
Rangersync with LDAP : user lookup criteria

Hello

What criteria does Ranger use to look up a user in LDAP?

Which attribute (memberof, uniquemember) ?

1 ACCEPTED SOLUTION

@Houssam Manik this is configurable within the Ranger User Sync configuration. In particular, the User Configs tab contains the User Group Name Attribute setting (which defaults to memberof,ismemberof) and the Group Configs tab contains the Group Filter settings (which defaults to uniqueMember={0}, where the substituted parameter is the full distinguished name of the user).

Please see this doc. The LDAP Connection Check Tool is helpful when configuring LDAP properties for Ranger User Sync.


4 REPLIES


Thanks @slachterman

So by default we use memberof,ismemberof to get the user group. Can we set it to other value such as uniquemember ?

Yes, @Houssam Manik the values are configurable in the Ambari UI. Please accept this answer if it helps to address this question for you.

@Houssam Manik

As @slachterman says, the LDAP attributes that map to a user's username, group membership, etc., are configurable. The reason for this is that an administrator can modify the directory schema, or the schema may have evolved over time. For Active Directory 2012, the default values you'll want to use are:

User Object Type: person
Username Attribute: sAMAccountName
Use Group Name Attribute: sAMAccountName
Group Member Attribute: member
Group Name Attribute: sAMAccountName
Group Object Class: group

For FreeIPA, these change to:

User Object Class: posixaccount
Username Attribute: uid
Use Group Name Attribute: memberOf
Group Member Attribute: member
Group Name Attribute: cn
Group Object Class: posixgroup

The base of the directory where Ranger starts to look for users and groups is specified by the User Search Base and Group Search Base parameters. For AD, you'd want to use something like:

User Search Base: CN=Users,DC=example,DC=com
Group Search Base: CN=Groups,DC=example,DC=com

And for FreeIPA, something similar to:

User Search Base: cn=users,cn=accounts,dc=example,dc=com
Group Search Base: cn=groups,cn=accounts,dc=example,dc=com

You can also specify search filters with syntax similar to:

(|(memberOf=hadoop-admins)(memberOf=hadoop-users))

Here is a guide to LDAP Search Filters for more information.
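Added example, not code from this thread or from Ranger itself: a small constructed in-memory directory plus a minimal LDAP filter evaluator, showing the two group-lookup strategies discussed above (reading memberOf from the user entry versus searching groups with uniqueMember={0} after substituting the user's full DN) and evaluating an OR search filter like the one quoted. The DNs, entries and function names are assumptions made up for the demonstration.

```python
# Added example (not from the Cloudera thread or from Ranger): constructed sample
# directory and a minimal LDAP filter evaluator supporting (=), (&), (|) and (!).
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
ADMINS = "cn=hadoop-admins,cn=groups,cn=accounts,dc=example,dc=com"
USERS = "cn=hadoop-users,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed sample data: DN -> attributes. Attribute names are stored lower-case
# because LDAP attribute names are case-insensitive.
DIRECTORY = {
    ALICE: {"objectclass": ["posixaccount"], "uid": ["alice"], "memberof": [ADMINS, USERS]},
    BOB: {"objectclass": ["posixaccount"], "uid": ["bob"], "memberof": [USERS]},
    ADMINS: {"objectclass": ["posixgroup"], "cn": ["hadoop-admins"], "uniquemember": [ALICE]},
    USERS: {"objectclass": ["posixgroup"], "cn": ["hadoop-users"], "uniquemember": [ALICE, BOB]},
}

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; returns (node, index after it)."""
    i += 1                                   # skip "("
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip the closing ")"
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")   # split on the first "=" only; DN values contain "="
    return ("=", attr.lower(), val.lower()), end + 1

def _eval(node, entry):
    op = node[0]
    if op == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(_eval(k, entry) for k in node[1])
    if op == "|":
        return any(_eval(k, entry) for k in node[1])
    return not _eval(node[1][0], entry)      # "!"

def search(base, filt):
    """DNs under `base` whose entry matches the LDAP filter string `filt`."""
    node, _ = _parse(filt, 0)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.lower().endswith(base.lower()) and _eval(node, e))

def groups_from_user_attribute(user_dn, attr="memberof"):
    """Default strategy: read group DNs straight from the user's memberof attribute."""
    return sorted(DIRECTORY[user_dn].get(attr.lower(), []))

def groups_from_group_filter(user_dn, group_base, group_filter="uniqueMember={0}"):
    """Group-side strategy: substitute the user's full DN for {0}, then search the groups."""
    return search(group_base, "(" + group_filter.format(user_dn) + ")")
```

Both strategies return the same groups for a consistent directory; which one Ranger can use depends on whether the server maintains memberOf on user entries or only member/uniqueMember on group entries, which is exactly why the attribute and filter are configurable.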