
Ranger + AD: sync users from groups question

Rising Star

Hi, all!

Environment:

RHEL 7.2 + Winbind

HDP 2.5

Ranger 0.6.0.2.5

AD: Windows 2008 R2 Server

User sync and group sync configured.

QUESTION:

I have some groups in AD with users inside. A user in a group is referenced as member=CN=FirstName LastName, DN=EXAMPLE, DN=COM

Exactly the same "FirstName LastName" is synced into Ranger when usersync runs. However, Ranger uses sAMAccountName in policies, and the sAMAccountName comes from Kerberos.

Is it possible to sync users from groups with sAMAccountName instead of CN?

1 ACCEPTED SOLUTION

Expert Contributor
@Nikita Kiselev

I have just posted an article related to this topic, in which I tried to explain it with some examples. Please check it out.

https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm...



@Nikita Kiselev

Yes, we can. We need to set up the appropriate filters and search parameters. You can follow the link below, and your AD team would be able to help you.

https://cwiki.apache.org/confluence/display/RANGER/LDAP+Connection+Check+Tool

Contributor

@Nikita Kiselev Yes, it is possible to sync the sAMAccountName for the user from AD/LDAP. In the Ranger configuration you have to make sure that the value for ranger.usersync.ldap.user.nameattribute is set to sAMAccountName instead of CN.

If it works, please upvote the answer.

Expert Contributor

@Nikita Kiselev

To add to the replies above, if you want to sync users from specific groups, I would suggest the following:

1. "Enable Group Sync" - Set to "true"

2. Configure all the properties related to Group Config based on the OU and group name that you want to filter.

3. "Enable Group First Search" - Set to "true"

4. Go to "User Configs" tab and "Enable User Search" - Set to "true"

5. Configure all the properties related to User Config with "sAMAccountName" as the value for "UserName attribute"

For more details please refer to the Apache JIRA below and the document attached to it:

https://issues.apache.org/jira/browse/RANGER-869

Rising Star

Thanks, all!

I have all the settings in place but was not sure they were correct. The only thing that prevented a correct sync was the User Filter, where I had restricted it to an exact list of users, so new users in the groups could not be synced into Ranger because of that filter.
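The five-step "group first" procedure above and the User Filter problem described in this reply can be seen together in one runnable model. The following is an added example, not code from this thread, from Ranger itself or from the linked article: it runs a simplified group-first sync over a constructed in-memory directory. The property names are the ones used in ranger-ugsync-site.xml as I know them (check them against your Ranger version); the directory, the group, the users, the sample filters and the tiny LDAP filter evaluator are all constructed for this example, and the sync logic is a simplified model of what usersync does, not its implementation.

```python
"""Simplified model of Ranger usersync 'group first' search over a constructed
in-memory AD (not Ranger's code): it shows how the user search maps a member DN
to a sAMAccountName and why an exact-list user filter drops new group members."""
import re

def _person(cn, sam):
    return {"objectClass": ["person"], "cn": [cn], "sAMAccountName": [sam]}

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "CN=hadoop-admins,OU=Groups,DC=EXAMPLE,DC=COM": {
        "objectClass": ["group"], "cn": ["hadoop-admins"],
        "member": ["CN=Alice Smith,OU=Users,DC=EXAMPLE,DC=COM",
                   "CN=Bob Jones,OU=Users,DC=EXAMPLE,DC=COM",
                   "CN=Carol White,OU=Users,DC=EXAMPLE,DC=COM"],  # Carol joined recently
    },
    "CN=Alice Smith,OU=Users,DC=EXAMPLE,DC=COM": _person("Alice Smith", "asmith"),
    "CN=Bob Jones,OU=Users,DC=EXAMPLE,DC=COM": _person("Bob Jones", "bjones"),
    "CN=Carol White,OU=Users,DC=EXAMPLE,DC=COM": _person("Carol White", "cwhite"),
}

# Property names as in ranger-ugsync-site.xml (check them against your version);
# the values are constructed for this example.
BASE_CONFIG = {
    "ranger.usersync.group.search.first.enabled": "true",
    "ranger.usersync.user.searchenabled": "true",
    "ranger.usersync.ldap.group.searchbase": "OU=Groups,DC=EXAMPLE,DC=COM",
    "ranger.usersync.ldap.group.searchfilter": "(cn=hadoop-admins)",
    "ranger.usersync.ldap.group.nameattribute": "cn",
    "ranger.usersync.ldap.group.memberattributename": "member",
    "ranger.usersync.ldap.user.searchbase": "OU=Users,DC=EXAMPLE,DC=COM",
    "ranger.usersync.ldap.user.nameattribute": "sAMAccountName",
}

# The thread's situation: a filter pinned to an exact account list never sees
# Carol, who joined the group after the filter was written.
EXACT_LIST_FILTER = "(|(sAMAccountName=asmith)(sAMAccountName=bjones))"
OPEN_FILTER = "(objectClass=person)"

def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (&...), (|...) and (attr=value)."""
    body = text.strip()[1:-1]
    if body[0] not in "&|":
        attr, _, value = body.partition("=")
        return ("=", attr, value)
    children, depth, start = [], 0, 0
    for i, ch in enumerate(body):  # split the operand list on balanced parentheses
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(parse_filter(body[start:i + 1]))
    return (body[0], children)

def matches(entry, node):
    """Evaluate a parsed filter; attribute names are case-insensitive, '*' is a wildcard."""
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    if node[0] == "|":
        return any(matches(entry, c) for c in node[1])
    _, attr, value = node
    pattern = re.escape(value).replace(r"\*", ".*")
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(base, ldap_filter):
    """Subtree search under `base`, keyed by lower-cased DN (DNs compare case-insensitively)."""
    node = parse_filter(ldap_filter)
    return {dn.lower(): attrs for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(attrs, node)}

def sync_users_from_groups(cfg):
    """Group-first sync: find the groups, then resolve each member DN through the
    *user* search so the name handed to Ranger is the user name attribute
    (sAMAccountName), not the CN in the member DN.  Returns {user: {groups}}."""
    name_attr = cfg["ranger.usersync.ldap.user.nameattribute"]
    groups = search(cfg["ranger.usersync.ldap.group.searchbase"], cfg["ranger.usersync.ldap.group.searchfilter"])
    users = search(cfg["ranger.usersync.ldap.user.searchbase"], cfg["ranger.usersync.ldap.user.searchfilter"])
    synced = {}
    for gattrs in groups.values():
        gname = gattrs[cfg["ranger.usersync.ldap.group.nameattribute"]][0]
        for member_dn in gattrs.get(cfg["ranger.usersync.ldap.group.memberattributename"], []):
            entry = users.get(member_dn.lower())
            if entry is None:
                continue  # member exists in AD, but the user search filter excluded it
            synced.setdefault(entry[name_attr][0], set()).add(gname)
    return synced

def sync_with_user_filter(user_filter):
    """Run the sync with BASE_CONFIG plus the given ranger.usersync.ldap.user.searchfilter."""
    cfg = dict(BASE_CONFIG, **{"ranger.usersync.ldap.user.searchfilter": user_filter})
    return sync_users_from_groups(cfg)
```

Calling `sync_with_user_filter(EXACT_LIST_FILTER)` returns only asmith and bjones, while `sync_with_user_filter(OPEN_FILTER)` also returns cwhite: the member DN still carries "CN=Carol White", but the user search is what turns it into the sAMAccountName, so any user the filter excludes never reaches Ranger even though the group lists her. The practical check is therefore to keep the user search filter broad enough (object class, OU) rather than enumerating accounts, and let the group filter do the narrowing.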

Expert Contributor

@Nikita Kiselev,

Can you share your configuration as it was before you set the User Filter to the exact user list?

Rising Star

@spolavarapu

The filter on users had been there for ages. A short time ago the task of syncing users from groups appeared, and it looks like the filter prevents those users from being synced.


Rising Star

@spolavarapu thanks! It is exactly my case.