Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger-LDAP integration

Labels:
avatar
author-rank amittewari_5
Rising Star

Created ‎05-06-2016 12:01 PM

The steps for Ranger configuration (cn=Manager,dc=hortonworks,dc=com etc.) vs LDAP structure (cn=ldapusers,ou=Groups,dc=example,dc=com etc) are not in sync at https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

Since I don't have much experience on LDAP, is their any reliable step-by-step I can use to quickly get upto speed with Ranger/LDAP integration?

3,200 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎05-06-2016 12:06 PM

@Amit Tewari - http://crazyadmins.com/how-to-integrate-ranger-with-ldap/

If you have any issues, you can ask here.

@Sagar Shimpi and I Can help you.

View solution in original post

2,756 Views
7 REPLIES 7

avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎05-06-2016 12:06 PM

@Amit Tewari - http://crazyadmins.com/how-to-integrate-ranger-with-ldap/

If you have any issues, you can ask here.

@Sagar Shimpi and I Can help you.

2,757 Views

avatar
author-rank amittewari_5
Rising Star

Created ‎05-09-2016 09:00 AM

Thanks @Kuldeep Kulkarni , @Sagar Shimpi

LDAP users synched, however:

  1. LDAP user not able to login using Ranger UI (Invalid credentials error-"The username or password you entered is incorrect..")
  2. LDAP users' group not synched/empty in Ranger UI
2,756 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎05-09-2016 10:46 AM

1. Can you make sure the username and password are correct. Try login from cli just to make ensure.

2. Can you attached ranger usersync.log and xa-portal.log.

2,756 Views
0 Kudos

avatar
author-rank amittewari_5
Rising Star

Created ‎05-10-2016 04:00 AM

@Sagar Shimpi

  1. username/password are correct. How to login in Ranger from cli?
  2. Usersync.log as below. Didnt find xa-portal.log

PS- So far have HDP sandbox setup (with openldap). Not using openldap for domain login.

[root@sandbox ~]# tail -f /usr/hdp/current/ranger-usersync/logs/usersync.log

09 May 2016 09:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2 09 May 2016 09:53:04 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink 09 May 2016 10:53:04 INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://localhost:389, ldapBindDn: cn=Manager,dc=my-domain,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=my-domain,dc=com, userSearchBase: ou=users,dc=my-domain,dc=com, userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userNameAttribute: uid, userSearchAttributes: [uid, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: dc=my-domain,dc=com, groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: *, extendedGroupSearchFilter: (&(objectclass=groupofnames)(*)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)(*)), groupMemberAttributeName: member, groupNameAttribute: cn, groupUserMapSyncEnabled: false, ldapReferral: ignore 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: atewari, groupList: [] 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: sbansal, groupList: [] 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2 09 May 2016 10:53:04 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink

2,756 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎05-06-2016 12:38 PM

@Amit Tewari If you want to have quick setup pls do also refer - https://community.hortonworks.com/articles/30653/openldap-setup.html

Let us know if you have any problems with ranger ldap integration.

2,756 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎05-10-2016 08:02 AM

@Amit Tewari

From the usersync log it seems that ranger is able to sync with your ldap, below are the logs -

"LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: atewari,"

"LDAPUserGroupBuilder.updateSink() completed with user count: 2"

Are you able to see "atewari" use in Ranger UI?

Enable debug in ranger - "vi /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml"

replace info with debug in above file and restart ranger.

Check xa-portal.log and see if you are able to see any error.

2,756 Views
0 Kudos

avatar
author-rank amittewari_5
Rising Star

Created ‎05-10-2016 11:16 AM

Yes able to see "atewari" use in Ranger UI. Thanks.

2,756 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements