Ranger User sync not able to sync users while group is getting synced.

Explorer

Hi,

I am facing an issue while running Ranger user sync. It's able to sync groups but not users. I am not getting any errors either.

Community Manager

Not sure if this older solution will help but it's worth a look. 


Cy Jervis, Manager, Community Program

Expert Contributor

Hi,

Did you enable user search? Please share the usersync configs.

Regards,

Vamsi

Expert Contributor

Hi, are you able to see the users in the usersync logs? Can you please share the usersync logs from Ranger and also some users which are not synced to check logs.

Expert Contributor

Hi,

Below is the configuration for connecting Apache Ranger with LDAP/LDAPS. There's an important tool that will help to identify some settings in your AD: AD Explorer - Windows Sysinternals | Microsoft Docs

This configuration will sync LDAP users and link them with their LDAP groups every 12 hours, so later from Apache Ranger you can give permissions based on LDAP groups as well.

For connecting using LDAPS, make sure you have the proper certificates added on the same server that hosts Ranger's UserSync service.

 

| Configuration Name | Configuration Value | Comment |
|---|---|---|
| ranger.usersync.source.impl.class | org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder | |
| ranger.usersync.sleeptimeinmillisbetweensynccycle | 12 hour | |
| ranger.usersync.ldap.url | ldaps://myldapserver.example.com | ldaps or ldap based on your LDAP security |
| ranger.usersync.ldap.binddn | myuser@example.com | |
| ranger.usersync.ldap.ldapbindpassword | mypassword | |
| ranger.usersync.ldap.searchBase | OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync |
| ranger.usersync.ldap.user.searchbase | OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync, you can also add 2 OU and separate them with ; |
| ranger.usersync.ldap.user.objectclass | user | double check the same |
| ranger.usersync.ldap.user.searchfilter | (memberOf=CN=HADOOP_ACCESS,DC=example,DC=com) | if you want to filter specific users to be synced in ranger and not your entire AD |
| ranger.usersync.ldap.user.nameattribute | sAMAccountName | double check the same |
| ranger.usersync.ldap.user.groupnameattribute | memberOf | double check the same |
| ranger.usersync.user.searchenabled | true | |
| ranger.usersync.group.searchbase | OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync |
| ranger.usersync.group.objectclass | group | double check the same |
| ranger.usersync.group.searchfilter | (cn=hadoop_*) | if you want to sync specific groups not all AD groups |
| ranger.usersync.group.nameattribute | cn | double check the same |
| ranger.usersync.group.memberattributename | member | double check the same |
| ranger.usersync.group.search.first.enabled | true | |
| ranger.usersync.truststore.file | /path/to/truststore-file | |
| ranger.usersync.truststore.password | TRUST_STORE_PASSWORD | |

There are some helpful links about how to construct complex LDAP search queries: Search Filter Syntax - Win32 apps | Microsoft Docs

Best Regards,
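
One way to check the user side of the configuration in the reply above, as an added example (not from the thread or from the Ranger project): the script prints the OpenLDAP `ldapsearch` commands for the user search bases and filter in the table, using the table's placeholder values. That UserSync ANDs the object class with the search filter is an assumption here.

```shell
#!/bin/sh
# Added example: print the ldapsearch commands that reproduce a UserSync user
# lookup, so the result can be compared with what appears in Ranger.
# Values are the placeholder ones from the table in the reply above.
LDAP_URL='ldaps://myldapserver.example.com'
BIND_DN='myuser@example.com'
USER_BASES='OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com'
USER_OBJECTCLASS='user'
USER_FILTER='(memberOf=CN=HADOOP_ACCESS,DC=example,DC=com)'
NAME_ATTR='sAMAccountName'
GROUP_ATTR='memberOf'

# Combine object class and optional search filter into one LDAP filter.
# Assumption: UserSync ANDs the two; an empty filter leaves only the class test.
user_filter() {
    oc="(objectClass=$1)"
    f="$2"
    if [ -z "$f" ]; then
        printf '%s\n' "$oc"
        return
    fi
    # Accept a filter written without its outer parentheses.
    case "$f" in
        \(*\)) ;;
        *) f="($f)" ;;
    esac
    printf '(&%s%s)\n' "$oc" "$f"
}

# Emit one ldapsearch command per search base (bases are separated by ';').
# -W prompts for the bind password so it never lands in shell history.
build_cmds() {
    filter=$(user_filter "$USER_OBJECTCLASS" "$USER_FILTER")
    old_ifs=$IFS
    IFS=';'
    for base in $USER_BASES; do
        [ -n "$base" ] || continue
        printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' -s sub '%s' %s %s\n" \
            "$LDAP_URL" "$BIND_DN" "$base" "$filter" "$NAME_ATTR" "$GROUP_ATTR"
    done
    IFS=$old_ifs
}

build_cmds
```

Run the printed commands from the UserSync host with the same bind account: if they return no entries, the user search base or filter is excluding the users, while a TLS error points at the certificates rather than the filter.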