can not login to ranger using LDAP or AD user after user sync

Explorer

Hi,

I posted a similar question earlier in the community regarding LDAP, for which I got no acceptable answer.

Now I am facing a similar issue with AD as well, so I am posting my question again.

Here is the link for my earlier question --

https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user...

In summary,

I am able to successfully perform the user/group sync with LDAP and AD for Ranger through HDP following the instructions in the documentation -- https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

However, when I try to log in to the Ranger UI using the LDAP user or an AD user (set up on 2 separate clusters), it fails saying "invalid user credentials." There is no other information or exception. In the audit log I see a record of "wrong password" under login. However, I validated that the user's password is correct by logging in as that user from the console.

Re: can not login to ranger using LDAP or AD user after user sync

@Madhavi Amirneni

I suggest enabling debug for Ranger admin. Please change INFO to DEBUG in the file below:

/usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml

Restart ranger and try testing again.

Re: can not login to ranger using LDAP or AD user after user sync

Contributor

@Sagar Shimpi @Geoffrey Shelton Okot

Hi, I followed the same documentation and used OpenLDAP. I am able to see users in Ranger and I am also able to log in using LDAP credentials, but I am not able to see groups. Can you please check? I posted the same question at

https://community.hortonworks.com/questions/84432/not-able-to-see-groups-in-in-apache-ranger-from-on...

Re: can not login to ranger using LDAP or AD user after user sync

Expert Contributor
@Madhavi Amirneni

What is the value set for ranger.ldap.ad.user.searchfilter if you are using AD, or User Search Filter if you are using LDAP, as authentication for the Ranger UI?

Re: can not login to ranger using LDAP or AD user after user sync

Explorer

@spolavarapu,

The values are:

ranger.ldap.ad.user.searchfilter = {{ranger_ug_ldap_user_searchfilter}}

ranger.usersync.ldap.user.searchfilter = blank

I did not fill in any value for the filter. Does the filter need to be set for it to work?

Re: can not login to ranger using LDAP or AD user after user sync

Expert Contributor
@Madhavi Amirneni

It's fine if you don't set the value for ranger.usersync.ldap.user.searchfilter. This is used for syncing users from LDAP/AD and you don't see any issues syncing the users. But for authentication, we need to set to "sAMAccountName={0}" or "uid={0}" based on your AD setup. "{0}" indicates that the value is a variable and the login credentials are passed here. There is an RMP filed for this (RMP-6190) to improve the behavior.

Re: can not login to ranger using LDAP or AD user after user sync

Explorer

@spolavarapu,

Thank you for the explanation. However, with the user search filter, I cannot log in to Ranger using the IDs from LDAP/AD.

I tried the following values for ranger.usersync.ldap.user.searchfilter:

"sAMAccountName={0}" --> Did not work. Logs showed 0 users.

So I had to set the value to (sAMAccountName=*). With this value, I got the list of users; however, authentication to the Ranger UI still does not work. I keep getting the error "Bad Credentials" (from the logs).

Also, I am not doing Group sync, but that should affect the user authentication to Ranger, right?

Re: can not login to ranger using LDAP or AD user after user sync

Expert Contributor
@Madhavi Amirneni

Can you please set the value for ranger.ldap.ad.user.searchfilter as sAMAccountName={0} and set the value for property ranger.usersync.ldap.user.searchfilter as sAMAccountName=*?

Please let me know if you want to have a quick webex call to help you with the configuration.
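The distinction drawn in the replies above (the authentication filter needs the `{0}` login placeholder, the usersync filter must not contain it) can be checked mechanically. The following is an added example, not part of the thread and not Ranger's own code: the function names and sample values are constructed, and the RFC 4515 escaping of the login name before substitution is an assumption about how such a filter should be expanded safely.

```python
# Property names are the ones quoted in the thread; the checks are assumptions
# drawn from the replies, not Ranger's own validation logic.
AUTH_KEY = "ranger.ldap.ad.user.searchfilter"
SYNC_KEY = "ranger.usersync.ldap.user.searchfilter"

def escape_filter_value(value):
    """Escape a login name for use inside an LDAP filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_auth_filter(template, login):
    """Substitute the escaped login name for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(login))

def lint(props):
    """Return findings for the two search-filter properties."""
    findings = []
    auth = props.get(AUTH_KEY, "").strip()
    sync = props.get(SYNC_KEY, "").strip()
    if "{0}" not in auth:
        # Without {0} the filter cannot select the account that is logging in.
        findings.append(f"{AUTH_KEY}: no {{0}} placeholder in {auth!r}")
    if "{0}" in sync:
        # Sync runs without a login name, so a literal {0} matches no users.
        findings.append(f"{SYNC_KEY}: contains {{0}}, use a static filter")
    return findings

# Constructed sample values, modelled on the settings quoted in the thread.
AS_POSTED = {AUTH_KEY: "{{ranger_ug_ldap_user_searchfilter}}", SYNC_KEY: ""}
FIRST_ATTEMPT = {AUTH_KEY: "{{ranger_ug_ldap_user_searchfilter}}",
                 SYNC_KEY: "sAMAccountName={0}"}
SUGGESTED = {AUTH_KEY: "sAMAccountName={0}", SYNC_KEY: "sAMAccountName=*"}

if __name__ == "__main__":
    for name, props in [("as posted", AS_POSTED),
                        ("first attempt", FIRST_ATTEMPT),
                        ("suggested", SUGGESTED)]:
        print(name, lint(props) or "ok")
    # A login name containing filter metacharacters stays a literal value.
    print(expand_auth_filter("sAMAccountName={0}", "*)(objectClass=*"))
```
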

Re: can not login to ranger using LDAP or AD user after user sync

New Contributor

@spolavarapu

I also have the same issue. I am also not able to log in with an LDAP user after changing ranger.usersync.ldap.user.searchfilter to sAMAccountName=*.

@spolavarapu

Hi, I also have the same issue. I have changed to ranger.usersync.ldap.user.searchfilter=sAMAccountName=* but I am still not able to log in to the Ranger UI with an LDAP user.

Santosh

Re: can not login to ranger using LDAP or AD user after user sync

Expert Contributor

@santosh nukala,

What is the value of ranger.ldap.ad.user.searchfilter from the Ranger admin authentication configuration? Also, can you please check the values set for the "ranger.ldap.ad.base.dn" and "ranger.ldap.ad.domain" properties?