
Rangersync with LDAP : user lookup criteria

Hello

What criteria does Ranger use to look up a user in LDAP?

Which attribute (memberof, uniquemember)?

1 ACCEPTED SOLUTION

Re: Rangersync with LDAP : user lookup criteria

@Houssam Manik this is configurable within the Ranger User Sync configuration. In particular, the User Configs tab contains the User Group Name Attribute setting (which defaults to memberof,ismemberof) and the Group Configs tab contains the Group Filter settings (which defaults to uniqueMember={0}, where the substituted parameter is the full distinguished name of the user).

Please see this doc. The LDAP Connection Check Tool is helpful when configuring LDAP properties for Ranger User Sync.

4 REPLIES

Re: Rangersync with LDAP : user lookup criteria

Thanks @slachterman

So by default we use memberof,ismemberof to get the user group. Can we set it to another value such as uniquemember?

Re: Rangersync with LDAP : user lookup criteria

Yes, @Houssam Manik the values are configurable in the Ambari UI. Please accept this answer if it helps to address this question for you.

Re: Rangersync with LDAP : user lookup criteria

@Houssam Manik

As @slachterman says, the LDAP attributes that map to a user's username, group membership, etc., are configurable. The reason for this is that an administrator can modify the directory schema, or the schema may have evolved over time. For Active Directory 2012, the default values you'll want to use are:

User Object Type: person
Username Attribute: sAMAccountName
User Group Name Attribute: sAMAccountName
Group Member Attribute: member
Group Name Attribute: sAMAccountName
Group Object Class: group

For FreeIPA, these change to:

User Object Class: posixaccount
Username Attribute: uid
User Group Name Attribute: memberOf
Group Member Attribute: member
Group Name Attribute: cn
Group Object Class: posixgroup

The base of the directory where Ranger starts to look for users and groups is specified by the User Search Base and Group Search Base parameters. For AD, you'd want to use something like:

User Search Base: CN=Users,DC=example,DC=com
Group Search Base: CN=Groups,DC=example,DC=com

And for FreeIPA, something similar to:

User Search Base: cn=users,cn=accounts,dc=example,dc=com
Group Search Base: cn=groups,cn=accounts,dc=example,dc=com

You can also specify search filters with syntax similar to:

(|(memberOf=hadoop-admins)(memberOf=hadoop-users))

Here is a guide to LDAP Search Filters for more information.
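The following is an added example (not code from the answer above, from Ranger or from the Cloudera project) showing how the settings in this thread turn into the LDAP search filters that User Sync sends, for both the AD and FreeIPA defaults quoted here. It assumes, since the page does not state it, that Ranger ANDs the object class with the admin-supplied filter, substitutes the user's full DN for {0} in the Group Filter, and expects every filter wrapped in parentheses. The point it adds is the RFC 4515 escaping of the substituted DN: without it, a DN or name containing parentheses or `*` changes the shape of the filter, and the `is_well_formed` check shows the difference. The sample DN is constructed.

```python
"""Build and sanity-check the LDAP search filters that Ranger User Sync derives
from the settings discussed in this thread.

Added example, not Ranger's code. Assumed (not stated on the page): Ranger ANDs
the object class with the admin-supplied filter, substitutes the user's full DN
for {0} in the Group Filter, and expects every filter wrapped in parentheses.
"""
import re

# Defaults quoted in the answer above, keyed by the Ambari setting names.
AD_DEFAULTS = {
    "user_object_class": "person",
    "username_attribute": "sAMAccountName",
    "user_group_name_attribute": "sAMAccountName",
    "group_member_attribute": "member",
    "group_name_attribute": "sAMAccountName",
    "group_object_class": "group",
    "user_search_base": "CN=Users,DC=example,DC=com",
    "group_search_base": "CN=Groups,DC=example,DC=com",
}
FREEIPA_DEFAULTS = {
    "user_object_class": "posixaccount",
    "username_attribute": "uid",
    "user_group_name_attribute": "memberOf",
    "group_member_attribute": "member",
    "group_name_attribute": "cn",
    "group_object_class": "posixgroup",
    "user_search_base": "cn=users,cn=accounts,dc=example,dc=com",
    "group_search_base": "cn=groups,cn=accounts,dc=example,dc=com",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter (RFC 4515 section 3), so a DN
    or name containing ( ) * backslash or NUL cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def substitute_group_filter(template: str, user_dn: str) -> str:
    """Replace {0} in the Group Filter setting (e.g. uniqueMember={0}) with the
    escaped user DN; wrap in parentheses if the admin left them out (assumption)."""
    filt = template.replace("{0}", escape_filter_value(user_dn))
    return filt if filt.startswith("(") else "(" + filt + ")"


def user_search_filter(cfg: dict, extra_filter: str = "") -> str:
    """objectClass test ANDed with an optional admin filter such as
    (|(memberOf=hadoop-admins)(memberOf=hadoop-users))."""
    base = "(objectClass=%s)" % cfg["user_object_class"]
    return "(&%s%s)" % (base, extra_filter) if extra_filter else base


def group_search_filter(cfg: dict, user_dn: str) -> str:
    """Groups whose Group Member Attribute holds this user's DN."""
    member = substitute_group_filter(cfg["group_member_attribute"] + "={0}", user_dn)
    return "(&(objectClass=%s)%s)" % (cfg["group_object_class"], member)


# One leaf of a filter: attribute, comparison operator, value with no bare parentheses.
_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(?:=|>=|<=|~=)[^()]*$")


def is_well_formed(filt: str) -> bool:
    """Minimal RFC 4515 syntax check: balanced parentheses, &/| with at least
    one operand, ! with exactly one, leaves shaped attr<op>value."""
    def parse(i: int) -> int:
        if filt[i] != "(":
            raise ValueError("expected '('")
        i += 1
        if filt[i] in "&|":
            i += 1
            n = 0
            while i < len(filt) and filt[i] == "(":
                i, n = parse(i), n + 1
            if n == 0:
                raise ValueError("empty filter list")
        elif filt[i] == "!":
            i = parse(i + 1)
        else:
            j = filt.find(")", i)
            if j < 0 or not _ITEM.match(filt[i:j]):
                raise ValueError("bad item")
            i = j
        if filt[i] != ")":
            raise ValueError("expected ')'")
        return i + 1

    try:
        return parse(0) == len(filt)
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    dn = "uid=hmanik,cn=users,cn=accounts,dc=example,dc=com"  # constructed sample DN
    print(user_search_filter(AD_DEFAULTS, "(|(memberOf=hadoop-admins)(memberOf=hadoop-users))"))
    print(group_search_filter(FREEIPA_DEFAULTS, dn))
    # A DN with unescaped parentheses would otherwise split the filter in two.
    print(is_well_formed(substitute_group_filter("uniqueMember={0}", "cn=x)(objectClass=*")))
```

Run it directly to print the AD user filter with the thread's memberOf example and the FreeIPA group filter for the sample DN; when testing a new Group Filter or search filter in Ambari, passing the string through `is_well_formed` first catches an unbalanced parenthesis before the LDAP Connection Check Tool reports a cryptic error.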
