Hi, I have configured Ranger with Active Directory (AD) and expect AD users to be synced. There is no user sync and I don't seem to know why this is the case. I have followed the configurations here and also the Hortonworks documentation. By the way, I use HDP 2.4.3.
Did you follow this Hortonworks documentation?
Also there is a nice write-up on the same here: https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html
If you are still facing this issue after following the above steps, I would recommend running the LDAP connection tool as specified below.
Reading ldap properties from input.properties ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]
@Joshua Adeleke I guess the values set for the below properties are not correct. You can get the values of these properties from your LDAP server configuration.
ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword
The error code from the log snapshot suggests that the credentials used to access the LDAP details are incorrect.
49 / 52e (AD_INVALID_CREDENTIALS): Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.
Not sure if something more is missing here. @Deepak Sharma, do you have any pointers here?
Yes, I believe. The bind user was created as a service account with privileges to do AD search and sync. I will check with them again.
Please check if there are any errors in the Ranger usersync logs (generally located at /var/log/ranger/usersync/usersync.log). This can give you a clue on where the issue can be. There can be two possibilities for users not syncing to Ranger:
1. Failure to query the AD/LDAP server. This failure can be seen in the usersync logs, or the usersync AD config is not returning any matching users/groups from the AD server. This can further be analyzed using the LDAP connection tool as specified by @Ayub Khan.
2. The usersync module fails to update Ranger admin/DB with users/groups sync'd from AD. This will generally be logged in the usersync logs and is generally self-explanatory, like usersync authorization failure with Ranger, etc.
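The two failure classes above, and the LDAP error 49 / data 52e decoding from the earlier answer, can be triaged mechanically from usersync.log. The following Python script is an added example and not part of this thread or of Ranger itself: it extracts the LDAP result code and the Active Directory AcceptSecurityContext sub-code from an exception line, maps the sub-code to its well-known meaning (the thread shows only 52e; the other sub-codes are standard AD values), and buckets each log line as an AD/LDAP-side failure or a Ranger-admin-side failure. The keyword lists used for bucketing and all sample log lines other than the first are constructed for the example.

```python
import re
from collections import Counter

# Well-known Active Directory "data" sub-codes that accompany LDAP error 49
# (invalidCredentials). Only 52e appears in the thread above; the rest are
# standard AD values listed for completeness.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists, password or credential wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_CODE_RE = re.compile(r"LDAP: error code (\d+)")
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed keyword lists (assumption, not Ranger's own log format): markers
# for the two failure classes described in the thread, i.e. failure to query
# AD/LDAP versus failure to push users/groups into Ranger admin.
LDAP_MARKERS = ("ldap bind", "javax.naming", "ldap: error code")
RANGER_ADMIN_MARKERS = ("ranger admin", "http 401", "http 403", "unauthorized", "forbidden")


def parse_ldap_error(text):
    """Extract the LDAP result code and AD sub-code from an exception message.

    Returns None when the text carries no "LDAP: error code N" fragment.
    """
    code_match = LDAP_CODE_RE.search(text)
    if not code_match:
        return None
    result = {"ldap_code": int(code_match.group(1)), "ad_subcode": None, "meaning": None}
    data_match = AD_DATA_RE.search(text)
    if data_match:
        sub = data_match.group(1).lower()
        result["ad_subcode"] = sub
        result["meaning"] = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")
    return result


def classify_usersync_line(line):
    """Bucket one usersync log line as 'ldap', 'ranger_admin' or 'other'."""
    lowered = line.lower()
    if any(marker in lowered for marker in LDAP_MARKERS):
        return {"category": "ldap", "ldap_error": parse_ldap_error(line)}
    if any(marker in lowered for marker in RANGER_ADMIN_MARKERS):
        return {"category": "ranger_admin", "ldap_error": None}
    return {"category": "other", "ldap_error": None}


def triage(lines):
    """Count lines per failure class and decode any AD bind sub-codes seen."""
    counts = Counter()
    hints = []
    for line in lines:
        info = classify_usersync_line(line)
        counts[info["category"]] += 1
        err = info["ldap_error"]
        if err and err["ad_subcode"]:
            hints.append(f"LDAP {err['ldap_code']} / data {err['ad_subcode']}: {err['meaning']}")
    return {"counts": dict(counts), "hints": hints}


# Sample input: the first line is the bind failure quoted in this thread; the
# remaining lines are constructed to exercise the other branches.
SAMPLE_LOG = [
    "ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn "
    "and ranger.usersync.ldap.ldapbindpassword javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: "
    "AcceptSecurityContext error, data 52e, v2580]",
    "ERROR: Failed to perfom ldap bind. javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: "
    "AcceptSecurityContext error, data 775, v2580]",  # constructed: locked-out bind user
    "ERROR: Failed to add user to Ranger admin: HTTP 401 Unauthorized",  # constructed
    "INFO: Sync completed, 0 users processed",  # constructed
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("lines per failure class:", summary["counts"])
    for hint in summary["hints"]:
        print("bind failure:", hint)
```

Run it against a real usersync.log by replacing SAMPLE_LOG with the file's lines; a dominant "ldap" bucket with a decoded 49/52e points at ranger.usersync.ldap.binddn or ranger.usersync.ldap.ldapbindpassword, while a dominant "ranger_admin" bucket points at the usersync-to-Ranger-admin credentials instead.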
Hi @Ayub Khan @spolavarapu, I confirmed that the bind user created has read rights to the Active Directory (AD). My expectation was that I could use Ranger to control access to AD users in HDP and NiFi. If Ranger has details of the AD users, then we can control which users access what (say user A has access to some Hive tables and only some columns). Also, we need this on NiFi as well.