memberof" attribute of the users. But from the above ldif, memberof attribute is not available for the user and hence no groups are synced. Please set "groupUserMapSyncEnabled" and "groupSearchEnabled" to true so that group memberships are computed from the group search and member attribute of the group.

Thanks,

Sailaja.

avatar
Contributor

@spolavarapu Thanks ..when i enabled filters from false to true..it picked the groups, but all of them are internal..also i have downloaded 2.5 sandbox , i was able to get the groups as these filters were already enabled there but there i am not able to login using the passwords in HDP 2.5 . It says invalid username/password .Can you give quick pointers to check for that..

avatar
Expert Contributor

@Anwaar Siddiqui,

Is it the ranger admin ui login that is failing? If so, can you check "authentication method" configured for ranger under Advanced tab in ambari. It should be set to "LDAP" and corresponding "LDAP Settings" should be configured.

avatar
Contributor

@spolavarapu..I did lit bit googling an fixed it..but in ranger while creating policy i have selected one LDAP group ..so idealy only the users of these group should come in 'Select User' tab..but i can see all users there..

12834-testt.jpg

avatar
Expert Contributor
@Anwaar Siddiqui

That is true. We want to show all the users so that admin has flexibility to grant permissions for users that don't belong to the selected group. Also, if the group has permissions, then it is implied that the users in that group has same permissions. Hence showing the users only from that group is not very useful.

avatar
Contributor

I had same problem "ranger can sync users with ldap but can't login to ranger UI with ldap password." Finally I could solved this problem, so, let me share lessons learned and how I solved to help you guys who has same problem as I faced.

lessons learned

1. We have to configure ranger admin to speak ldaps protocol if we want to use ldaps for user authentication.

paramaters in ranger-admin-site: ranger.truststore.file, ranger.truststore.password
I had to import self-signed CA from LDAP team to "/etc/ranger/admin/conf/ranger-admin-keystore.jks".
Set password which I specified for this import to "ranger.truststore.password".
Command example: keytool -importcert -alias rangeradmin -noprompt -trustcacerts -file ./ca.crt -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -storepass xasecure
ref: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/configure_non_ambari_ra...

2. setting syncing user info with ldap and setting to use ldap for authentication are technically different.

For example, we can use ldap authentication for ranger UI login even when we disable "Enable User Sync". In other words, we can use ldap authentication when "Ranger Usersync" service is not running.

3. debug logs from "org.springframework" and "org.apache.ranger" were very useful for the trouble shooting.

We can change the log level with "admin-log4j.xml".
log4j.category.org.springframework=debug,xa_log_appender
log4j.category.org.apache.ranger=debug,xa_log_appender

4. Here are the key configurations for ldap authentication (not for user sync with ldap.)

Authentication method: LDAP
LDAP URL: ldaps://xxxxxx
User Search Filter: (uid={0})
Group Search Filter: (member=uid={0},ou=xxxxx,o=xxxxx)
ranger.ldap.user.dnpattern: uid={0},ou=xxxxx,o=xxxxx
ranger.truststore.file: /etc/ranger/admin/conf/ranger-admin-keystore.jks <= in case with ldaps.
ranger.truststore.password: xasecure <= in case with ldaps. this is the passwoed you set when you import ca to jks.

I hope, this memo help guys who have same problem as I faced 🙂