Created 09-07-2017 06:29 AM
Ranger is not getting updated with all the Active Directory accounts.
select * from x_portal_user; ---> does not show Active Directory accounts.
ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info -- Connection reset
Kerberos was successfully implemented. After enabling Kerberos, we set the following values for Ranger:
1) ranger.usersync.kerberos.keytab : /etc/security/keytabs/rangerusersync.service.keytab
2) ranger.usersync.kerberos.principal : rangerusersync/_HOST@DEV.DATAQUEST.COM
3) ranger.usersync.policymgr.username : rangerusersync
But klist for the keytab shows the principal as: rangerusersync/rng-node1.dev.dataquest.com@DEV.DATAQUEST.COM
Note: we do not have any SSL implementation, and a certificate or keystore and truststore is not needed for us.
Below is the error message from usersync.log:
```
07 Sep 2017 05:02:42 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info : com.sun.jersey.api.client.ClientHandlerException: java.net.SocketException: Connection reset
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)
    at com.sun.jersey.api.client.Client.handle(Client.java:648)
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo(PolicyMgrUserGroupBuilder.java:567)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500(PolicyMgrUserGroupBuilder.java:72)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:539)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:535)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo(PolicyMgrUserGroupBuilder.java:535)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:340)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:327)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:210)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:735)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:706)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1569)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:249)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
    ... 15 more
07 Sep 2017 05:02:42 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
07 Sep 2017 05:02:43 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0
```
Any help is really appreciated.
Created 09-07-2017 07:46 AM
Could you give me the below parameters:
Ranger --> Configs --> Ranger info
Ranger --> Configs --> Advanced
What's your GROUP SEARCH BASE and GROUP SEARCH FILTER?
Did you add new properties in the custom ranger-site like
ranger.ldap.ad.base.dn
ranger.ldap.ad.bind.dn
ranger.ldap.ad.bind.password
ranger.ldap.ad.referral
Please revert.
Created 09-07-2017 03:14 PM
Good Morning Geoffrey
FYI
```
ranger.ldap.group.searchfilter = (member=uid={0},ou=Users,dc=dev,dc=dataquest,dc=com)
ranger.ldap.group.searchbase = dc=dev,dc=dataquest,dc=com
```
******** Rest of my configuration is as below ********

---- common configs ----
```
ranger.usersync.source.impl.class = LDAP/AD
ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.ldap.url = ldaps://ad.dev.dataquest.com:636
ranger.usersync.ldap.binddn = ad-auth
ranger.usersync.ldap.ldapbindpassword = xxxxxxxxxxxx
```

---- user configs ----
```
ranger.usersync.ldap.user.searchbase = dc=dev,dc=dataquest,dc=com
ranger.usersync.ldap.user.searchfilter = (objectcategory=person)
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.objectclass = person
ranger.usersync.ldap.user.nameattribute = sAMAccountName
ranger.usersync.ldap.user.groupnameattribute = memberof,ismemberof
```

---- group configs ----
```
ranger.usersync.group.searchbase = dc=dev,dc=dataquest,dc=com
ranger.usersync.group.searchfilter = ou=core,dc=dev,dc=dataquest,dc=com
ranger.usersync.group.objectclass = groupofnames
ranger.usersync.group.nameattribute = distinguishedName
ranger.usersync.group.memberattributename = member
ranger.usersync.group.searchenabled = true
ranger.usersync.group.search.first.enabled = false
```

---- Ranger --> Advanced --> LDAP settings ----
```
ranger.ldap.base.dn = dc=dev,dc=dataquest,dc=com
ranger.ldap.bind.dn = ad-auth
ranger.ldap.bind.password = xxxxxxxx
ranger.ldap.group.roleattribute = uid
ranger.ldap.referral = ignore
ranger.ldap.url = ldaps://ad.dev.dataquest.com:636
ranger.ldap.user.dnpattern = cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com
ranger.ldap.user.searchfilter = (uid={0})
ranger.usersync.ldap.referral = follow
```

Go to "Advanced ranger-admin-site" and set below properties:
```
ranger.ldap.group.searchfilter = (member=uid={0},ou=Users,dc=dev,dc=dataquest,dc=com)
ranger.ldap.group.searchbase = dc=dev,dc=dataquest,dc=com
```

Go to "Advanced ranger-ugsync-site" and set below properties:
```
ranger.usersync.ldap.username.caseconversion = none
ranger.usersync.ldap.searchBase = dc=dev,dc=dataquest,dc=com
ranger.usersync.group.searchscope = sub
ranger.usersync.ldap.groupname.caseconversion = none
ranger.usersync.ldap.bindalias = testldapalias
ranger.usersync.sink.impl.class = org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
```

Advanced ranger-tagsync-site:
```
ranger.tagsync.dest.ranger.ssl.config.filename =
```

Advanced ranger-ugsync-site:
```
ranger.usersync.truststore.file =
ranger.usersync.sleeptimeinmillisbetweensynccycle = 86400000
```
****************************************
Waiting for your valuable suggestion.
Created 09-08-2017 08:39 AM
From the details you have provided, there has not been any value set for ranger.usersync.truststore.file,
but I can see that you are using LDAP"S". There has not been any trust established; it looks like that's the reason for the connection timeout while you are connecting to the LDAP server.
Can I request you to add the certificate of the LDAP server to the truststore and update the truststore password (if you set one)?
One more thing:
I can see ranger.ldap.user.searchfilter = (uid={0}) and ranger.usersync.ldap.user.nameattribute = sAMAccountName.
Can you please check what exactly the attribute for the user is? If it happens to be AD (Microsoft), can you please update to
ranger.ldap.user.searchfilter = (sAMAccountName=* or cn=*)
And lastly, to validate the connection you may use the following ldapsearch command before you make any changes to the configuration; make sure the search base and search strings are working as expected and producing only one result.
```
ldapsearch -x -H ldaps://<ldap_server>:636 -b "<search base>" -D "<bind user string>" -w <bind password> <filter condition>
```
In your case:
search base: ou=Users,dc=dev,dc=dataquest,dc=com
bind user string: cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com
bind password: <xxxxxx>
filter condition: sAMAccountName=<test_user in AD> # or, if it happens to have a uid attribute, uid=<testuser>
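The ldapsearch check above, as an added example that is not part of the reply or of Apache Ranger: a small Python wrapper that composes the same command, uses an AD user filter in the prefix form LDAP actually parses (`(&(a)(b))`), reads the bind password from a file with `-y` instead of putting it on the command line, and counts the entries that come back so the check only passes when exactly one user matches. The hostnames, DNs, the password file path and the sample LDIF are constructed for the example; `parse_ldif_dns` is the part that runs offline.

```python
"""Pre-check an AD bind and user lookup with ldapsearch.

Added example (not from the thread or from Apache Ranger). The hostnames,
DNs, file path and sample LDIF below are constructed for the example.
"""
import base64
import subprocess


def ad_user_filter(username):
    """Filter for one AD user. LDAP filters use prefix operators, e.g.
    (&(a)(b)) / (|(a)(b)); RFC 4515 metacharacters in the value are escaped
    so a name like "a*b" cannot widen the search."""
    escaped = (username.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return f"(&(objectCategory=person)(sAMAccountName={escaped}))"


def ldapsearch_argv(url, base, bind_dn, password_file, ldap_filter):
    """Same shape as the command in the reply above, but the bind password
    comes from a file via -y (so it is not visible in `ps` or shell history)
    and the attribute list 1.1 asks for no attributes, so only dn lines return."""
    return ["ldapsearch", "-x", "-LLL", "-H", url, "-b", base, "-D", bind_dn,
            "-y", password_file, ldap_filter, "1.1"]


def parse_ldif_dns(ldif_text):
    """Return the DN of every entry in LDIF output. Handles folded lines
    (continuation lines start with one space) and base64 DNs (`dn::`)."""
    dns, current, is_b64 = [], None, False

    def flush():
        nonlocal current
        if current is not None:
            dns.append(base64.b64decode(current).decode("utf-8") if is_b64 else current)
            current = None

    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        flush()
        if raw.startswith("dn::"):
            current, is_b64 = raw[4:].strip(), True
        elif raw.startswith("dn:"):
            current, is_b64 = raw[3:].strip(), False
    flush()
    return dns


def run_ldapsearch(argv):
    """Real runner: execute ldapsearch and return its LDIF output."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def user_lookup_is_unique(url, base, bind_dn, password_file, username, run=run_ldapsearch):
    """True when the filter matches exactly one entry; the DNs are returned
    too, so an over-broad search base or filter is visible."""
    argv = ldapsearch_argv(url, base, bind_dn, password_file, ad_user_filter(username))
    dns = parse_ldif_dns(run(argv))
    return len(dns) == 1, dns


# Constructed LDIF, as ldapsearch -LLL prints it for one matching user.
SAMPLE_LDIF = "dn: CN=Jane Doe,OU=Users,DC=dev,DC=dataquest,DC=com\n\n"

if __name__ == "__main__":
    ok, dns = user_lookup_is_unique(
        "ldaps://ad.dev.dataquest.com:636", "dc=dev,dc=dataquest,dc=com",
        "cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com",
        "/etc/ranger/usersync/conf/bind.pw", "jdoe")
    print("unique" if ok else f"expected one entry, got {len(dns)}", dns)
```

The password file given to `-y` is read verbatim, including any trailing newline, so create it with `printf '%s' "$PW" > file` and `chmod 600` it. Requesting `1.1` keeps the output to `dn:` lines, which is all a uniqueness check needs.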
Created 09-11-2017 05:46 PM
Hi Raju Sir,
Our issue got resolved. We had a VIP (HA for Ranger). policymgr_external_url was set to the VIP name, which was not resolving correctly. When we changed policymgr_external_url to the actual hostname, we could see AD accounts coming into Ranger.
Thanks for all your support and follow-up. Good work, you guys.
Regards
JJ
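The thread ended on a name that did not resolve, not on the LDAP side: the "Connection reset" came from usersync's HTTP POST to the policy manager. As an added example (not from the thread or from Apache Ranger), here is an offline pre-flight check for a usersync node covering the three things the thread touches: the host in policymgr_external_url must resolve from the node; the `_HOST` placeholder in ranger.usersync.kerberos.principal is assumed to be expanded to the node's FQDN at start-up, the usual Hadoop-style convention, which is why klist showing rangerusersync/rng-node1.dev.dataquest.com@DEV.DATAQUEST.COM is the expected result, so the check confirms that expanded name is in the keytab; and an ldaps:// usersync URL with an empty ranger.usersync.truststore.file is flagged as a warning rather than an error, since the JVM's default truststore may already carry the AD issuer (the thread was resolved without touching it). The property values, the klist output and the resolver injection are constructed for the example.

```python
"""Offline pre-flight checks for a Ranger usersync node.

Added example, not from the thread or from Apache Ranger. Property values,
the klist output and the hostnames are constructed for the example.
"""
import socket
from urllib.parse import urlsplit

# Constructed values using the property names from the thread. The VIP name
# stands in for the failure the thread ended on: a name the node cannot resolve.
SAMPLE_CONFIG = {
    "policymgr_external_url": "http://ranger-vip.dev.dataquest.com:6080",
    "ranger.usersync.kerberos.principal": "rangerusersync/_HOST@DEV.DATAQUEST.COM",
    "ranger.usersync.ldap.url": "ldaps://ad.dev.dataquest.com:636",
    "ranger.usersync.truststore.file": "",
}

# Constructed `klist -kt /etc/security/keytabs/rangerusersync.service.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/security/keytabs/rangerusersync.service.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 09/06/17 10:00:00 rangerusersync/rng-node1.dev.dataquest.com@DEV.DATAQUEST.COM
   2 09/06/17 10:00:00 rangerusersync/rng-node1.dev.dataquest.com@DEV.DATAQUEST.COM
"""


def keytab_principals(klist_output):
    """Principals listed by `klist -kt`; data rows are KVNO, date, time, principal."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and "@" in parts[3]:
            found.add(parts[3])
    return found


def expand_host(principal, fqdn):
    """Replace the _HOST placeholder with the node's FQDN, as assumed to happen
    at service start-up. Kerberos principals are case-sensitive, so pass the
    FQDN exactly as the keytab was created."""
    return principal.replace("_HOST", fqdn)


def resolves(host):
    """Real resolver: True when the name resolves on this node."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def preflight(config, klist_output, local_fqdn, resolve=resolves):
    """Return a list of findings ("ERROR: ..." / "WARN: ..."); empty means all passed."""
    findings = []

    pm = urlsplit(config.get("policymgr_external_url", ""))
    if pm.scheme not in ("http", "https") or not pm.hostname:
        findings.append("ERROR: policymgr_external_url is not an http(s) URL with a host")
    elif not resolve(pm.hostname):
        findings.append(f"ERROR: policymgr_external_url host does not resolve: {pm.hostname}")

    wanted = expand_host(config["ranger.usersync.kerberos.principal"], local_fqdn)
    if wanted not in keytab_principals(klist_output):
        findings.append(f"ERROR: keytab has no entry for {wanted}")

    ldap = urlsplit(config.get("ranger.usersync.ldap.url", ""))
    if ldap.scheme == "ldaps" and not config.get("ranger.usersync.truststore.file"):
        # A warning only: the JVM default truststore may already trust the AD issuer.
        findings.append("WARN: ldaps:// usersync URL but ranger.usersync.truststore.file is empty")

    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG, SAMPLE_KLIST, "rng-node1.dev.dataquest.com"):
        print(finding)
```

Run it on the usersync node with the real properties and the real `klist -kt` output; the resolver is injectable so the checks can also be exercised without network access.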