Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger-LDAP integration

avatar
Rising Star

The steps for Ranger configuration (cn=Manager,dc=hortonworks,dc=com etc.) vs LDAP structure (cn=ldapusers,ou=Groups,dc=example,dc=com etc) are not in sync at https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

Since I don't have much experience on LDAP, is their any reliable step-by-step I can use to quickly get upto speed with Ranger/LDAP integration?

1 ACCEPTED SOLUTION

avatar
Master Guru
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
7 REPLIES 7

avatar
Master Guru
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login

avatar
Rising Star

Thanks @Kuldeep Kulkarni , @Sagar Shimpi

LDAP users synched, however:

  1. LDAP user not able to login using Ranger UI (Invalid credentials error-"The username or password you entered is incorrect..")
  2. LDAP users' group not synched/empty in Ranger UI

avatar
Super Guru

1. Can you make sure the username and password are correct. Try login from cli just to make ensure.

2. Can you attached ranger usersync.log and xa-portal.log.

avatar
Rising Star

@Sagar Shimpi

  1. username/password are correct. How to login in Ranger from cli?
  2. Usersync.log as below. Didnt find xa-portal.log

PS- So far have HDP sandbox setup (with openldap). Not using openldap for domain login.

[root@sandbox ~]# tail -f /usr/hdp/current/ranger-usersync/logs/usersync.log

09 May 2016 09:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2 09 May 2016 09:53:04 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink 09 May 2016 10:53:04 INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://localhost:389, ldapBindDn: cn=Manager,dc=my-domain,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=my-domain,dc=com, userSearchBase: ou=users,dc=my-domain,dc=com, userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userNameAttribute: uid, userSearchAttributes: [uid, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: dc=my-domain,dc=com, groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: *, extendedGroupSearchFilter: (&(objectclass=groupofnames)(*)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)(*)), groupMemberAttributeName: member, groupNameAttribute: cn, groupUserMapSyncEnabled: false, ldapReferral: ignore 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: atewari, groupList: [] 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: sbansal, groupList: [] 09 May 2016 10:53:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2 09 May 2016 10:53:04 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink

avatar
Super Guru

@Amit Tewari If you want to have quick setup pls do also refer - https://community.hortonworks.com/articles/30653/openldap-setup.html

Let us know if you have any problems with ranger ldap integration.

avatar
Super Guru
@Amit Tewari

From the usersync log it seems that ranger is able to sync with your ldap, below are the logs -

"LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: atewari,"

"LDAPUserGroupBuilder.updateSink() completed with user count: 2"

Are you able to see "atewari" use in Ranger UI?

Enable debug in ranger - "vi /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml"

replace info with debug in above file and restart ranger.

Check xa-portal.log and see if you are able to see any error.

avatar
Rising Star

Yes able to see "atewari" use in Ranger UI. Thanks.