
Rangersync with LDAP : user lookup criteria

Contributor

Hello

What criteria does Ranger use to look up users in LDAP?

Which attribute (memberof, uniquemember)?

1 ACCEPTED SOLUTION


@Houssam Manik this is configurable within the Ranger User Sync configuration. In particular, the User Configs tab contains the User Group Name Attribute setting (which defaults to memberof,ismemberof) and the Group Configs tab contains the Group Filter settings (which defaults to uniqueMember={0}, where the substituted parameter is the full distinguished name of the user).

Please see this doc. The LDAP Connection Check Tool is helpful when configuring LDAP properties for Ranger User Sync.


4 REPLIES


Contributor

Thanks @slachterman

So by default we use memberof,ismemberof to get the user group. Can we set it to another value such as uniquemember?


Yes, @Houssam Manik the values are configurable in the Ambari UI. Please accept this answer if it helps to address this question for you.


@Houssam Manik

As @slachterman says, the LDAP attributes that map to a user's username, group membership, etc., are configurable. The reason for this is that an administrator can modify the directory schema, or the schema may have evolved over time. For Active Directory 2012, the default values you'll want to use are:

User Object Type: person
Username Attribute: sAMAccountName
User Group Name Attribute: sAMAccountName
Group Member Attribute: member
Group Name Attribute: sAMAccountName
Group Object Class: group

For FreeIPA, these change to:

User Object Class: posixaccount
Username Attribute: uid
User Group Name Attribute: memberOf
Group Member Attribute: member
Group Name Attribute: cn
Group Object Class: posixgroup

The base of the directory where Ranger starts to look for users and groups are specified by the User Search Base and Group Search Base parameters. For AD, you'd want to use something like:

User Search Base: CN=Users,DC=example,DC=com
Group Search Base: CN=Groups,DC=example,DC=com

And for FreeIPA, something similar to:

User Search Base: cn=users,cn=accounts,dc=example,dc=com
Group Search Base: cn=groups,cn=accounts,dc=example,dc=com

You can also specify search filters with syntax similar to:

(|(memberOf=hadoop-admins)(memberOf=hadoop-users))

Here is a guide to LDAP Search Filters for more information.
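As an added illustration (not code from this thread or from Ranger itself), the following Python models the two-step lookup the answers describe: a user search filter like the one above selects users, then the group filter from the accepted answer, `uniqueMember={0}`, is run once per user with `{0}` replaced by that user's full DN. The directory entries are constructed sample data in the FreeIPA layout; memberOf and uniqueMember hold full DNs as they do in a real tree, so the example filter is written with group DNs, the DN is escaped per RFC 4515 before substitution so a DN containing parentheses cannot break the filter, and search bases are not modeled.

```python
import re

# Constructed sample entries standing in for a FreeIPA-style directory (not real data).
# Carol's DN contains parentheses on purpose: it must be escaped before use in a filter.
DIRECTORY = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com", "uid": ["alice"],
     "memberOf": ["cn=hadoop-admins,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"dn": "uid=carol (ext),cn=users,cn=accounts,dc=example,dc=com", "uid": ["carol"],
     "memberOf": ["cn=hadoop-users,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"dn": "cn=hadoop-admins,cn=groups,cn=accounts,dc=example,dc=com", "cn": ["hadoop-admins"],
     "uniqueMember": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"]},
    {"dn": "cn=hadoop-users,cn=groups,cn=accounts,dc=example,dc=com", "cn": ["hadoop-users"],
     "uniqueMember": ["uid=carol (ext),cn=users,cn=accounts,dc=example,dc=com"]},
]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used here: '=', '&', '|'."""
    assert text[pos] == "(", "filter items must be parenthesised"
    pos += 1
    if text[pos] in "&|":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            children.append(node)
        return (op, children), pos + 1          # skip the closing ')'
    end = text.index(")", pos)                  # safe: ')' inside values is escaped
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, unescape_filter_value(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if node[0] == "=":
        values = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
        return any(v.lower() == node[2].lower() for v in values)
    results = (matches(child, entry) for child in node[1])
    return all(results) if node[0] == "&" else any(results)

def sync_users(user_filter, group_filter):
    """User filter selects users; group filter runs per user with {0} = that user's escaped DN."""
    user_node = parse_filter(user_filter)[0]
    result = {}
    for user in DIRECTORY:
        if "uid" in user and matches(user_node, user):
            group_node = parse_filter(group_filter.replace("{0}", escape_filter_value(user["dn"])))[0]
            result[user["uid"][0]] = sorted(g["cn"][0] for g in DIRECTORY if "cn" in g and matches(group_node, g))
    return result
```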