no usersync after configuring ranger with active directory

Expert Contributor

Hi, I have configured ranger with active directory (AD) and expect AD users to be synced. There is no user sync and I don't seem to know why this is the case. I have followed the configurations here and also the hortonworks documentation. By the way, I use HDP 2.4.3.


Re: no usersync after configuring ranger with active directory

@Joshua Adeleke

Did you follow this hortonworks documentation?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_Install_Guide/content/ranger-user...

Also there is a nice write up on the same here: https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

If you are still facing this issue after following the above steps, I would recommend running the LDAP connection tool as specified below.

https://cwiki.apache.org/confluence/display/RANGER/LDAP+Connection+Check+Tool

Re: no usersync after configuring ranger with active directory

Expert Contributor

@Ayub Khan @spolavarapu I followed the hortonworks documentation. I have verified that the bind user and password details are ok. Please find below the error message:

Reading ldap properties from input.properties
ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]

Re: no usersync after configuring ranger with active directory

@Joshua Adeleke I guess the values set for the below properties are not correct. You can get the values of these properties from your LDAP server configuration.

ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword

Re: no usersync after configuring ranger with active directory

Expert Contributor

@Ayub Khan I tested the values of ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword by logging into a network folder and it was successful.


Re: no usersync after configuring ranger with active directory

The error code from the log snapshot suggests that the credentials used to access the LDAP details are incorrect.

http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0

49 / 52e: AD_INVALID_CREDENTIALS. Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.

Not sure if something more is missing here. @Deepak Sharma, do you have any pointers here?
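An added example, not code from this thread or from Ranger itself, that pulls the AD "data" sub-code out of the usersync bind exception quoted above and maps it to its well-known meaning, so a defender can tell a wrong password from a disabled or locked bind account before changing any settings. The sample log lines are constructed; the first error line copies the exception posted in this thread.

```python
import re

# AD reports the reason for a failed simple bind as a hex "data" sub-code
# alongside LDAP result 49 (invalidCredentials). These are the well-known values.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not resolve",
    "52e": "invalid credentials: the DN resolves but the password is wrong",
    "530": "logon not permitted at this time (logon-hours restriction)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# Matches the message javax.naming.AuthenticationException carries back from AD.
_AD_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-[0-9A-Fa-f]+, comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def diagnose_bind_error(line):
    """Return a dict describing an AD bind failure found in `line`, or None."""
    m = _AD_ERR.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code; check the AD event log"),
    }


def scan_usersync_log(lines):
    """Return (line_number, diagnosis) for every AD bind failure in a usersync log."""
    found = [(n, diagnose_bind_error(l)) for n, l in enumerate(lines, 1)]
    return [(n, d) for n, d in found if d]


# Constructed sample log: line 2 is the exception from this thread, line 3 is made up.
SAMPLE_LOG = [
    "Reading ldap properties from input.properties",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 533, v2580]",
]

if __name__ == "__main__":
    for n, d in scan_usersync_log(SAMPLE_LOG):
        print(f"line {n}: data {d['data']} -> {d['meaning']}")
```

Run it against /var/log/ranger/usersync/usersync.log (the path mentioned later in this thread) by passing the file's lines to scan_usersync_log.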

Re: no usersync after configuring ranger with active directory

Expert Contributor

@Joshua Adeleke,

One quick question - do the bind credentials you are using have admin privileges to perform ldap search on the base domain or the user search base that you are using?

Re: no usersync after configuring ranger with active directory

Expert Contributor

Yes, I believe. The bind user was created as a service account with privileges to do AD search and sync. I will check with them again.

Re: no usersync after configuring ranger with active directory

Expert Contributor

@Joshua Adeleke

Please check if there are any errors in ranger usersync logs (generally located at /var/log/ranger/usersync/usersync.log). This can give you a clue on where the issue can be. There can be two possibilities for users not syncing to ranger:

1. Failure to query AD/LDAP server. This failure can be seen in usersync logs, or the usersync AD config is not returning any matching users/groups from the AD server. This can further be analyzed using the LDAP connection tool as specified by @Ayub Khan.

2. Usersync module fails to update ranger admin/db with users/groups sync'd from AD. This will generally be logged in usersync logs and is generally self-explanatory, like usersync authorization failure with ranger, etc.

Re: no usersync after configuring ranger with active directory

Expert Contributor

Hi @Ayub Khan @spolavarapu I confirmed that the bind user created has read rights to the active directory (AD). My expectation was that I could use ranger to control access to AD users in HDP and NiFi. If ranger has details of the AD users, then we can control which users access what (say user a has access to some hive tables and only some columns). Also, we need this on NiFi as well.

I also don't want users to login to the Ranger UI, but @Sagar Shimpi's LDAP integration writeup says AD/LDAP users can login to the ranger UI to test usersync.