Configuring Ranger Usersync with AD/LDAP depends heavily on the customer environment. It requires an understanding of that environment as well as of the specific requirements for syncing users and groups.
In this article we take a common use case and see how Ranger Usersync can be configured for that scenario. Ranger Usersync supports various configuration options with AD/LDAP; details are available here.
Use case: Sync all the users who are members of a specific group(s)
This use case can be handled in multiple ways, depending on the AD/LDAP attributes available on the server. In Active Directory, a user entry carries the group(s) it belongs to in its “memberof” attribute, and a group entry carries the user(s) that belong to it in its “member” attribute. A default installation of an OpenLDAP server, on the other hand, does not provide a “memberof” attribute on the user, so the only way to retrieve the users that belong to a group is through the group’s “member” attribute.
Let’s take an example in Active Directory where we want to sync all the users that belong to the groups “hdp_testing”, “hdp_admin”, or “dev_ops”.
The output above shows all the available attributes for a user. Note: the highlighted attributes are the ones relevant to the usersync configuration.
In this case user8 is a member (“memberof”) of 4 groups: hdp_testing, dev_ops, test_groups, and security_groups.
As you can see, users from hdp_testing, dev_ops, or hdp_admins can be synced to Ranger by performing either:
a user search using the “memberof” attribute in the user search filter -- User based search
a group search using the “member” attribute -- Group based search
Ranger Usersync configuration contains three sets of configuration:
Common Configs: Ldap Url and bind credentials
User Configs: Attributes related to users, such as sAMAccountName, the OU(s) of the users, the user search filter, memberof, etc.
Group Configs: Attributes related to groups, such as sAMAccountName, the OU(s) of the groups, the group search filter, member, etc.
Following is the screenshot of the Common Configs properties configured for the above example:
Please note the following:
From HDP 2.6 onwards Ranger Usersync supports “Incremental Sync” and is enabled by default.
For clusters that are upgraded from an older version to 2.6, “Incremental Sync” is disabled.
When “Incremental Sync” is enabled, “Enable Group Sync” is set to “true” by default and the properties under “Group Configs” are mandatory.
Configuring Ranger Usersync for User based search:
Here users are searched based on the attributes available on the user entry, and group information is taken from the user’s “memberof” attribute. In this case the two main parts that need to be configured in Ranger Usersync are the properties under “Common Configs” and “User Configs”. Optionally, the properties under “Group Configs” can be configured where customers want to limit or filter the groups that these users belong to. As you can see in the above example, user8 belongs to 4 groups: hdp_testing, dev_ops, test_groups, and security_groups. If we are interested only in the groups hdp_testing and dev_ops, the “Group Configs” properties can be set accordingly.
Following are the screenshots of User Configs and Group Configs properties configured for the above example with User based search:
Configuring Ranger Usersync for Group based search:
In this case Ranger Usersync performs the group search first, based on the group configuration. Here users are found through the attributes available on the group entries, and user information is taken from the group’s “member” attribute. In this case the two main parts that need to be configured in Ranger Usersync are the properties under “Common Configs” and “Group Configs”. Optionally, the properties under “User Configs” can be configured where customers want to limit or filter the users that belong to these groups.
Following are the screenshots of the Group Configs and User Configs properties configured for the above example with Group based search:
Note:- “Enable Group First Search” must be set to “true” in order to perform Group based search.
Please note the following:
“Enable User Search” is set to false by default.
When “Enable User Search” is set to “false”:
none of the properties under “User Configs” are used by Ranger Usersync
users are synced using the group’s member attribute, which in many cases contains the CN (Firstname Lastname) of the user, not the account name.
In order to sync users by sAMAccountName, “Enable User Search” must be set to “true” and “Username Attribute” must be set to “sAMAccountName”.
Note:- With “Enable User Search” set to true, all other user configs still have to be set appropriately, such as the user search base and the user object class. The user search filter can be set to “sAMAccountName=*”.
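The two strategies described above (User based search via “memberof”, Group based search via “member”), together with the CN versus sAMAccountName difference from the last note, as an added example that is not part of the original article and not Ranger’s own code. The base DN, the OU layout, the user entries and the objectClass value are constructed assumptions, not values from the article.

```python
# Added example, not part of the original article: models the two Ranger Usersync
# strategies (user based search via memberOf, group based search via member) against a
# constructed AD-style directory. Base DN, OU layout and user entries are made up.
BASE_DN = "DC=example,DC=com"  # constructed placeholder

def group_dn(name):
    return f"CN={name},OU=Groups,{BASE_DN}"  # OU=Groups is an assumed layout

def cn_of(dn):  # first RDN value: 'CN=User Eight,OU=...' -> 'User Eight'
    return dn.split(",")[0].split("=", 1)[1]

# Constructed user entries; memberOf mirrors what AD returns for a user object.
USERS = [
    {"dn": f"CN=User Eight,OU=Users,{BASE_DN}", "sAMAccountName": "user8",
     "memberOf": [group_dn(g) for g in ("hdp_testing", "dev_ops", "test_groups", "security_groups")]},
    {"dn": f"CN=User Nine,OU=Users,{BASE_DN}", "sAMAccountName": "user9",
     "memberOf": [group_dn("hdp_admin")]},
    {"dn": f"CN=User Ten,OU=Users,{BASE_DN}", "sAMAccountName": "user10",
     "memberOf": [group_dn("test_groups")]},
]
# Groups carry the reverse link in their member attribute: user DNs, not account names.
GROUPS = {g: [u["dn"] for u in USERS if group_dn(g) in u["memberOf"]]
          for g in ("hdp_testing", "hdp_admin", "dev_ops", "test_groups", "security_groups")}
TARGET_GROUPS = ("hdp_testing", "hdp_admin", "dev_ops")

def user_search_filter(groups, user_object_class="person"):
    """User search filter for user based search: one memberOf clause per target group DN."""
    clauses = "".join(f"(memberOf={group_dn(g)})" for g in groups)
    return f"(&(objectClass={user_object_class})(|{clauses}))"

def user_based_sync(groups, group_filter=None):
    """Match users by memberOf; an optional Group Configs filter limits the groups kept."""
    wanted = {group_dn(g) for g in groups}
    synced = {}
    for u in USERS:
        if wanted & set(u["memberOf"]):
            names = [cn_of(dn) for dn in u["memberOf"]]
            if group_filter is not None:
                names = [n for n in names if n in group_filter]
            synced[u["sAMAccountName"]] = sorted(names)
    return synced

def group_based_sync(groups, enable_user_search=False):
    """Walk member DNs; without user search the name is the DN's CN, with it sAMAccountName."""
    by_dn = {u["dn"]: u for u in USERS}
    synced = {}
    for g in groups:
        for member_dn in GROUPS[g]:
            name = by_dn[member_dn]["sAMAccountName"] if enable_user_search else cn_of(member_dn)
            synced.setdefault(name, set()).add(g)
    return {name: sorted(gs) for name, gs in synced.items()}
```

Running `group_based_sync(TARGET_GROUPS)` with the default yields “User Eight” and “User Nine” as the synced names, which is the CN mismatch the note above warns about; passing `enable_user_search=True` yields user8 and user9.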