
Ranger usersync service not able to sync LDAP users and groups


Explorer

I am configuring ldap in usersync install.properties file, attached here install.txt.

My user ldif file is attached here: users.txt

I am not able to see any errors in usersync logs:

2018 01:34:38 INFO UnixAuthenticationService [main] - Starting User Sync Service!
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:38 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:38 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
20 Feb 2018 01:34:38 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
20 Feb 2018 01:34:39 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl: ldap://localhost:33389, ldapBindDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [ou=people,dc=hadoop,dc=apache,dc=org], userSearchScope: 2, userObjectClass: person, userSearchFilter: (uid=*), extendedUserSearchFilter: null, userNameAttribute: uid, userSearchAttributes: [uid, uSNChanged, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [ou=groups,dc=hadoop,dc=apache,dc=org], groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: (cn=*), extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, member, cn, modifytimestamp], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=groupofnames)(cn=*)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 0
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
20 Feb 2018 01:34:39 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
20 Feb 2018 01:34:43 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]

I have configured ldap as sync_source in install.properties. I have attached the config file.

Still no user or group synching in ranger ui.

Please help!


Re: Ranger usersync service not able to sync LDAP users and groups

Expert Contributor

@GN_Exp

Can you pass the below details:

1. Ranger install.properties

2. ranger ugsync install.properties

3. Output of:
$ ldapsearch -x -b "dc=example,dc=com"   [replace example with your domain name]


Re: Ranger usersync service not able to sync LDAP users and groups

Explorer

1. admin-install.txt

2. usersync-install.txt

3. ldapsearch -x -b "dc=hadoop,dc=apache,dc=org"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Re: Ranger usersync service not able to sync LDAP users and groups

Expert Contributor

@GN_Exp,

From the logs I see that Ranger is able to connect to the LDAP server, but the server returns 0 users and 0 groups. Can you run the following ldapsearch command:

ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(uid=*))" -W

Enter the admin password when prompted. If this returns all the entries from ou=people, then can you try the following ldapsearch command:

ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))" -W

Enter the admin password when prompted. If this doesn't return any entries, then you can try disabling "incremental sync" from the Ranger user info config. Maybe your LDAP doesn't support the modifyTimestamp attribute?

Hope this helps!
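The reasoning in the reply above (the server answers, but the filter with the change-tracking clause matches nothing) can be read straight off the usersync log. This is an added example, not part of the original thread or of Ranger's code; it assumes one log entry per line, and the function names are hypothetical.

```python
import re

# Constructed sample: four entries taken from the usersync log in the question.
SAMPLE_LOG = """\
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() completed with user count: 0
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedAllGroupsSearchFilter = (&(objectclass=groupofnames)(cn=*)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
20 Feb 2018 01:34:39 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 0
"""

# The change-tracking clause that incremental (delta) sync adds to each filter.
DELTA_CLAUSE = re.compile(r"\(\|\(uSNChanged>=\d+\)\(modifyTimestamp>=\w+\)\)")
FILTER_LINE = re.compile(r"extended(?:User|AllGroups)SearchFilter = (\S+)\s*$")
COUNT_LINE = re.compile(r"get(Users|Groups)\(\) completed with (?:user|group) count: (\d+)")


def parse_searches(log_text):
    """Pair each logged search filter with the result count that follows it."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = FILTER_LINE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = COUNT_LINE.search(line)
        if m and pending is not None:
            kind = "user" if m.group(1) == "Users" else "group"
            results.append({"kind": kind, "filter": pending, "count": int(m.group(2))})
            pending = None
    return results


def triage(log_text):
    """Flag searches that returned nothing while the delta clause was in the filter."""
    findings = []
    for r in parse_searches(log_text):
        if r["count"] == 0 and DELTA_CLAUSE.search(r["filter"]):
            # Same filter without the clause, for a manual ldapsearch comparison.
            r["plain_filter"] = DELTA_CLAUSE.sub("", r["filter"])
            findings.append(r)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} search: 0 entries with delta clause; compare with {f['plain_filter']}")
```

If the plain filter returns entries in ldapsearch and the logged one does not, the directory is not answering the uSNChanged/modifyTimestamp comparison, which is the case the reply describes.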


Re: Ranger usersync service not able to sync LDAP users and groups

Expert Contributor

@spolavarapu Found this as a BUG - https://issues.apache.org/jira/browse/RANGER-1615?page=com.atlassian.jira.plugin.system.issuetabpane...

Can you confirm if this is fixed in the latest version of Ranger 0.7?


Re: Ranger usersync service not able to sync LDAP users and groups

Expert Contributor
@Sagar Shimpi

This is not related, as the issue here is that even the users are not synced.

And about RANGER-1615, the way we retrieve the groups when incremental sync is enabled is different from when the incremental sync is disabled. For more details on the incremental sync design and implementation, please refer to https://issues.apache.org/jira/browse/RANGER-1211


Re: Ranger usersync service not able to sync LDAP users and groups

Explorer
@spolavarapu

Thanks for the clarification. Can you please tell me how to disable the default incremental sync? I am doing a manual installation (not with Ambari). I am not sure which property I need to set to disable incremental sync.


Re: Ranger usersync service not able to sync LDAP users and groups

Expert Contributor

@GN_Exp,

In order to disable incremental sync, the following properties are to be set in ranger-ugsync-site.xml:

<property>
  <name>ranger.usersync.ldap.deltasync</name>
  <value>false</value>
</property>
<property>
  <name>ranger.usersync.sink.impl.class</name>
  <value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
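On a manual install it is easy to change only one of the two properties. The following check, an added example that is not from the thread or from Ranger, reads a ranger-ugsync-site.xml and reports anything that differs from the two values given in the answer; the function names and the sample file content are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two settings given in the answer above.
EXPECTED = {
    "ranger.usersync.ldap.deltasync": "false",
    "ranger.usersync.sink.impl.class":
        "org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder",
}

# Constructed sample: a half-applied change. deltasync is off, but the sink is
# still the class that the usersync log in the question reports.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>ranger.usersync.ldap.deltasync</name>
    <value>false</value>
  </property>
  <property>
    <name>ranger.usersync.sink.impl.class</name>
    <value>org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder</value>
  </property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: [values]} so that a property defined twice stays visible."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        props.setdefault(name, []).append(value)
    return props


def check_full_sync(xml_text):
    """List every difference from the two settings in EXPECTED."""
    props, problems = load_properties(xml_text), []
    for name, want in EXPECTED.items():
        values = props.get(name)
        if not values:
            problems.append(f"{name}: not set")
        elif len(set(values)) > 1:
            problems.append(f"{name}: set more than once with different values {values}")
        elif values[0] != want:
            problems.append(f"{name}: is {values[0]!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for problem in check_full_sync(SAMPLE_SITE_XML):
        print(problem)
```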


Re: Ranger usersync service not able to sync LDAP users and groups

Explorer

Thanks @spolavarapu. This worked for me.
