Member since
03-11-2016
36
Posts
1
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1536 | 10-06-2016 03:26 PM |
04-30-2021
01:28 AM
@vidanimegh ,i have changed referral to follow but still users not sync to Ranger also not able to find any error in the usersync.log. Please find below config parameters and request you to pleases suggest if anything needs to be correct. ldapUrl: ldaps://ad.HWX.COM:636, ldapBindDn: CN=user1,OU=bda,DC=HWX,DC=COM, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [OU=bda,DC=HWX,DC=COM], userSearchScope: 2, userObjectClass: user, userSearchFilter: ((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM)), extendedUserSearchFilter: (&(objectclass=user)((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM))), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [DC=HWX,DC=COM], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: *, extendedGroupSearchFilter: (&(objectclass=group)(*)(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(*)), groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [member, cn], groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: follow
... View more
09-16-2020
03:27 PM
I believe this will fail if you stop your job today and run it tomorrow.. now will change to other day and you will miss the data...
... View more
04-09-2018
08:57 AM
@Geoffrey Shelton Okot ..Thanks for the update. It worked, also want to add one thing that one of my namenode port was occupied by previous running instance[java.net.BindException: Port in use: 0.0.0.0:50070]and the Ambari was not showing any message for that , so checked my namenode logs on the server itself. After killing the old PID and restart did the trick.
... View more
09-21-2017
08:51 PM
@Anwaar Siddiqui Great it works for you. Please accept the answer. You can't just upgrade one component in the stack. You have to consider moving to HDP-2.6.X latest version which has Knox 0.12. Hope this helps.
... View more
02-07-2018
06:19 AM
I had same problem "ranger can sync users with ldap but can't login to ranger UI with ldap password." Finally I could solved this problem, so, let me share lessons learned and how I solved to help you guys who has same problem as I faced. lessons learned 1. We have to configure ranger admin to speak ldaps protocol if we want to use ldaps for user authentication. paramaters in ranger-admin-site: ranger.truststore.file, ranger.truststore.password I had to import self-signed CA from LDAP team to "/etc/ranger/admin/conf/ranger-admin-keystore.jks". Set password which I specified for this import to "ranger.truststore.password". Command example: keytool -importcert -alias rangeradmin -noprompt -trustcacerts -file ./ca.crt -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -storepass xasecure ref: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/configure_non_ambari_ranger_ssl_self_signed_cert_admin.html 2. setting syncing user info with ldap and setting to use ldap for authentication are technically different. For example, we can use ldap authentication for ranger UI login even when we disable "Enable User Sync". In other words, we can use ldap authentication when "Ranger Usersync" service is not running. 3. debug logs from "org.springframework" and "org.apache.ranger" were very useful for the trouble shooting. We can change the log level with "admin-log4j.xml". log4j.category.org.springframework=debug,xa_log_appender log4j.category.org.apache.ranger=debug,xa_log_appender 4. Here are the key configurations for ldap authentication (not for user sync with ldap.) Authentication method: LDAP LDAP URL: ldaps://xxxxxx User Search Filter: (uid={0}) Group Search Filter: (member=uid={0},ou=xxxxx,o=xxxxx) ranger.ldap.user.dnpattern: uid={0},ou=xxxxx,o=xxxxx ranger.truststore.file: /etc/ranger/admin/conf/ranger-admin-keystore.jks <= in case with ldaps. ranger.truststore.password: xasecure <= in case with ldaps. this is the passwoed you set when you import ca to jks. I hope, this memo help guys who have same problem as I faced 🙂
... View more
11-03-2016
03:28 PM
2 Kudos
@Anwaar Siddiqui Anwaar, The myid file value has to match the list of zookeeper servers in the order they are listed in the state-management.xml file. For example in the state-management file, we list the zookeeper servers <property name="Connect String">daves-nifi-cluster-2:2181,daves-nifi-cluster-3:2181,daves-nifi-cluster-4:2181</property> so on server daves-nifi-cluster-2 the value in the myid file on that server would be 1 so on server daves-nifi-cluster-3 the value in the myid file on that server would be 2 so on server daves-nifi-cluster-4 the value in the myid file on that server would be 3 In HDF 2.0/NiFi 1.0 you need to create a state/zookeeper directory on the same level as the conf, not inside of conf, directory, make sure you put the myid file in that state/zookeeper directory
... View more
11-01-2016
01:17 PM
2 Kudos
@Anwaar Siddiqui With Nifi running as http (non-secure) there is no way to differentiate between users who access the UI. To NiFi everyone is the same anonymous user. Two or more people can still work on their own dataflows within a non-secured NiFi, but there is no way to prevent each user from modifying another users dataflow. Once NiFi is running as https (secured), some mechanism must be but in place to authenticate the users who will be accessing the canvas. Currently supported user authentication methods include TLS user certificates (default), LDAP, or kerberos. Through user authentication NiFi can now distinguish between users. After authentication comes authorization. Authorization is handled by NiFi (default) or Apache Ranger. This authorization layer is used to grant specific access policies to specific authenticated users. Things like controlled access to specific components (processors, process groups, controller services, etc.) are handled through this authorization. While every user still access the same canvas, this allows you to control what components can be seen and modified down to a specific user if desired. Thanks, Matt
... View more
10-06-2016
03:26 PM
@Krishna Pandey @Sagar Shimpi Its working now as my 389 port was blocked on my VM having LDAP running..Thanks.!!
... View more