Support Questions

blanca_sanz · ‎04-28-2016

Hello,

First of all, sorry for my english. When I try to sync ldap with memberUid, only sync users but don't sync groups. This is the part in the log with groups part:

 groupSearchEnabled: true,  groupSearchBase: ou=Samba,dc=example,dc=es,  groupSearchScope: 2,  groupObjectClass: posixGroup,  groupSearchFilter: cn=*,  extendedGroupSearchFilter: (&(objectclass=posixGroup)(cn=*)(memberUid={0})),  extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(cn=*)),  groupMemberAttributeName: memberUid,  groupNameAttribute: cn,  groupUserMapSyncEnabled: false,  ldapReferral: ignore

The problem is that in my LDAP this is the search for groups:

slapd[8101]: conn=1034 op=6 SRCH base="ou=Samba,dc=example,dc=es" scope=2 deref=3 filter="(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))"

Allways append memberUid=uid=user.user,ou=Users,dc=example,dc=es

But we need memberUid=user.user

The following search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))'

Doesn't bring any result. I need this correct search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=user.user))'

Other thing: with the script run.sh in the ldaptool the groups are sync correctly.

Please, help!!

Thanks

spolavarapu · ‎04-28-2016

@Blanca Sanz

Currently ranger usersync support group sync based on the user's full name. Searching LDAP groups based on user's short name (which is usually the case with memberuid attribute value) is going to be supported in upcoming releases. The corresponding apache Jira can be found at https://issues.apache.org/jira/browse/RANGER-893.

Meanwhile the work around is to use File based Sync source.

View solution in original post

aromero · ‎04-28-2016

@Blanca Sanz As a workaround, if the groups you want to sync are associated to the users through the memberOf or ismemberof properties, then you can just disable Group Sync (set Enable Group Sync to No). That will make groups to be sync'd based on the User Search Filter through the memberof property. For example:

User Search Filter:

(|(memberOf=CN=Group1,OU=Users,DC=example,DC=es)(memberOf=CN=Group2,OU=Users,DC=example,DC=es))

User Group Name Attribute:

memberOf

That will sync those groups with Ranger and all associated users that are members of those groups.

blanca_sanz · ‎04-28-2016

Thanks for the answer, but I am using memberUid because I don't have the memberOf properties in my LDAP. It is for that reason that I'm trying to use memberUid.

spolavarapu · ‎04-28-2016

@Blanca Sanz

Currently ranger usersync support group sync based on the user's full name. Searching LDAP groups based on user's short name (which is usually the case with memberuid attribute value) is going to be supported in upcoming releases. The corresponding apache Jira can be found at https://issues.apache.org/jira/browse/RANGER-893.

Meanwhile the work around is to use File based Sync source.

blanca_sanz · ‎04-29-2016

@spolavarapu Thanks for your answer, that is exactly what I was looking for. So I wait for the next release, it will be soon?

Meanwhile, I would try to use File based Sync.

Cloudera Community

Support Questions

Ranger usersync don't sync ldap groups with memberUid

Configuring ranger usersync with AD/LDAP Nested gr...

Configuring Ranger Usersync with AD/LDAP for a com...

Various options supported in Ranger Usersync with ...

Ranger usersync service not able to sync LDAP user...

Ranger Ldap Integration

NiFi Authentication with LDAP Groups

Apache Ranger LDAP / LDAPS configuration

LDAP User/Group Search Filter

Automate the Ambari LDAP sync

Ranger LDAP UserSync User Name Conflict