
Ranger usersync don't sync ldap groups with memberUid

Contributor

Hello,

First of all, sorry for my English. When I try to sync LDAP using memberUid, only the users are synced; the groups are not. This is the group-related part of the log:

 groupSearchEnabled: true,  groupSearchBase: ou=Samba,dc=example,dc=es,  groupSearchScope: 2,  groupObjectClass: posixGroup,  groupSearchFilter: cn=*,  extendedGroupSearchFilter: (&(objectclass=posixGroup)(cn=*)(memberUid={0})),  extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(cn=*)),  groupMemberAttributeName: memberUid,  groupNameAttribute: cn,  groupUserMapSyncEnabled: false,  ldapReferral: ignore

The problem is that in my LDAP this is the search for groups:

slapd[8101]: conn=1034 op=6 SRCH base="ou=Samba,dc=example,dc=es" scope=2 deref=3 filter="(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))"

It always appends memberUid=uid=user.user,ou=Users,dc=example,dc=es

But we need memberUid=user.user

The following search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))'

returns no results. The search I need is this one:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=user.user))'

Another thing: with the run.sh script in ldaptool, the groups are synced correctly.

Please, help!!

Thanks

1 ACCEPTED SOLUTION

Expert Contributor

@Blanca Sanz

Currently Ranger usersync supports group sync based on the user's full name. Searching LDAP groups based on the user's short name (which is usually the case with the memberUid attribute value) is going to be supported in upcoming releases. The corresponding Apache Jira can be found at https://issues.apache.org/jira/browse/RANGER-893.

Meanwhile, the workaround is to use the file-based sync source.

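The accepted answer points at the file-based sync source as the interim path, and the question notes that ldaptool's run.sh already resolves the posixGroup membership correctly. The script below is an added example (my own code, not Ranger's and not the poster's) that turns the posixGroup LDIF printed by ldapsearch into the text file that source reads. It assumes the file source's text format is one user per line, the user name followed by its group names with a configurable delimiter (in my experience the properties are ranger.usersync.filesource.file and ranger.usersync.filesource.text.delimiter; confirm against your release's ranger-ugsync-site.xml). The LDIF in SAMPLE_LDIF is constructed, not the poster's directory. Because names pulled from LDAP end up in a file a privileged daemon parses, the script refuses any user or group name that is not a plain identifier rather than writing it.

```python
# Added example: convert posixGroup LDIF (as ldapsearch prints it) into the text
# file consumed by Ranger usersync's file-based source. Assumption: the source
# reads "user<delim>group1<delim>group2" lines, one per user. Sample LDIF below
# is constructed, not data from the original post.
import base64
import re
import sys

SAMPLE_LDIF = """\
# constructed output of: ldapsearch -x -LLL -b ou=Samba,dc=example,dc=es '(objectClass=posixGroup)'
dn: cn=hadoop,ou=Samba,dc=example,dc=es
objectClass: posixGroup
cn: hadoop
gidNumber: 10001
memberUid: user.user
memberUid: other.user

dn: cn=hive,ou=Samba,dc=example,dc=es
objectClass: posixGroup
cn:: aGl2ZQ==
gidNumber: 10002
memberUid: user.user
"""

# Only plain account/group names reach the file; anything else coming out of
# the directory (delimiters, newlines, shell metacharacters) is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 (::)
    values, skips comments; returns a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):            # "attr:< url" is out of scope here
            raise ValueError("URL-valued attributes are not supported")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def attr_values(entry, attr):
    """Case-insensitive attribute lookup, since LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def user_groups(entries, delimiter=","):
    """Invert posixGroup memberUid lists into {uid: [sorted group names]}."""
    mapping = {}
    for entry in entries:
        classes = {c.lower() for c in attr_values(entry, "objectClass")}
        cn = attr_values(entry, "cn")
        if "posixgroup" not in classes or not cn:
            continue
        group = cn[0]
        for uid in attr_values(entry, "memberUid"):
            for name in (group, uid):
                if not SAFE_NAME.match(name) or delimiter in name:
                    raise ValueError(f"refusing unsafe name from LDAP: {name!r}")
            mapping.setdefault(uid, set()).add(group)
    return {uid: sorted(groups) for uid, groups in sorted(mapping.items())}


def render_usersync_file(mapping, delimiter=","):
    """One line per user: user<delim>group1<delim>group2 (assumed file-source format)."""
    return "".join(f"{uid}{delimiter}{delimiter.join(groups)}\n"
                   for uid, groups in mapping.items())


if __name__ == "__main__":
    # ldapsearch -x -LLL -b ou=Samba,dc=example,dc=es '(objectClass=posixGroup)' | python3 ldif2ugsync.py > users.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(render_usersync_file(user_groups(parse_ldif(text))))
```

Run it on the live ldapsearch output, write the result to the path configured as the file source, and re-run it on a schedule; the one thing worth keeping is the name check, since a group or uid containing the delimiter would silently merge or split lines in the file.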

4 REPLIES

Contributor

@Blanca Sanz As a workaround, if the groups you want to sync are associated with the users through the memberOf or isMemberOf properties, then you can just disable Group Sync (set Enable Group Sync to No). That will make groups be synced based on the User Search Filter through the memberOf property. For example:

User Search Filter:

(|(memberOf=CN=Group1,OU=Users,DC=example,DC=es)(memberOf=CN=Group2,OU=Users,DC=example,DC=es))

User Group Name Attribute:

memberOf

That will sync those groups with Ranger and all associated users that are members of those groups.
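The question's log and the workaround above both come down to what value ends up inside the filter and which attribute it is compared against. The following is an added example (my own Python, not Ranger code and not from either poster): a small in-memory LDAP filter evaluator over constructed entries that shows, first, why filling memberUid={0} with the user's full DN matches no posixGroup while the short uid does, and second, how the memberOf-based workaround derives group names when group search is disabled. Assumptions: the entries in DIRECTORY are constructed (the second user carrying memberOf is hypothetical, since the poster's directory has none), {0} is treated as a plain placeholder as the log suggests, and matching rules are simplified to case-insensitive for objectClass, cn and memberOf and exact for memberUid. The value spliced into the filter is escaped per RFC 4515, which is what you want whenever a user-controlled attribute is interpolated into a search filter.

```python
# Added example: tiny LDAP filter evaluator over constructed entries (not real
# directory data, not Ranger's code). Shows the DN-vs-uid mismatch from the
# question and the memberOf workaround from the reply.
import re

# Constructed sample entries. The memberOf on other.user is hypothetical.
DIRECTORY = [
    {"dn": "uid=user.user,ou=Users,dc=example,dc=es",
     "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["user.user"]},
    {"dn": "uid=other.user,ou=Users,dc=example,dc=es",
     "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["other.user"],
     "memberOf": ["CN=Group1,OU=Users,DC=example,DC=es"]},
    {"dn": "cn=hadoop,ou=Samba,dc=example,dc=es",
     "objectClass": ["posixGroup"], "cn": ["hadoop"],
     "memberUid": ["user.user", "other.user"]},
]

# Template from the question's log; {0} is filled with a per-user value.
EXTENDED_GROUP_FILTER = "(&(objectclass=posixGroup)(cn=*)(memberUid={0}))"

# Compared case-insensitively (caseIgnoreMatch / DN syntax). memberUid uses
# caseExactIA5Match in the NIS schema, so it stays an exact comparison.
CASE_IGNORE = {"objectclass", "cn", "memberof"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; never splice raw."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    # ASCII-only unescape; enough for the sample data.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, pos=0):
    """Recursive-descent parser for &, |, presence and equality filters."""
    if s[pos] != "(":
        raise ValueError("filter must start with '('")
    if s[pos + 1] in "&|":
        op, pos, children = s[pos + 1], pos + 2, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = s.index(")", pos)                       # a raw ')' never occurs in a value
    attr, _, val = s[pos + 1:end].partition("=")  # split on the first '=' only,
    if val == "*":                                # so DN values keep their own '='
        return ("present", attr), end + 1
    return ("=", attr, unescape_filter_value(val)), end + 1


def attr_values(entry, attr):
    for k, v in entry.items():
        if k != "dn" and k.lower() == attr.lower():
            return v
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "present":
        return bool(attr_values(entry, node[1]))
    _, attr, val = node
    values = attr_values(entry, attr)
    if attr.lower() in CASE_IGNORE:
        return any(v.lower() == val.lower() for v in values)
    return val in values


def search(filter_str, directory):
    """DNs of entries matching filter_str, like ldapsearch -LLL | grep ^dn."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e["dn"] for e in directory if matches(node, e)]


def build_group_filter(template, member_value):
    return template.replace("{0}", escape_filter_value(member_value))


def groups_for_user(user, directory, member_value="dn"):
    """'dn' reproduces what the question's slapd log shows (full DN in
    memberUid={0}); 'uid' is the short-name lookup posixGroup needs."""
    value = user["dn"] if member_value == "dn" else user["uid"][0]
    return search(build_group_filter(EXTENDED_GROUP_FILTER, value), directory)


def groups_from_memberof(user_search_filter, directory, group_name_attr="memberOf"):
    """The reply's workaround: group search off, group names taken from each
    matched user's memberOf values (first RDN value), mapped to member DNs."""
    groups = {}
    for dn in search(user_search_filter, directory):
        entry = next(e for e in directory if e["dn"] == dn)
        for group_dn in attr_values(entry, group_name_attr):
            name = group_dn.split(",", 1)[0].split("=", 1)[1]
            groups.setdefault(name, []).append(dn)
    return groups
```

groups_for_user(DIRECTORY[0], DIRECTORY, "dn") returns nothing, exactly as the slapd search in the question returns nothing, and the "uid" variant returns the hadoop group; passing a value such as "*" through build_group_filter yields "\2a", so an attribute value cannot turn the equality test into a wildcard.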

Contributor

Thanks for the answer, but I am using memberUid because I don't have the memberOf properties in my LDAP. It is for that reason that I'm trying to use memberUid.

Contributor

@spolavarapu Thanks for your answer, that is exactly what I was looking for. So I will wait for the next release; will it be soon?

Meanwhile, I will try to use file-based sync.