If the performance of the LDAP server ever becomes a bottleneck, I would rather see a dedicated/embedded LDAP server which is synchronized automatically from the main LDAP server. I guess this could be more easily implemented than a complex partial synchronization/cache scenario.
Regards,
Zsombor

On Fri, Feb 10, 2017 at 8:11 PM, Sailaja Polavarapu <[email protected]> wrote:

> Just want to add a few more points inline...
>
> >> - what additional attributes are pulled
> Currently we pull the following attributes as part of the LDAP search:
> For Users: username (like uid, samaccountname, etc.) and user group member
> attribute (memberof, ismemberof, etc.)
> For Groups: group member attribute (member, memberuid, etc.) and group
> name attribute (cn, samaccountname, etc.)
>
> All these are configurable properties in usersync.
>
> Thanks,
> Sailaja.
>
> On 2/10/17, 9:26 AM, "Nigel Jones" <[email protected]> wrote:
>
> >On 10/02/2017 17:07, Don Bosco Durai wrote:
> > > 1. Ranger should have an option just to sync Group (without
> > >users). We should be already supporting it or there was an intention to
> > >support. If we are not doing it for any reason, I am a strong +1 for
> > >doing it.
> >I'll experiment with this - only working off the docs so far, trying it
> >out is next :-)
> [Sailaja]: Currently we support syncing groups that don't contain any
> users. But if the group contains users (as part of the member attribute), we
> still sync those users. Of course, you can tweak the user search
> configuration in order to not sync users by providing an
> invalid/non-matching user search filter. This is kind of a dirty workaround.
> Same is the case with syncing just users and not groups.
> I agree that it will be better if we can support syncing just users or
> just groups for flexibility.
>
> > > 2. Direct LDAP would have been ideal, but we were worried about
> > >the load we might put on LDAP for real-time queries. Just FYI, Ranger
> > >uses LDAP/AD for authentication and easy selection of users/groups
> > >during policy creation. For authentication, it is already real-time (even
> > >though I would have preferred to get the roles also in real-time).
> >A fair concern, though at least it's only at connect time. The
> >enterprise I spoke to didn't seem to think it was a concern. I'll start
> >with option #1 though.
> [Sailaja]: The other main reason that we are syncing users/groups from LDAP
> upfront is to make these available for configuring policies in Ranger.
>
> > > If you have a very high number of users/groups, then the short-term
> > >recommendation is to apply LDAP filters and limit syncing users only
> > >to those using Hadoop.
> >This will be extending outside Hadoop - I'm trying to determine how to
> >constrain the LDAP query to the users using the relevant systems. I can
> >potentially obtain a list of groups from elsewhere via a new usersync
> >process, and then go back into LDAP to query membership, which would look
> >the same to Ranger, just modify that sync.
> >
> >Thanks for the info!
> >
> >Nigel.
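The two things the thread keeps coming back to, a user search filter restricted to members of a known set of groups and the "non-matching user search filter" trick for syncing groups only, are both just LDAP filter strings handed to usersync's configurable search-filter properties. The following is an added example written for this page, not Ranger's own code: it builds those filters under the assumptions that the directory uses RFC 4515 filter syntax, that user entries carry a membership attribute (memberOf by default here) and group entries carry a member attribute, and that the list of group names or DNs comes from an untrusted external system, which is why every value is escaped before it is interpolated. The object classes, attribute names and sample DNs are constructed placeholders.

```python
"""Build LDAP search filters that constrain what a user/group sync pulls.

Added example, not Ranger's own code. Assumes RFC 4515 filter syntax and an
AD/OpenLDAP-style directory where user entries carry a group membership
attribute (memberOf) and group entries carry a member attribute (member);
both attribute names are parameters because, as the thread notes, they vary
by directory and are configurable in usersync.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion.

    A group name or DN fetched from another system is untrusted input for the
    filter; without escaping, a value like 'ops)(objectClass=*' would close
    the assertion early and widen the sync to the whole directory.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _or_terms(attribute: str, values) -> str:
    """(attr=v) for one value, (|(attr=v1)(attr=v2)...) for several."""
    values = list(values)
    if not values:
        raise ValueError("at least one value is required")
    terms = "".join(f"({attribute}={escape_filter_value(v)})" for v in values)
    return terms if len(values) == 1 else f"(|{terms})"


def group_search_filter(group_names, name_attribute="cn",
                        object_class="groupOfNames") -> str:
    """Group filter limited to the named groups (a list obtained elsewhere)."""
    return f"(&(objectClass={object_class}){_or_terms(name_attribute, group_names)})"


def user_search_filter(group_dns, membership_attribute="memberOf",
                       object_class="person") -> str:
    """User filter matching only members of at least one of the given groups.

    This is the 'apply LDAP filters and limit syncing users' approach: users
    who are in none of the relevant groups are never returned by the search,
    so they never reach the sync.
    """
    return f"(&(objectClass={object_class}){_or_terms(membership_attribute, group_dns)})"


def no_users_filter(object_class="person") -> str:
    """A user filter that can never match, so only groups are synced.

    This is the 'invalid/non-matching user search filter' workaround from the
    thread. A contradiction is used rather than an unknown attribute so the
    empty result does not depend on the server's schema.
    """
    return f"(&(objectClass={object_class})(!(objectClass={object_class})))"


if __name__ == "__main__":
    # Constructed sample group DNs; these are not from any real directory.
    hadoop = "cn=hadoop-users,ou=groups,dc=example,dc=com"
    kafka = "cn=kafka-users,ou=groups,dc=example,dc=com"
    print(group_search_filter(["hadoop-users", "kafka-users"]))
    print(user_search_filter([hadoop, kafka]))
    print(user_search_filter(["cn=ops)(objectClass=*"]))  # injection attempt, escaped
    print(no_users_filter())
```

The resulting strings are what you would put into the usersync user and group search-filter properties the thread describes as configurable; the exact property names differ between Ranger versions, so take them from your own install.properties rather than from this example. Note that restricting users by memberOf only works when the directory maintains that attribute on user entries (AD does; OpenLDAP needs the memberof overlay), otherwise the two-step approach Nigel describes, fetching the groups first and reading their member attribute, is the one to use.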
