Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger + AD: sync users from groups question

avatar
author-rank nord_tramper
Rising Star

Created on ‎05-26-2017 08:13 AM - edited ‎09-16-2022 04:39 AM

Hi, all!

Environment:

RHEL 7.2 + Winbind

HDP 2.5

Ranger 0.6.0.2.5

AD: Windows 2008 R2 Server

User sync and group sync configured.

QUESTION:

I have some groups in AD with users inside. User in group pointed as member=CN=FirstName LastName, DN=EXAMPLE, DN=COM

Exactly the same FirstName LastName synced inside Ranger while usersync working. However Ranger use sAMAccountName in policy and sAMAccountName came from Kerberos.

Is it possible to sync user from groups with sAMAccountName instead of CN?

5,308 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank spolavarapu author-rank
Expert Contributor

Created ‎05-31-2017 06:36 PM

@Nikita Kiselev

Just now I posted an article related to this topic. I tried to explain with some examples. Please check it out.

https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm...

View solution in original post

4,334 Views
8 REPLIES 8

avatar
author-rank bandarusridhar1
Guru

Created ‎05-26-2017 02:19 PM

@Nikita Kiselev

Yes, we can. We need to make appropriate filters and search parameters. You can follow the below link and your AD team would be able to help you.

https://cwiki.apache.org/confluence/display/RANGER/LDAP+Connection+Check+Tool

4,334 Views
0 Kudos

avatar
author-rank gbrahmi
Contributor

Created ‎05-26-2017 04:53 PM

@Nikita Kiselev Yes it is possible to sync the sAMAccountName for the user from AD/LDAP. In Ranger configuration you have to make sure that the value for ranger.usersync.ldap.user.nameattribute is looking for sAMAccountName instead of CN.

If it works do up vote the answer.

4,334 Views
0 Kudos

avatar
author-rank spolavarapu author-rank
Expert Contributor

Created ‎05-26-2017 06:27 PM

@Nikita Kiselev

To add on to the above replies, if you want to sync users from some groups, I would suggest you to do the following:

1. "Enable Group Sync" - Set to "true"

2. Configure all the properties related to Group Config based on the OU and group name that you want to filter.

3. "Enable Group First Search" - Set to "true"

4. Go to "User Configs" tab and "Enable User Search" - Set to "true"

5. Configure all the properties related to User Config with "sAMAccountName" as the value for "UserName attribute"

For more details please refer to the below apache jira and the document attached in the jira:

https://issues.apache.org/jira/browse/RANGER-869

4,334 Views

avatar
author-rank nord_tramper
Rising Star

Created ‎05-29-2017 08:54 AM

Thanks, all!

I have all settings in place but was not sure that it is correct. Only thing that prevent from correct sync was User Filter where I restrict only exact user list and new users for groups can't be synced into Ranger because of filter

4,334 Views
0 Kudos

avatar
author-rank spolavarapu author-rank
Expert Contributor

Created ‎05-30-2017 04:45 PM

@Nikita Kiselev,

Can you share your configuration before setting the User Filter with exact user list?

4,334 Views
0 Kudos

avatar
author-rank nord_tramper
Rising Star

Created ‎05-31-2017 08:54 AM

@spolavarapu

Filter on user was there for ages. And a short time ago sync user from groups task appears and looks like the filter prevent user from sync

4,334 Views
0 Kudos

avatar
author-rank spolavarapu author-rank
Expert Contributor

Created ‎05-31-2017 06:36 PM

@Nikita Kiselev

Just now I posted an article related to this topic. I tried to explain with some examples. Please check it out.

https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm...

4,335 Views

avatar
author-rank nord_tramper
Rising Star

Created ‎06-01-2017 07:59 AM

@spolavarapu thank! It is exactly my case

4,334 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements