
Ranger Usersync is not fetching users and groups from LDAPS/AD

Contributor

HDP 2.3, Ambari 2.2

Please see the Ranger usersync log below. The users and groups are not being fetched from LDAPS/AD by Ranger usersync.

INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://xxx-pro-ods-ed.infra.xxxcorp.net:636,  ldapBindDn: cn=ranger_ldap,ou=Applications,o=zz.com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: o=zz.com,  userSearchBase: o=zz.com,  userSearchScope: 2,  userObjectClass: person,  userSearchFilter: (|(memberof=uid={0},ou=Peoples,o=zz.com)(memberof=cn=ranger_ldap,ou=Applications,o=zz.com)),  extendedUserSearchFilter: (&(objectclass=person)(|(memberof=uid={0},ou=Peoples,o=zz.com)(memberof=cn=ranger_ldap,ou=Applications,o=zz.com))),  userNameAttribute: uid,cn,  userSearchAttributes: [uid,cn, memberof, ismemberof],  userGroupNameAttributeSet: [memberof, ismemberof],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: true,  groupSearchBase: ou=Groups,o=zz.com,  groupSearchScope: 2,  groupObjectClass: groupofnames,  groupSearchFilter: (|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com)),  extendedGroupSearchFilter: (&(objectclass=groupofnames)(|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com))(member={0})),  extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)(|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com))),  groupMemberAttributeName: member,  groupNameAttribute: cn,  groupUserMapSyncEnabled: true,  ldapReferral: ignore 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 0 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started 
INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://xxx-pro-ods-ed.infra.xxxcorp.net:636,  ldapBindDn: cn=ranger_ldap,ou=Applications,o=zz.com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: o=zz.com,  userSearchBase: o=zz.com,  userSearchScope: 2,  userObjectClass: person,  userSearchFilter: (|(memberof=uid={0},ou=Peoples,o=zz.com)(memberof=cn=ranger_ldap,ou=Applications,o=zz.com)),  extendedUserSearchFilter: (&(objectclass=person)(|(memberof=uid={0},ou=Peoples,o=zz.com)(memberof=cn=ranger_ldap,ou=Applications,o=zz.com))),  userNameAttribute: uid,cn,  userSearchAttributes: [uid,cn, memberof, ismemberof],  userGroupNameAttributeSet: [memberof, ismemberof],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: true,  groupSearchBase: ou=Groups,o=zz.com,  groupSearchScope: 2,  groupObjectClass: groupofnames,  groupSearchFilter: (|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com)),  extendedGroupSearchFilter: (&(objectclass=groupofnames)(|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com))(member={0})),  extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)(|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(memberof=cn=edl_*,ou=Groups,o=zz.com))),  groupMemberAttributeName: member,  groupNameAttribute: cn,  groupUserMapSyncEnabled: true,  ldapReferral: ignore 
INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
8 REPLIES

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

@Sushil Saxena

You have to provide proper settings in the Ranger configs for AD or LDAP. Take a look at this: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_Install_Guide/content/configuring...

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Hi Neeraj,

I had a question.

If he just wants to sync the users into Ranger, shouldn't he set these settings: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_Install_Guide/content/ranger_user_...

If he wants to authenticate against his AD credentials in Ranger, then he should follow your link as well, apart from the one above. Let me know.

Mangesh

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Expert Contributor

@Sushil Saxena

The userSearchFilter: (|(memberof=uid={0},ou=Peoples,o=zz.com)(memberof=cn=ranger_ldap,ou=Applications,o=zz.com)) looks different to me. Can you please let me know what you are trying to do? Also, userNameAttribute: uid,cn, we don't support multiple values for user name attribute. Can you please check?
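The points raised in the post above can be checked mechanically before a sync run. This is an added example, not part of the original post and not Ranger code: `extended_filter` and `lint` are hypothetical helpers, the composition rule is copied from the extended filters printed in the log, and the two sample filters are taken from that same log.

```python
import re

# DN-valued attributes: LDAP defines no substring matching rule for DN syntax,
# so "cn=edl_*,ou=..." cannot match anything (a bare presence test "=*" is fine).
DN_VALUED = {"memberof", "ismemberof", "member", "uniquemember"}

# Sample values copied from the usersync log in the question.
USER_FILTER = ("(|(memberof=uid={0},ou=Peoples,o=zz.com)"
               "(memberof=cn=ranger_ldap,ou=Applications,o=zz.com))")
GROUP_FILTER = ("(|(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)"
                "(memberof=cn=edl_*,ou=Groups,o=zz.com))")

def extended_filter(object_class, search_filter):
    """Compose (&(objectclass=X)<filter>) as the logged extended filters show."""
    if not search_filter:
        return f"(objectclass={object_class})"
    return f"(&(objectclass={object_class}){search_filter})"

def assertions(ldap_filter):
    """Yield (attribute, value) for each simple '=' assertion in the filter."""
    # The value runs to the next ')' so DN values with '=' and ',' stay whole.
    pattern = r"\(([A-Za-z][\w;.-]*)=([^()]*)\)"
    for attr, value in re.findall(pattern, ldap_filter):
        yield attr.lower(), value

def lint(name_attribute, object_class, search_filter):
    """Return (extended filter, findings) for one configured search filter."""
    findings = []
    if "," in name_attribute:
        # Per the reply above, only a single name attribute is supported.
        findings.append("name attribute lists more than one attribute")
    ext = extended_filter(object_class, search_filter)
    for attr, value in assertions(ext):
        if "{0}" in value:
            # Assumption drawn from the log: the logged extended user filter
            # still contains {0}, so it reaches the server as literal text.
            findings.append(f"literal {{0}} placeholder in {attr} assertion")
        if attr in DN_VALUED and "*" in value and value != "*":
            findings.append(f"wildcard inside DN-valued {attr} assertion")
    return ext, findings

if __name__ == "__main__":
    for args in (("uid,cn", "person", USER_FILTER),
                 ("cn", "groupofnames", GROUP_FILTER)):
        ext, findings = lint(*args)
        print(ext)
        for finding in findings:
            print("  -", finding)
```

A filter with no findings can still return zero users if the directory does not populate memberof on user entries; the lint covers only the three points above.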

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Contributor

ranger_ldap is a bind user with cn=ranger_ldap, ou=Application,o=zz.com, but other users have uid={0}, ou=Peoples,o=zz.com.

My objective is to get a few groups and their member users in the Ranger usersync.

I also tried the following (the groups are synchronized but users are missing):

userSearchFilter: (|(cn=TEAM_EDL_Dev,ou=Groups,o=zz.com)(cn=edl_core_dev,ou=Groups,o=zz.com))

GroupSearchFilter is: (|(cn=TEAM_EDL_Dev)(cn=edl_core_dev))

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Contributor

@Neeraj Sabharwal

I am able to fetch groups, but users within groups are not being fetched. Here is the User Search Filter:

(&(objectClass=inetOrgPerson)(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com))

Username Attribute: uid

User Group Name Attribute: cn

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

@Sushil Saxena @Neeraj Sabharwal

Can you try this? In your case, instead of objectClass=user, you may need to try objectClass=inetOrgPerson.

(&(objectClass=user)(|(memberof=CN=Group1,OU=Unix,OU=Groups,o=zz.com)(memberof=CN=Group2,OU=PrivilegedAccessGGs,OU=Groups,o=zz.com)))

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Contributor

@Shishir Saxena @Neeraj Sabharwal

With object class: person, and user search filter: empty, it fetched all users from all groups.

To filter users, I tried this user search filter:

(&(objectClass=person)(memberof=cn=TEAM_EDL_Dev,ou=Groups,o=zz.com))

User Group Name Attribute: cn (I also tried memberof, ismemberof)

Nothing works out. No users have been fetched at all.

Re: Ranger Usersync is not fetching users and groups from LDAPS/AD

Hi Sushil,

Has this query been resolved? If yes, what is the solution?

Regards,

Mangesh