Ranger admin password authentication from OpenLDAP


Hello Team,

I have a query about Ranger admin account authentication being done from the OpenLDAP server.

-- When I log in to the Ranger UI, it asks for credentials; I enter the defaults, i.e. admin - admin, and it logs me in.


Ranger is integrated with OpenLDAP by updating the LDAP configs in ranger - config - advanced - common configs, users config and group configs.

Question 1: Now if I log back in to the Ranger UI, will it accept the Ranger default admin credential or will it accept the OpenLDAP admin credential?


The Ranger plugin for any service like HDFS has a username/password mentioned, which is also admin/admin by default.

After integrating with OpenLDAP, does the OpenLDAP admin password need to be updated in the UI of the Ranger HDFS plugin and under hdfs service - config - ranger-hdfs-plugin properties?

- Vijay Mishra


Question 1:

-- Internal users will work fine even after LDAP integration. The 'admin' user is an internal user and it should work fine.

-- LDAP users are considered external users from Ranger's perspective and the Ranger UI should show them as external.

-- LDAP users should use the LDAP password to log in to Ranger.

Question 2:

-- No need to update any plugin properties.

-- In a Kerberos env, plugins use keytabs for downloading policies from Ranger. For resource lookup, the rangerlookup keytab is used.



Thanks for the reply.

Query on question 1:

So post LDAP integration, even if LDAP has a user admin in it, while logging in on the Ranger UI the user admin will get authenticated by the Ranger DB, not by OpenLDAP, right?

Query on Question2:

a. No Kerberos:

All plugin repos have a username/password defined, which is admin/admin, so post LDAP integration will the plugin repo get authenticated by the Ranger DB or OpenLDAP?

b. With Kerberos:

Do I need to create a separate/single principal/keytab for all plugin repos of Ranger like hdfs, hbase, kafka, yarn, etc.?

- Vijay Mishra


Internal users will be authenticated via the Ranger password while LDAP users will be authenticated by the LDAP password. If you want to designate an LDAP user as a "ranger admin" user, you need to change their role within the Ranger UI.

With Kerberos, Ambari will generate all required keytabs. The user name/password defined in the repo is used only for lookup (Ranger uses this information to talk to the actual service, so no LDAP or Ranger authentication here), so it needs to be configured as required.

Hope this helps.

