Ranger AD usersync : ERROR UserGroupSync [UnixUserSyncThread] Connection refused
- Labels: Apache Ranger
Created ‎07-13-2017 11:45 AM
Hi, I am trying to do Ranger AD usersync (HDP version: 2.4.3 and Ambari version: 2.2.2.0). When I try to do it manually from the Ambari UI or pass the configuration through the blueprint, I get the following error:
ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: Connection refused (Connection refused)
Not sure where the problem is. Ping and telnet to the AD server are also successful.
Also, the LDAP cert was loaded into a trustStore using the following command:
keytool -import -trustcacerts -alias myldap1 -file mycertfile.pem -keystore /etc/pki/java/cacerts
Any solution please?
Attaching usersync.log file: usersync.txt
Created ‎07-14-2017 06:34 AM
Can you please post the configuration that you gave in the ranger usersync config?
Did you specify the ldap/ldaps protocol and the correct port while configuring usersync?
Created ‎07-14-2017 07:13 AM
@Deepak Sharma Thanks for your reply. Following are my usersync configs:
Sync Source: LDAP/AD
LDAP/AD URL: ldaps://<server>:636
Authentication method: ACTIVE_DIRECTORY
Username Attribute: cn
User Object Class: user
User Search Filter: cn=*
User Search Scope: sub
User Group Name Attribute: memberof
Group Member Attribute: member
Group Name Attribute: cn
Group Object Class: group
Group Search Filter: cn=*
Also, these configs worked with a different Ranger that I had configured before with the same LDAP cert file. But now I don't understand what the issue is.
Created ‎07-14-2017 07:33 PM
Hi @Pooja Kamle
Can you check and post the permissions on these two files:
/usr/hdp/current/ranger-usersync/conf/ugsync.jceks
/usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc
Also check the permissions of these two files on the other ranger that is working and verify if they are the same.
Created ‎07-14-2017 07:36 PM
From the posted usersync logs, it looks like the communication between ranger admin and ranger usersync is failing. Do you have https enabled for ranger admin? If so, please add the ranger admin cert to usersync trust store.
Usersync contacts ranger admin (database) to update the users and groups that are sync'd from AD.
Created ‎07-17-2017 02:09 PM
I found the issue. My Ranger admin and ranger database reside on different nodes. I was giving the database host instead of Ranger admin host in "policymgr_external_url" property. Correcting it solved the issue. Thanks for your reply.
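The diagnosis from this thread, as an added example that is not part of the original posts: the Jersey exception in the log comes from usersync's REST call to Ranger Admin, not from the LDAP connection, so the value of "policymgr_external_url" has to be probed separately from the LDAP/AD URL. The function names and the command-line usage are assumptions made for illustration; the sample log line is the one quoted in the question.

```python
import socket
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}

# Error line quoted in the question above.
SAMPLE_LOG = ("ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize "
              "UserGroup source/sink. Will retry after 3600000 milliseconds. "
              "Error details: com.sun.jersey.api.client.ClientHandlerException: "
              "java.net.ConnectException: Connection refused (Connection refused)")

def failing_side(log_line):
    """Guess which connection failed from the exception class in the log line."""
    if "com.sun.jersey" in log_line:
        return "ranger-admin"  # Jersey is the REST client, so the HTTP(S) call failed
    if "javax.naming" in log_line:
        return "ldap"          # JNDI exceptions come from the LDAP/AD connection
    return "unknown"

def endpoint(url):
    """Return (host, port) for an http(s)/ldap(s) URL, using the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def probe(url, timeout=3.0):
    """TCP-connect to the URL's host:port and report open/refused/timeout/error."""
    host, port = endpoint(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on that port
    except socket.timeout:
        return "timeout"       # typically a firewall dropping packets
    except OSError as exc:
        return f"error: {exc}" # DNS failure, no route to host, ...

if __name__ == "__main__":
    # Assumed usage: python check_usersync.py <policymgr_external_url> <LDAP/AD URL>
    print("log points at:", failing_side(SAMPLE_LOG))
    for url in sys.argv[1:]:
        print(f"{url} -> {probe(url)}")
```

Run it on the usersync node: a "refused" result for the policymgr_external_url value while the LDAP/AD URL reports "open" matches the situation described here, where the URL named the database host instead of the Ranger Admin host.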
