Ranger usersync service not able to sync LDAP users and groups

Contributor

I am configuring ldap in usersync install.properties file, attached here install.txt.

My user ldif file is attached here: users.txt

I am not able to see any errors in usersync logs:

2018 01:34:38 INFO UnixAuthenticationService [main] - Starting User Sync Service!
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:38 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:38 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
20 Feb 2018 01:34:38 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl: ldap://localhost:33389, ldapBindDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [ou=people,dc=hadoop,dc=apache,dc=org], userSearchScope: 2, userObjectClass: person, userSearchFilter: (uid=*), extendedUserSearchFilter: null, userNameAttribute: uid, userSearchAttributes: [uid, uSNChanged, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [ou=groups,dc=hadoop,dc=apache,dc=org], groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: (cn=*), extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, member, cn, modifytimestamp], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=groupofnames)(cn=*)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 0
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]

I have configured ldap as sync_source in install.properties. I have attached the config file.

Still no user or group synching in ranger ui.

Please help!


8 REPLIES

Expert Contributor

@GN_Exp

Can you pass below details -

1. Ranger install.properties

2. ranger ugsync install.properties

3. output of -
$ ldapsearch -x -b "dc=example,dc=com" [replace example with your domain name]

Contributor

2. usersync-install.txt

3. ldapsearch -x -b "dc=hadoop,dc=apache,dc=org"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Expert Contributor

@GN_Exp,

From the logs I see that Ranger is able to connect to the LDAP server, but the server returns 0 users and 0 groups. Can you run the following ldapsearch command:

ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(uid=*))" -W

Enter the admin password when prompted. If this returns all the entries from ou=people, then can you try the following ldapsearch command:

ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))" -W

Enter the admin password when prompted. If this doesn't return any entries, then you can try disabling "incremental sync" in the Ranger user info config. Maybe your LDAP doesn't support the modifyTimestamp attribute?

Hope this helps!
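
Added example, not part of the original thread and not Ranger's code: a minimal LDAP filter evaluator (only &, |, =, >= and presence) that applies the two filters from the ldapsearch commands above to constructed entries and returns the next step the post suggests. It assumes the directory's entries expose neither uSNChanged nor modifyTimestamp; the function names, return strings and sample entries are illustrative.

```python
import re

# Filters from the thread: the plain user filter and the logged extendedUserSearchFilter.
BASE = "(&(objectclass=person)(uid=*))"
DELTA = "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))"

def parse(f, i=0):
    """Parse the filter starting at f[i]; supports &, |, =, >= and presence (=*)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1              # step over the closing ')'
    end = f.index(")", i)
    m = re.fullmatch(r"([\w.-]+)(>=|=)(.*)", f[i + 1:end])
    if not m:
        raise ValueError(f"unsupported filter item: {f[i + 1:end]!r}")
    return ("item", m[1].lower(), m[2], m[3]), end + 1

def ge(a, b):  # integer order when both are digits, else string order (GeneralizedTime)
    return int(a) >= int(b) if a.isdigit() and b.isdigit() else a >= b

def matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, cmp_, val = node
    values = entry.get(attr, [])              # absent attribute: the item cannot match
    if cmp_ == "=":
        return bool(values) if val == "*" else val.lower() in (v.lower() for v in values)
    return any(ge(v, val) for v in values)

def count(entries, flt):
    tree = parse(flt)[0]
    return sum(matches(tree, e) for e in entries)

def diagnose(entries):
    # Same decision as the two ldapsearch runs: compare base and delta result counts.
    base, delta = count(entries, BASE), count(entries, DELTA)
    if base == 0:
        return "base-filter-empty"            # check search base, objectclass, uid
    return "disable-incremental-sync" if delta == 0 else "delta-filter-ok"

# Constructed sample entries (not the poster's users.txt); attribute keys lower-cased.
NO_STAMPS = [{"uid": ["user1"], "objectclass": ["person"]},
             {"uid": ["user2"], "objectclass": ["top", "person"]}]
STAMPED = [dict(e, modifytimestamp=["20180220013438Z"]) for e in NO_STAMPS]
```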

Expert Contributor

@spolavarapu Found this as a BUG - https://issues.apache.org/jira/browse/RANGER-1615?page=com.atlassian.jira.plugin.system.issuetabpane...

Can you confirm if this is fixed in the latest version of Ranger 0.7?

Expert Contributor
@Sagar Shimpi

This is not related as the issue here is even the users are not sync'd.

And about RANGER-1615, the way we retrieve the groups when incremental sync is enabled is different from when the incremental sync is disabled. For more details on the incremental sync design and implementation, please refer to https://issues.apache.org/jira/browse/RANGER-1211

Contributor
@spolavarapu

Thanks for the clarification. Can you please tell me how to disable default incremental sync. I am doing manual installation (not with Ambari). I am not sure which property I need to set for disabling incremental sync.

Expert Contributor

@GN_Exp,

In order to disable incremental sync, the following properties are to be set in ranger-ugsync-site.xml:

<property>
  <name>ranger.usersync.ldap.deltasync</name>
  <value>false</value>
</property>
<property>
  <name>ranger.usersync.sink.impl.class</name>
  <value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>

Contributor

Thanks @spolavarapu. This worked for me.