
User search filter in case of multiple OUs

Cloudera Employee

As per https://cwiki.apache.org/confluence/display/RANGER/Multiple+OU+Ldap+Search+support+for+UserSync, we can configure multiple OUs by delimiting ranger.usersync.ldap.user.searchbase with ";". In that case, what should the user search filter be? Does it need to be a search filter with an LDAP OR query with all the groups?

ACCEPTED SOLUTION

Expert Contributor

@skothari,

The user/group search filter is just to narrow down the search further. For example, if you have configured multiple OUs, say ou1 and ou2, and you want only users from those two OUs with a username that starts with hadoop, then you would configure the user search filter as cn=hadoop*

Even in the case of multiple OU support, we have two options for syncing groups:

1. Option to get all the groups that the users belong to. This can be done by disabling group sync and configuring "memberof, ismemberof" for UserGroupNameAttribute.

2. Option to sync the groups that the users belong to, but only from a few OUs and with a group search filter. For option 2, one example can be as follows:

You configured OU1 and OU2 for the user search base with the user search filter cn=hadoop*. In this user search, say you have 3 users: hadoopadmin, hadoopuser1, hadoopuser2. hadoopadmin belongs to the groups admingrp (from adminOU), usergrp (from userOU), hadoopadmingrp (from adminOU), hadoopusergrp (from userOU). hadoopuser1 and hadoopuser2 belong to the groups usergrp and hadoopusergrp. In this case, you want to sync only the groups that have group names starting with hadoop from userOU and adminOU. Then you would configure the group search base as userOU;adminOU and configure the group search filter as cn=hadoop*

In this scenario, if group sync is disabled (option #1), then all four groups (admingrp, usergrp, hadoopadmingrp, hadoopusergrp) will be synced irrespective of OU.

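The scenario in the accepted answer, worked through as an added example (this is not Ranger's code and not part of the original post): a small in-memory directory constructed for the scenario, an evaluator for the LDAP filter subset involved, and a sync() that applies the ";"-delimited search bases and the search filters the way the answer describes them. The property keys are the usual ranger-ugsync-site.xml names; the DNs, the extra users bob (in scope but not matching the filter) and hadoopsvc (matching the filter but outside the search bases), and the group-name-from-memberOf-DN derivation in option 1 are assumptions made for the simulation. It shows that the user search filter stays a plain cn=hadoop* because each ";" base already scopes its own search, so no OR over the OUs is needed, and that the two group options yield different group sets for the same three users.

```python
"""Simulation of the multi-OU usersync scenario from the accepted answer (added example, not
Ranger code).  Runs offline: a constructed in-memory directory plus an evaluator for the LDAP
filter subset used here (equality, '*' wildcard, &, |, !).  All DNs, users and groups are made up."""
import re

BASE = "dc=example,dc=com"

def _entry(objectclass, cn, ou, attr, refs):
    """Directory entry: users carry memberOf DNs, groups carry member DNs."""
    dn = lambda c, o: "cn=%s,ou=%s,%s" % (c, o, BASE)
    return dn(cn, ou), {"objectclass": [objectclass], "cn": [cn], attr: [dn(*r) for r in refs]}

ADMIN_GROUPS = [("admingrp", "adminOU"), ("usergrp", "userOU"),
                ("hadoopadmingrp", "adminOU"), ("hadoopusergrp", "userOU")]
USER_GROUPS = ADMIN_GROUPS[1::2]  # usergrp, hadoopusergrp
HADOOP = [("hadoopadmin", "ou1"), ("hadoopuser1", "ou1"), ("hadoopuser2", "ou2")]
DIRECTORY = dict([
    _entry("person", "hadoopadmin", "ou1", "memberof", ADMIN_GROUPS),
    _entry("person", "hadoopuser1", "ou1", "memberof", USER_GROUPS),
    _entry("person", "hadoopuser2", "ou2", "memberof", USER_GROUPS),
    _entry("person", "bob", "ou2", "memberof", USER_GROUPS[:1]),        # in scope, fails cn=hadoop*
    _entry("person", "hadoopsvc", "ou3", "memberof", USER_GROUPS[:1]),  # passes the filter, ou3 not a base
    _entry("groupofnames", "admingrp", "adminOU", "member", HADOOP[:1]),
    _entry("groupofnames", "usergrp", "userOU", "member", HADOOP + [("bob", "ou2"), ("hadoopsvc", "ou3")]),
    _entry("groupofnames", "hadoopadmingrp", "adminOU", "member", HADOOP[:1]),
    _entry("groupofnames", "hadoopusergrp", "userOU", "member", HADOOP),
])

def parse_filter(text):
    """RFC 4515 subset -> ('=', attr, value) | ('&'|'|', [nodes]) | ('!', node)."""
    text = text.strip() if text.strip().startswith("(") else "(%s)" % text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter: %r" % text[end:])
    return node

def _parse(s, i):
    """Parse the component starting at s[i] == '('; return (node, index just past its ')')."""
    op = s[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = ("!", kids[0]) if op == "!" else (op, kids)
    else:
        j = s.index(")", i)
        attr, _, value = s[i + 1:j].partition("=")
        node, i = ("=", attr.strip().lower(), value.strip()), j
    if s[i] != ")":
        raise ValueError("unbalanced filter: %r" % s)
    return node, i + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (keys are lower-case)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], attrs)
    _, attr, value = node
    # '*' is the LDAP substring wildcard; everything else in the value is literal.
    pattern = "^%s$" % ".*".join(re.escape(p) for p in value.split("*"))
    return any(re.match(pattern, v, re.IGNORECASE) for v in attrs.get(attr, []))

def search(directory, searchbases, filt):
    """One subtree search per ';'-delimited base, results unioned; the bases scope it, not the filter."""
    node, hits = parse_filter(filt), {}
    for base in searchbases.split(";"):
        suffix = "," + base.strip().lower()
        hits.update((dn, a) for dn, a in directory.items()
                    if dn.lower().endswith(suffix) and matches(node, a))
    return hits

def sync(conf, directory=DIRECTORY):
    """{username: sorted group names} for the two group options in the answer."""
    users = search(directory, conf["ranger.usersync.ldap.user.searchbase"],
                   conf["ranger.usersync.ldap.user.searchfilter"])
    uname = conf["ranger.usersync.ldap.user.nameattribute"]
    if conf["ranger.usersync.group.searchenabled"] == "false":
        # Option 1: group names are the RDN values of the user's memberOf DNs, whatever OU they are in.
        attrs = [a.strip().lower() for a in conf["ranger.usersync.ldap.user.groupnameattribute"].split(",")]
        return {u[uname][0]: sorted({g.split(",")[0].split("=")[1] for a in attrs for g in u.get(a, [])})
                for u in users.values()}
    # Option 2: only groups found under the group search bases that pass the group search filter.
    groups = search(directory, conf["ranger.usersync.group.searchbase"],
                    conf["ranger.usersync.group.searchfilter"])
    member = conf["ranger.usersync.group.memberattributename"].lower()
    gname = conf["ranger.usersync.group.nameattribute"]
    return {u[uname][0]: sorted({g[gname][0] for g in groups.values() if dn in g.get(member, [])})
            for dn, u in users.items()}

COMMON = {"ranger.usersync.ldap.user.searchbase": "ou=ou1,%s;ou=ou2,%s" % (BASE, BASE),
          "ranger.usersync.ldap.user.searchfilter": "cn=hadoop*",  # plain filter, no OR over the OUs
          "ranger.usersync.ldap.user.nameattribute": "cn"}
OPTION1 = dict(COMMON, **{"ranger.usersync.group.searchenabled": "false",
                          "ranger.usersync.ldap.user.groupnameattribute": "memberof,ismemberof"})
OPTION2 = dict(COMMON, **{"ranger.usersync.group.searchenabled": "true",
                          "ranger.usersync.group.searchbase": "ou=userOU,%s;ou=adminOU,%s" % (BASE, BASE),
                          "ranger.usersync.group.searchfilter": "cn=hadoop*",
                          "ranger.usersync.group.nameattribute": "cn",
                          "ranger.usersync.group.memberattributename": "member"})
```

sync(OPTION1) returns all four groups for hadoopadmin and usergrp plus hadoopusergrp for the other two, since memberOf is read regardless of OU; sync(OPTION2) returns only hadoopadmingrp and hadoopusergrp for hadoopadmin and only hadoopusergrp for hadoopuser1 and hadoopuser2. bob and hadoopsvc never appear in either result. Note that the real usersync also ANDs the configured filter with the user/group object class, which this simulation leaves out because its bases contain only one kind of entry.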

2 REPLIES


The user search filter can be anything you would like to filter on further within the OUs, or you can just leave it at a default setting like, for example, in AD sAMAccountName=* or sAMAccountName={0}, or in the case of OpenLDAP cn=* or cn={0}