On 22/02/2017 19:28, Sailaja Polavarapu wrote:
> Hi Nigel Jones,
> As part of incremental sync support for ranger, I was reading through MS AD documentation for the memberof attribute. According to the documentation, it looks like the memberof attribute value is not stored and is always computed on the fly from the member attribute of the group.
> In the OpenLDAP case, the memberof attribute is not enabled by default as part of the schema. It has to be enabled manually. As far as I know, OpenLDAP doesn't maintain the back-link between the memberof attribute of the user and the member/memberUid attribute of the group. It is up to the admin to create these values while adding/updating the users and groups. And the memberof attribute is stored in the schema and the value is retrieved as is, without any computation from the group member attribute.

Thanks, it does look like I have a workable solution to go with (to be verified of course)

* Get a list of roles that will participate in this environment (in fact these will be sourced from Apache Atlas, as that stores some entity:role associations in our case)
* Query ldap for the users in those roles (ldap groups)
* Push as user/groups into ranger with a new "usersync" process

This preserves the current approach ranger takes with just a tweak to the source of the user & role information ;-)
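
As an added illustration of the three steps above (not code from this thread or from Ranger), the following constructed Python example builds the user/group mapping from the groups' member attribute, the way AD computes memberof on the fly, and flags user entries whose hand-maintained memberof has drifted from that back-link, which is the OpenLDAP risk Sailaja describes. The base DN, the group_dn/user_dn helpers, the role names and all directory entries are assumptions made up for the example.

```python
# Added example, not from the thread: derive the user/group mapping for a
# Ranger-style usersync from the groups' "member" attribute, and flag user
# entries whose stored "memberof" disagrees with that computed back-link.
BASE = "dc=example,dc=com"  # assumed base DN

def group_dn(cn):
    return f"cn={cn},ou=groups,{BASE}"

def user_dn(uid):
    return f"uid={uid},ou=people,{BASE}"

# Constructed group entries, keyed by DN, as an LDAP search would return them.
GROUPS = {
    group_dn("data-analysts"): {"member": [user_dn("alice"), user_dn("bob")]},
    group_dn("hive-admins"): {"member": [user_dn("alice")]},
    group_dn("unrelated"): {"member": [user_dn("carol")]},
}

# Constructed user entries: alice is missing hive-admins, bob has a stale entry.
USERS = {
    user_dn("alice"): {"memberof": [group_dn("data-analysts")]},
    user_dn("bob"): {"memberof": [group_dn("data-analysts"), group_dn("hive-admins")]},
    user_dn("carol"): {"memberof": [group_dn("unrelated")]},
}

def compute_memberships(roles, groups):
    """user DN -> set of roles, built only from group member attributes, limited to the given roles."""
    memberships = {}
    for role in roles:
        for member in groups.get(group_dn(role), {}).get("member", []):
            memberships.setdefault(member, set()).add(role)
    return memberships

def memberof_drift(roles, memberships, users):
    """Users whose stored memberof (within the role scope) differs from the computed back-link."""
    scope = {group_dn(r) for r in roles}
    drift = {}
    for dn, entry in users.items():
        stored = set(entry.get("memberof", [])) & scope
        computed = {group_dn(r) for r in memberships.get(dn, set())}
        if stored != computed:
            drift[dn] = {"missing": computed - stored, "stale": stored - computed}
    return drift

def usersync_records(memberships):
    """Records in the shape a usersync process would push: uid plus its sorted groups."""
    return [{"user": dn.split(",")[0].split("=", 1)[1], "groups": sorted(g)}
            for dn, g in sorted(memberships.items())]
```

Running memberof_drift before pushing usersync_records catches the case where an admin-maintained memberof would have granted or withheld a role that the group's member attribute does not agree with.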

