Support Questions
Find answers, ask questions, and share your expertise

Ranger - sync users from AD based on group name

Solved Go to solution

Ranger - sync users from AD based on group name

Explorer

Hi,

I need to synchronize users from AD to Ranger. My requirement is fairly simple: synchronize all users who belong to specific groups. The group names are prefixed with a specific keyword. I found a way to achieve this, but I am wondering if there's a better way.

What's important, I want to use the AD attribute "sAMAccountName" as the user name.

In Ambari, in the Ranger User Info tab I tried certain combinations of usersync parameters.

1. At first I tried:

  • Group Search Filter: (cn=myprefix*)
  • Enable Group Sync: YES
  • Enable Group Search First: YES
  • Enable User Search: NO

This was almost what I wanted, but there is a problem with that. The user name is taken directly from the "member" attribute in the group record and in my case it is different from sAMAccountName.

2. I changed the above settings to:

  • Group Search Filter: (cn=myprefix*)
  • Enable Group Sync: YES
  • Enable Group Search First: YES
  • User Search Filter: (memberOf=cn=myprefix*)
  • Enable User Search: YES
  • Group User Map Sync: YES

Unfortunately this doesn't work because LDAP built into AD does not support wildcard queries on the memberOf attribute (at least the version I have).

3. I changed the above settings to:

  • Group Search Filter: (cn=myprefix*)
  • Enable Group Sync: YES
  • Enable Group Search First: YES
  • User Search Filter: (|(memberOf=CN=myprefix-group1,CN=Users,DC=mydomain,DC=local)(memberOf=CN=myprefix-group2,CN=Users,DC=mydomain,DC=local))
  • Enable User Search: YES
  • Group User Map Sync: YES

And this does what I want. The problem I have with it is that I need to clearly specify the names of the groups in the user search filter. The group names and the number of them will change in the future and I would like to avoid changing the filter each time. Is it possible at all?

Thanks and Regards,

Pit

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Ranger - sync users from AD based on group name

Expert Contributor

@Pit Err,

You are in right direction with option #3 above. One minor change is that, you can use "cn=*" in the user search filter instead. When group search first is enabled and user search is enabled, then the logic is -

1. First sync all the groups based on the group configuration (including group search base and group search filter).

2. Cache all the members for each group using the member attribute.

3. For syncing the users -

a. If user search is not enabled, then just use the short name for the user names (from member attribute of the user)

b. If user search is enabled, then sync the users based on the user configuration (including user search base and user search filter) and the cached users from step2. For the users that are in the cache, update the username with samaccountname retrieved from the user search. Discard all the other users from the user search base and user search filter that doesn't match the cached users from step2. Effectively, you are just getting all the users from the groups that are sync'd from step1.

Hope this helps,

Thanks,

Sailaja.

View solution in original post

2 REPLIES 2

Re: Ranger - sync users from AD based on group name

Expert Contributor

@Pit Err,

You are in right direction with option #3 above. One minor change is that, you can use "cn=*" in the user search filter instead. When group search first is enabled and user search is enabled, then the logic is -

1. First sync all the groups based on the group configuration (including group search base and group search filter).

2. Cache all the members for each group using the member attribute.

3. For syncing the users -

a. If user search is not enabled, then just use the short name for the user names (from member attribute of the user)

b. If user search is enabled, then sync the users based on the user configuration (including user search base and user search filter) and the cached users from step2. For the users that are in the cache, update the username with samaccountname retrieved from the user search. Discard all the other users from the user search base and user search filter that doesn't match the cached users from step2. Effectively, you are just getting all the users from the groups that are sync'd from step1.

Hope this helps,

Thanks,

Sailaja.

View solution in original post

Re: Ranger - sync users from AD based on group name

Explorer

@spolavarapu

Thank you. This works as I wanted.

Previously I missed the point that when "group search first"=YES and "enable user serch"=YES, the usersync service does a kind of join between the list of users extracted from group definitions and the users from user search query.

In my case i must implement a small optimization. The AD, I will bind to eventually, is a large directory of users. I don't want the user search to get the whole directory so I created an additional group. It'll be used expose it's members to Hadoop. Of course I added the group to the user search filter. To make a user available in Ranger, I will add it to this group and other, more specific groups (which will act as roles).

Regards,

Pit