Ranger usersync service not able to sync LDAP users and groups
Labels: Apache Ranger
Created ‎02-20-2018 01:59 AM
I am configuring ldap in usersync install.properties file, attached here install.txt.
My user ldif file is attached here: users.txt
I am not able to see any errors in usersync logs:
2018 01:34:38 INFO UnixAuthenticationService [main] - Starting User Sync Service!
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:38 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:38 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
20 Feb 2018 01:34:38 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl: ldap://localhost:33389, ldapBindDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [ou=people,dc=hadoop,dc=apache,dc=org], userSearchScope: 2, userObjectClass: person, userSearchFilter: (uid=*), extendedUserSearchFilter: null, userNameAttribute: uid, userSearchAttributes: [uid, uSNChanged, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [ou=groups,dc=hadoop,dc=apache,dc=org], groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: (cn=*), extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, member, cn, modifytimestamp], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=groupofnames)(cn=*)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 0
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
I have configured ldap as sync_source in install.properties. I have attached the config file.
Still no user or group synching in ranger ui.
Please help!
Created ‎02-20-2018 05:18 AM
Can you pass below details -
1. Ranger install.properties
2. ranger ugsync install.properties
3. output of -
$ ldapsearch -x -b "dc=example,dc=com" [replace example with your domain name]
3. ldapsearch -x -b "dc=hadoop,dc=apache,dc=org"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Created ‎02-23-2018 01:57 AM
From the logs I see that Ranger is able to connect to the LDAP server, but the server returns 0 users and 0 groups. Can you run the following ldapsearch command:
ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(uid=*))" -W
Enter the admin password when prompted. If this returns all the entries from ou=people, then can you try the following ldapsearch command:
ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))" -W
Enter the admin password when prompted. If this doesn't return any entries, then you can try disabling "incremental sync" from the Ranger user info config. Maybe your LDAP doesn't support the modifyTimestamp attribute?
Hope this helps!
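The two-step comparison in the reply above can be prepared straight from the usersync log. This is an added example, not part of the original thread or of Ranger: it finds searches that used the incremental-sync clause and returned 0 entries, then derives the base filter to try first. The `triage` function, the regexes and the one-entry-per-line log layout are assumptions of the example.

```python
import re

# Constructed sample: five entries abridged from the usersync log in the question,
# one entry per line (the parser assumes that layout).
SAMPLE_LOG = """\
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=groupofnames)(cn=*)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 0
"""

FILTER_RE = re.compile(r"(extendedUserSearchFilter|extendedAllGroupsSearchFilter) = (\(.*\))\s*$")
COUNT_RE = re.compile(r"\.get(Users|Groups)\(\) completed with \w+ count: (\d+)")
# The clause incremental sync adds to the configured filter, as it appears in the log.
DELTA_RE = re.compile(r"\(\|\(uSNChanged>=\d+\)\(modifyTimestamp>=\d+Z\)\)")


def triage(log_text):
    """Return one finding per search that used a delta clause and returned 0 entries."""
    last_filter = {}  # "Users"/"Groups" -> most recent filter logged for that search
    findings = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            kind = "Users" if "User" in m.group(1) else "Groups"
            last_filter[kind] = m.group(2)
            continue
        m = COUNT_RE.search(line)
        if not m or int(m.group(2)) != 0:
            continue
        used = last_filter.get(m.group(1), "")
        if DELTA_RE.search(used):
            findings.append({
                "kind": m.group(1).lower(),
                "delta_filter": used,
                # Same filter without the delta clause: the first search to try.
                "base_filter": DELTA_RE.sub("", used),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}: 0 entries returned")
        print(f"  1) search with {f['base_filter']}")
        print(f"  2) search with {f['delta_filter']}")
        print("  entries from 1) but none from 2): try disabling incremental sync")
```
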
Created ‎02-23-2018 04:31 AM
@spolavarapu Found this as a BUG - https://issues.apache.org/jira/browse/RANGER-1615?page=com.atlassian.jira.plugin.system.issuetabpane...
Can you confirm if this is fixed in the latest version of Ranger 0.7?
Created ‎02-23-2018 05:37 AM
This is not related, as the issue here is that even the users are not synced.
And about RANGER-1615, the way we retrieve the groups when incremental sync is enabled is different from when the incremental sync is disabled. For more details on the incremental sync design and implementation, please refer to https://issues.apache.org/jira/browse/RANGER-1211
Created ‎02-23-2018 05:23 PM
Thanks for the clarification. Can you please tell me how to disable default incremental sync? I am doing a manual installation (not with Ambari). I am not sure which property I need to set for disabling incremental sync.
Created ‎02-26-2018 06:51 PM
In order to disable incremental sync, the following properties are to be set in ranger-ugsync-site.xml:
<property>
<name>ranger.usersync.ldap.deltasync</name>
<value>false</value>
</property>
<property>
<name>ranger.usersync.sink.impl.class</name>
<value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
Created ‎02-27-2018 06:35 PM
Thanks @spolavarapu. This worked for me.
