Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger LDAP UserSync User Name Conflict

avatar
Super Guru

I am working with Ranger LDAP(S) User and Group Sync from within an HDP 3.0 & Ambari 2.7 cluster. I have experienced the same issues on older versions of HDP and Ambari. I have the syncs operational and I am able to get Users and Groups into Ranger. However, from within Ranger UI when I edit the users synced fro Group Sync I am not getting the correct User Name. The User Name is coming over as:

"Lastname \" from "longUserName: CN=LASTNAME\, Firstname,OU=Blah,DC=blah,DC=blah,DC=blah"

How do I get the userName to be mapped correctly? It would be from sAMAccountName which is a configuration for User Sync. Group Sync has no such value...

I am also wondering how to get the First Name, Last Name and Email Address mapped correctly as well? The First Name, Last Name is the same as User Name and Email Address is empty.

This is a POC currently, but showing this to anyone higher up, they will expect the values to map over completely.

1 ACCEPTED SOLUTION

avatar
Expert Contributor
@Steven Matison

With the above configuration (after "Enable User Search" is turned on), you should now be able to see the user (smatison) with samaccountname. Do you see that user in ranger admin?

Few points to consider:

1. When "Enable Group Search First" is "ON" and "Enable User Search" is "OFF", Ranger syncs users using the "Group Member Attribute" which is in general configured with "CN" of the user.

2. When "Enable Group Search First" is "ON" and "Enable User Search" is "ON", Ranger syncs users using the value configured for "Username Attribute" (which is samaccountname in your case).

3. Once the users or groups are sync'd to Ranger, they are not deleted by Ranger automatically. It is a manual operation by ranger admin to go and delete the unused users/groups from UI.

4. For more details on how ranger syncs users and groups with different configuration options, you can refer to these articles:

- https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm...

- https://community.hortonworks.com/articles/105623/various-options-supported-in-ranger-usersync-with....

Thanks,

Sailaja.

View solution in original post

8 REPLIES 8

avatar
Expert Contributor
@Steven Matison

Do you have "Group Search First" enabled (under Group Config tab in Ambari)? If so, please enable "User search" (under User Config tab) as well. Then you can configure the username attribute to "sAMAccountName" so that the users are mapped correctly. Please provide your usersync configuration if you need more help.

>> I am also wondering how to get the First Name, Last Name and Email Address mapped correctly as well? The First Name, Last Name is the same as User Name and Email Address is empty.

This is currently not supported in Ranger. We have an internal jira for tracking this. Please let us know the customer info that is asking for this feature so that we can prioritize accordingly.

Thanks,

Sailaja.

avatar
Super Guru

@spolavarapu The UserSync feature is working with sAMAccountName and those users have the User Name imported correctly. It is the Group Sync that gets all users from the Group with the wrong User Name.

How do i tell Group Sync which username attribute to use?

avatar
Expert Contributor

@Steven Matison,

Is it possible to provide usersync.log file and/or screenshot of "User Configs" and "Group Configs" tabs in Ambari?

avatar
Super Guru

@spolavarapu I have not tried a fresh Group Sync with "Enable User Search" but I did enable it and below I provided a copy of the settings and the log output after restarting Ranger. Is there anything configured incorrectly? To see Enable User Search be effective, do I need to start with a fresh test? The Group Sync Users below were previously synced with that toggle switch in the NO Position. I have changed text to be generic, and only provide 1 group user log line.

UserSync:

84385-usersync.jpg

GroupSync

84383-groupsync.jpg

Log is here:

24 Jul 2018 06:54:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
24 Jul 2018 06:54:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization com
pleted with -- ldapUrl: ldaps://LDAP.NDC.DOMAIN.COM:636, ldapBindDn: CN=svks-dw-ldap,OU=Services,OU=Administrators,
DC=ndc,DC=domain,DC=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache
,dc=org, userSearchBase: [OU=Accounts,DC=ndc,DC=domain,DC=com], userSearchScope: 2, userObjectClass: user, userSearchF
ilter: CN=Matison\, Steven R, extendedUserSearchFilter: null, userNameAttribute: sAMAccountName, userSearch
Attributes: [uSNChanged, sAMAccountName, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true,
pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [OU=Groups,OU=KS,DC=ndc,DC=domain,DC
=com], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: CN=KS-ABG-ABC Users, extendedGroupSearchFil
ter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, group
NameAttribute: cn, groupSearchAttributes: [uSNChanged, member, cn, modifytimestamp], groupUserMapSyncEnabled: true, gro
upSearchFirstEnabled: true, userSearchEnabled: true, ldapReferral: ignore
24 Jul 2018 06:54:46 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
24 Jul 2018 06:54:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
24 Jul 2018 06:54:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing Group search first
24 Jul 2018 06:54:47 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
24 Jul 2018 06:54:47 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
24 Jul 2018 06:54:47 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
24 Jul 2018 06:54:47 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
24 Jul 2018 06:54:47 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=group)(CN=KS-ABG-ABC Users)(|(uSNChanged>=0)(modifyTimestamp>=19691231070000Z)))
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=Doe\, John,OU=Resource Admins,OU=Administrators,DC=ndc,DC=domain,DC=com, userName: Doe[ 19 additional results omitted ]
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group KS-ABG-ABC Users = 20
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 1
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - User search is enabled and hence computing user membership.
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=user)(|(uSNChanged>=0)(modifyTimestamp>=19691231070000Z))(CN=Matison\, Steven R))
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 760228369and currentDeltaSyncTime = 760228369
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 0, userName: smatison
24 Jul 2018 06:54:51 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
24 Jul 2018 06:55:01 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - sink.postUserGroupAuditInfo failed with exception: POST http://c7305.ndc.doman.com:6080/service/xusers/ugsync/auditinfo/ returned a response status of 400 Bad Request
24 Jul 2018 06:55:01 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
24 Jul 2018 06:55:01 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink
<br>

avatar
Expert Contributor
@Steven Matison

With the above configuration (after "Enable User Search" is turned on), you should now be able to see the user (smatison) with samaccountname. Do you see that user in ranger admin?

Few points to consider:

1. When "Enable Group Search First" is "ON" and "Enable User Search" is "OFF", Ranger syncs users using the "Group Member Attribute" which is in general configured with "CN" of the user.

2. When "Enable Group Search First" is "ON" and "Enable User Search" is "ON", Ranger syncs users using the value configured for "Username Attribute" (which is samaccountname in your case).

3. Once the users or groups are sync'd to Ranger, they are not deleted by Ranger automatically. It is a manual operation by ranger admin to go and delete the unused users/groups from UI.

4. For more details on how ranger syncs users and groups with different configuration options, you can refer to these articles:

- https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm...

- https://community.hortonworks.com/articles/105623/various-options-supported-in-ranger-usersync-with....

Thanks,

Sailaja.

avatar
Super Guru

I tried on a new cluster, with the settings as you suggest (group sync on, user sync on, group search first on and the results are the same... all the users synced from the Group do not have the sAMAccountname as the username....

How does one get the Group Sync to correctly map the username? (my original post)

avatar
Super Guru

I had to modify my User Search Filter. After I did this the group users synced with UserName = sAMAccountName. However, when doing this, it made UserSync go through the entire LDAPS list of users (1000s)...

avatar

Why do we synch users into Apache ranger? It would be great if someone can explain the reason along with one example.