[
https://issues.apache.org/jira/browse/RANGER-1735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16484457#comment-16484457
]
Anant Aneja commented on RANGER-1735:
-------------------------------------
Looking at the design doc and the code, I'm unclear what will happen in this
scenario:
1. I have groups set up in my LDAP server as
   Group1: user1
   Group2: user2
   Group3: user3
   Group4: Group1, Group2, user4
2. Group Sync is enabled and Group Search First is also enabled
3. Group search filter is specified as: (|(CN=Group1)(CN=Group2)(CN=Group4))
Will Group3 be synced in this case?
The design doc says: If nested group evaluation is enabled, then usersync
performs an ldap search on the groups that contain any of the *already
retrieved groups* as members.
Since Group3 is *not* a part of the search filter, it will *not* be a part of
'already retrieved groups' and so Group3 and its users will not be synced?
> Support representing nested group memberships in Ranger Admin
> -------------------------------------------------------------
>
> Key: RANGER-1735
> URL: https://issues.apache.org/jira/browse/RANGER-1735
> Project: Ranger
> Issue Type: New Feature
> Components: Ranger, usersync
> Affects Versions: 0.7.1
> Reporter: Sailaja Polavarapu
> Assignee: Sailaja Polavarapu
> Priority: Major
> Fix For: 1.0.0, 0.7.2
>
> Attachments:
> 0001-RANGER-1735-Support-representing-nested-group-member.patch, Ranger
> Usersync - Nested Group Support.docx
>
>
> Several large enterprises have their groups in LDAP/AD nested within other
> groups. Since Ranger user sync currently only pulls in the immediate group,
> it is possible that some nested memberships might not be available for policy
> authoring. Hadoop user-group mapping already supports nested LDAP/AD groups
> for policy enforcement at the Ranger plugin.