
Ranger is not getting updated with all the Active Directory accounts in kerberos enabled environment.


Ranger is not getting updated with all the Active Directory accounts.

select * from x_portal_user; ---> does not show Active Directory accounts.

ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info -- Connection reset

Kerberos was successfully implemented. After enabling Kerberos, we set the following values for Ranger.

1) ranger.usersync.kerberos.keytab : /etc/security/keytabs/rangerusersync.service.keytab

2) ranger.usersync.kerberos.principal : rangerusersync/_HOST@DEV.DATAQUEST.COM

3) ranger.usersync.policymgr.username : rangerusersync

But klist for the keytab shows the principal as : rangerusersync/

Note : we do not have any SSL implementation, and a certificate, keystore or truststore is not needed for us.

Below is the error message from usersync.log:


07 Sep 2017 05:02:42 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info : com.sun.jersey.api.client.ClientHandlerException: Connection reset at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle( at com.sun.jersey.api.client.Client.handle( at com.sun.jersey.api.client.WebResource.handle( at com.sun.jersey.api.client.WebResource.access$200( at com.sun.jersey.api.client.WebResource$ at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo( at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500( at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$ at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$ at Method) at at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo( at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser( at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink( at at Caused by: Connection reset at at at at at at at at at at at at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke( at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle( ... 15 more
07 Sep 2017 05:02:42 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
07 Sep 2017 05:02:43 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0


Any help is really appreciated.



@Jacqualin jasmin

Could you give me the below parameters:

Ranger -->Configs-->Ranger info

Ranger -->Configs-->Advanced


Did you add new properties in the custom ranger-site like

Please revert


Good Morning Geoffrey

FYI (member=uid={0},ou=Users,dc=dev,dc=dataquest,dc=com) dc=dev,dc=dataquest,dc=com

********Rest of my configuration is as below ******

---- common configs -----

ranger.usersync.source.impl.class = LDAP/AD

ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder

ranger.usersync.ldap.url=ldaps://
ranger.usersync.ldap.binddn=ad-auth
ranger.usersync.ldap.ldapbindpassword=xxxxxxxxxxxx

------- user configs

ranger.usersync.ldap.user.searchbase = dc=dev,dc=dataquest,dc=com
ranger.usersync.ldap.user.searchfilter = (objectcategory=person)
ranger.usersync.ldap.user.searchscope = sub

ranger.usersync.ldap.user.objectclass = person

ranger.usersync.ldap.user.nameattribute = sAMAccountName
ranger.usersync.ldap.user.groupnameattribute = memberof,ismemberof

------------------ group configs --------------------------------------------------
= dc=dev,dc=dataquest,dc=com
= ou=core,dc=dev,dc=dataquest,dc=com
= groupofnames
= distinguishedName
= member
= true

--------------------- Ranger --> Advanced --> LDAP settings

ranger.ldap.base.dn = dc=dev,dc=dataquest,dc=com

ranger.ldap.bind.dn =ad-auth

ranger.ldap.bind.password=xxxxxxxx
= uid

ranger.ldap.referral = ignore

ranger.ldap.url = ldaps://

ranger.ldap.user.dnpattern = cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com
ranger.ldap.user.searchfilter =(uid={0})

ranger.usersync.ldap.referral = follow

ranger.ldap.user.dnpattern= cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com uid

“Advanced ranger-admin-site” and set below properties:
(member=uid={0},ou=Users,dc=dev,dc=dataquest,dc=com)
dc=dev,dc=dataquest,dc=com

Go to “Advanced ranger-ugsync-site” and set below properties:
ranger.usersync.ldap.username.caseconversion= none
ranger.usersync.ldap.searchBase=dc=dev,dc=dataquest,dc=com
sub
ranger.usersync.ldap.groupname.caseconversion= none

ranger.usersync.ldap.bindalias= testldapalias


*************** Advanced ranger-tagsync-site
ranger.tagsync.dest.ranger.ssl.config.filename=

Advanced ranger-ugsync-site


ranger.usersync.sleeptimeinmillisbetweensynccycle = 86400000


Waiting for your valuable suggestion.


hi @Jacqualin jasmin,

From the details you have provided, no value has been set for ranger.usersync.truststore.file,

but I can see that you are using LDAP"S". No trust has been established, which looks like the reason for the connection timeout while you are connecting to the LDAP server.

Can I request you to add the certificate of the LDAP server to the trust store and update the trust store password (if you have set one)?

One more thing is that,

I can see, ranger.ldap.user.searchfilter =(uid={0}) and ranger.usersync.ldap.user.nameattribute = sAMAccountName

Can you please check what exactly the attribute for the user is? If it happens to be AD (Microsoft), can you please update it to

ranger.ldap.user.searchfilter =(sAMAccountName=* or cn=*)

And lastly, to validate the connection you may use the following ldapsearch command before you make any changes to the configuration. Make sure the search base and search strings are working as expected and producing only one result.

ldapsearch -x -H ldaps://<ldap_server>:636 -b "<search base>"  -D "<bind user string>" -w <bind password> <filter Condition>
in your case :
    search base     : ou=Users,dc=dev,dc=dataquest,dc=com
    bind user string: cn=ldapadmin,ou=Users,dc=dev,dc=dataquest,dc=com
    bind password   :<xxxxxx>
    filter Condition : sAMAccountName=<test_user in AD>     #or if it happens to have a uid attribute then uid=<testuser>


Hi Raju Sir,

Our issue got resolved. We had a VIP (HA for Ranger). policymgr_external_url was set to the VIP name, which was not resolving correctly. When we changed policymgr_external_url to the actual hostname, we could see AD accounts coming into Ranger.

Thanks for all your support and follow-up. Good work, you guys.
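The thread turns on three settings that are easy to verify before touching Ambari: an ldaps:// URL with no truststore (Raju's first point), a uid-based admin filter against an AD directory that names users by sAMAccountName (his second point), and a policymgr_external_url whose host does not resolve (the final resolution). The pre-flight linter below is added example code written for this thread; it is not part of Apache Ranger, Ambari, or the poster's configuration. It assumes only the property names that appear in the thread; every host name in the sample config is a labelled placeholder and DNS is replaced by a fake resolver so the script runs offline.

```python
"""Pre-flight linter for the Ranger LDAP/usersync properties discussed in this thread.

Hypothetical helper, not part of Apache Ranger or Ambari. It parses Java-style
properties text and reports the three problems the thread turns on:
  1. an ldaps:// usersync URL with no ranger.usersync.truststore.file set,
  2. an admin search filter keyed on uid while usersync names users by sAMAccountName,
  3. a policymgr_external_url whose host name does not resolve (the VIP in the resolution).
"""
import re
import socket
from urllib.parse import urlsplit

# 'key = value' or 'key: value'; only the first separator splits, so DN values keep their '='.
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Parse properties text into a dict, skipping blank lines and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _resolves(host, resolve):
    """True if resolve(host) succeeds; resolvers signal failure with OSError."""
    try:
        resolve(host)
        return True
    except OSError:
        return False


def check_ranger_ldap(props, resolve=socket.gethostbyname):
    """Return [(property, problem), ...]; an empty list means every check passed."""
    findings = []

    # 1. LDAPS needs a trust anchor; without one the TLS handshake fails and the
    #    usersync log only shows a generic 'Connection reset'.
    url = props.get("ranger.usersync.ldap.url", "")
    if url.lower().startswith("ldaps://") and not props.get("ranger.usersync.truststore.file"):
        findings.append(("ranger.usersync.truststore.file",
                         "ldaps:// in use but no truststore configured for usersync"))

    # 2. AD logon names live in sAMAccountName; a uid-based admin filter will not
    #    match the accounts usersync imports under sAMAccountName.
    admin_filter = props.get("ranger.ldap.user.searchfilter", "").lower()
    name_attr = props.get("ranger.usersync.ldap.user.nameattribute", "").lower()
    if "uid=" in admin_filter and name_attr == "samaccountname":
        findings.append(("ranger.ldap.user.searchfilter",
                         "filter keys on uid while usersync names users by sAMAccountName"))

    # 3. usersync pushes users to policymgr_external_url; if that host does not
    #    resolve, LDAP lookups succeed but x_portal_user never gains the AD accounts.
    ext = props.get("policymgr_external_url", "")
    host = urlsplit(ext).hostname
    if ext and (host is None or not _resolves(host, resolve)):
        findings.append(("policymgr_external_url", f"host {host!r} does not resolve"))
    return findings


# Constructed sample mirroring the thread's settings; every host name is a placeholder.
SAMPLE_CONFIG = """
ranger.usersync.ldap.url=ldaps://ad-server.placeholder.invalid:636
ranger.usersync.ldap.binddn=ad-auth
ranger.usersync.ldap.ldapbindpassword=xxxxxxxx
ranger.usersync.ldap.user.nameattribute = sAMAccountName
ranger.ldap.user.searchfilter =(uid={0})
policymgr_external_url=http://ranger-vip.placeholder.invalid:6080
"""

# The same config after applying the thread's fixes (truststore path is a placeholder).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ranger.ldap.user.searchfilter =(uid={0})",
    "ranger.ldap.user.searchfilter =(sAMAccountName={0})",
).replace(
    "http://ranger-vip.placeholder.invalid:6080",
    "http://ranger-admin01.placeholder.invalid:6080",
) + "ranger.usersync.truststore.file=/path/to/placeholder-truststore.jks\n"

# Offline stand-in for DNS: only the real admin host is known, the VIP is not.
KNOWN_HOSTS = {"ranger-admin01.placeholder.invalid": "10.0.0.5"}


def fake_resolver(host):
    if host in KNOWN_HOSTS:
        return KNOWN_HOSTS[host]
    raise OSError(f"constructed resolver: unknown host {host}")


def lint(text, resolve=fake_resolver):
    """Parse and check one properties document."""
    return check_ranger_ldap(parse_properties(text), resolve=resolve)


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"== {label}")
        for key, problem in lint(cfg) or [("-", "no findings")]:
            print(f"  {key}: {problem}")
```

Against the posted config the script reports all three findings; against the fixed config it reports none. To use it on a real cluster, paste the ranger-ugsync-site and ranger-admin-site properties into the text and drop the `resolve=` override so `socket.gethostbyname` is used, which reproduces the VIP resolution failure from the thread's last post. When you then run the ldapsearch from Raju's answer, `-W` prompts for the bind password instead of placing it on the command line with `-w`, so it does not end up in shell history or the process list.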