Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused

Rising Star

Hi, I am trying to do Ranger AD usersync (HDP version: 2.4.3 and Ambari version: 2.2.2.0). When I try to do it manually from the Ambari UI or pass the configuration through the blueprint, I get the following error:

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: Connection refused (Connection refused)

Not sure where the problem is. Ping and telnet to the AD server are also successful.

Also, the LDAP cert was loaded into a trustStore using the following command:

keytool -import -trustcacerts -alias myldap1 -file mycertfile.pem -keystore /etc/pki/java/cacerts

Any solution please?

Attaching usersync.log file (usersync.txt).

1 ACCEPTED SOLUTION

Expert Contributor

@Pooja Kamle

From the posted usersync logs, it looks like the communication between ranger admin and ranger usersync is failing. Do you have https enabled for ranger admin? If so, please add the ranger admin cert to usersync trust store.

Usersync contacts ranger admin (database) to update the users and groups that are sync'd from AD.

REPLIES

Can you please post the configuration that you gave in the Ranger usersync config?

Did you specify the ldap/ldaps protocol and the correct port while configuring usersync?

Rising Star

@Deepak Sharma Thanks for your reply. Following are my usersync configs:

Sync Source: LDAP/AD

LDAP/AD URL: ldaps://<server>:636

Authentication method: ACTIVE_DIRECTORY

Username Attribute: cn

User Object Class: user

User Search Filter: cn=*

User Search Scope: sub

User Group Name Attribute: memberof

Group Member Attribute: member

Group Name Attribute: cn

Group Object Class: group

Group Search Filter: cn=*

Also, these configs worked with a different Ranger that I had configured before with the same LDAP cert file. But now I don't understand what the issue is.

Hi @Pooja Kamle

Can you check and post the permissions on these two files:

/usr/hdp/current/ranger-usersync/conf/ugsync.jceks
/usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc

Also check the permissions of these two files on the other ranger that is working and verify if they are the same.

Rising Star

I found the issue. My Ranger admin and ranger database reside on different nodes. I was giving the database host instead of Ranger admin host in "policymgr_external_url" property. Correcting it solved the issue. Thanks for your reply.
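
The diagnosis reached in this thread, as an added example (not code from any poster or from the Ranger project): usersync depends on two endpoints, the Ranger Admin URL in "policymgr_external_url" and the LDAP/AD URL, and a refused connection on the first is not ruled out by a successful telnet to the second. The function names, the hostnames and port 6080 in the demo are assumptions or constructed values.

```python
import socket
from urllib.parse import urlsplit

# Scheme defaults used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}


def endpoint(url):
    """Return (host, port) for an http(s)/ldap(s) URL, applying scheme defaults."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def probe(url, timeout=3.0):
    """TCP-connect to the URL's endpoint: 'open', 'refused', 'timeout' or 'error: ...'."""
    host, port = endpoint(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host is reachable but nothing listens on that port (wrong host or port).
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"


def diagnose(policymgr_url, ldap_url, timeout=3.0):
    """Probe both endpoints usersync depends on and list the ones that fail."""
    results = {
        "ranger_admin": probe(policymgr_url, timeout),
        "ldap": probe(ldap_url, timeout),
    }
    failing = [name for name, state in results.items() if state != "open"]
    return results, failing


if __name__ == "__main__":
    # Constructed placeholder URLs: substitute the policymgr_external_url value
    # and the LDAP/AD URL from the usersync configuration.
    results, failing = diagnose("http://ranger-admin.example.com:6080",
                                "ldaps://ad.example.com:636")
    for name, state in results.items():
        print(f"{name}: {state}")
    print("failing endpoints:", ", ".join(failing) or "none")
```

Run it from the usersync host, since that is where the connections originate.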