
Ranger usersync don't sync ldap groups with memberUid


Explorer

Hello,

First of all, sorry for my English. When I try to sync LDAP with memberUid, it only syncs users but doesn't sync groups. This is the groups part of the log:

 groupSearchEnabled: true,  groupSearchBase: ou=Samba,dc=example,dc=es,  groupSearchScope: 2,  groupObjectClass: posixGroup,  groupSearchFilter: cn=*,  extendedGroupSearchFilter: (&(objectclass=posixGroup)(cn=*)(memberUid={0})),  extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(cn=*)),  groupMemberAttributeName: memberUid,  groupNameAttribute: cn,  groupUserMapSyncEnabled: false,  ldapReferral: ignore

The problem is that in my LDAP this is the search for groups:

slapd[8101]: conn=1034 op=6 SRCH base="ou=Samba,dc=example,dc=es" scope=2 deref=3 filter="(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))"

It always appends memberUid=uid=user.user,ou=Users,dc=example,dc=es

But we need memberUid=user.user

The following search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))'

Doesn't bring any result. I need this correct search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=user.user))'

Another thing: with the run.sh script in the ldaptool, the groups are synced correctly.

Please, help!!

Thanks

1 ACCEPTED SOLUTION


Re: Ranger usersync don't sync ldap groups with memberUid

Expert Contributor

@Blanca Sanz

Currently, Ranger usersync supports group sync based on the user's full name. Searching LDAP groups based on the user's short name (which is usually the case with the memberUid attribute value) is going to be supported in upcoming releases. The corresponding Apache Jira can be found at https://issues.apache.org/jira/browse/RANGER-893.

Meanwhile, the workaround is to use the File based Sync source.
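
The mismatch described in this thread, as an added example (not Ranger's code and not from the original posts): the sketch fills the logged filter template once with the full user DN and once with the short name taken from the DN's leading uid RDN, escaping the value for the filter, and checks both against constructed posixGroup data. The helper names and the sample groups are assumptions.

```python
import re

# Filter template from the usersync log on this page; {0} is the user value.
TEMPLATE = "(&(objectclass=posixGroup)(cn=*)(memberUid={0}))"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def first_rdn_value(dn, attr="uid"):
    """Return the value of the leading RDN if its type is `attr`, else None.

    Handles backslash-escaped characters such as '\\,'; hex pairs and
    multi-valued RDNs ('+') are not handled in this sketch.
    """
    m = re.match(r"\s*([A-Za-z][\w-]*)\s*=\s*((?:\\.|[^,\\])*)", dn)
    if not m or m.group(1).lower() != attr.lower():
        return None
    return re.sub(r"\\(.)", r"\1", m.group(2))

def group_filter(user_value):
    """Fill the template with an escaped user value."""
    return TEMPLATE.format(escape_filter_value(user_value))

def matching_groups(groups, member_value):
    """Emulate the memberUid equality match against in-memory group entries."""
    return sorted(cn for cn, members in groups.items() if member_value in members)

# Constructed sample data: posixGroup entries store short login names.
GROUPS = {"hadoop-users": ["user.user", "other.user"], "admins": ["other.user"]}
USER_DN = "uid=user.user,ou=Users,dc=example,dc=es"

if __name__ == "__main__":
    short = first_rdn_value(USER_DN)
    # Full DN as the member value: the filter seen in the slapd log, no groups.
    print(group_filter(USER_DN), matching_groups(GROUPS, USER_DN))
    # Short name as the member value: the filter the poster needs.
    print(group_filter(short), matching_groups(GROUPS, short))
```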


Re: Ranger usersync don't sync ldap groups with memberUid

Explorer

@Blanca Sanz As a workaround, if the groups you want to sync are associated with the users through the memberOf or ismemberof properties, then you can just disable Group Sync (set Enable Group Sync to No). That will cause groups to be synced based on the User Search Filter through the memberOf property. For example:

User Search Filter:

(|(memberOf=CN=Group1,OU=Users,DC=example,DC=es)(memberOf=CN=Group2,OU=Users,DC=example,DC=es))

User Group Name Attribute:

memberOf

That will sync those groups with Ranger and all associated users that are members of those groups.


Re: Ranger usersync don't sync ldap groups with memberUid

Explorer

Thanks for the answer, but I am using memberUid because I don't have the memberOf properties in my LDAP. It is for that reason that I'm trying to use memberUid.


Re: Ranger usersync don't sync ldap groups with memberUid

Explorer

@spolavarapu Thanks for your answer, that is exactly what I was looking for. So I'll wait for the next release; will it be soon?

Meanwhile, I would try to use File based Sync.
