Bosco, Mugdha, thanks for your inputs.

I know this is not recommended, but as the LDAP is in a private network and
we just pull the username and groups associated to it, this is not much of
a security issue from our point of view.

But if Ranger does not support it anymore, I'll ask my security team if it
is possible to create a technical user whose only role will be to read into
the LDAP like an anonymous user.

Thanks,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2017-03-17 22:37 GMT+01:00 Don Bosco Durai <bo...@apache.org>:

> Mugdha, thanks for clarifying.
>
>
>
> Loïc, anonymous bind is generally not recommended due to security issues.
> Is it possible for you to create a lookup/bind user?
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
>
>
> *From: *Mugdha Varadkar <mugdha.varadkar...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Friday, March 17, 2017 at 5:12 AM
> *To: *<user@ranger.apache.org>
> *Cc: *<d...@ambari.apache.org>
> *Subject: *Re: UserSync with anonymous bind
>
>
>
> Hi,
>
>
>
> Anonymous bind is just a property available on Ambari UI to toggle "Bind
> User Password" property. The property is not persisted in any xml config
> files. Ranger doesn't support LDAP sync with Anonymous bind DN. The
> property was added in Ambari-2.2.0 to recommend the same LDAP instance used
> by Ambari using Anonymous bind LDAP server.
>
> In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be
> available.
> Here is the Apache jira:
> https://issues.apache.org/jira/browse/AMBARI-19437
>
>
>
> Thanks,
> Mugdha Varadkar
>
>
>
> On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <bo...@apache.org> wrote:
>
> Copying Ambari mailing list also. Mugdha or Gautam who worked on the
> Ambari stack for Ranger should be able to give more insights.
>
>
>
> Bosco
>
>
>
>
>
> From: Loïc Chanel <loic.cha...@telecomnancy.net>
> Reply-To: <user@ranger.apache.org>
> Date: Thursday, March 16, 2017 at 7:51 AM
> To: <u...@ranger.incubator.apache.org>
> Subject: UserSync with anonymous bind
>
>
>
> Hi fellow Ranger users,
>
>
>
> As I was working on user synchronization from an LDAP with anonymous bind
> to populate Ranger, I met the same issue as I did almost two years ago:
> even if I provide Ambari with the property "Anonymous bind", the property
> is ignored and either Ambari complains that I didn't provide Ranger with a
> password for LDAP bind, or Ranger UserSync doesn't work because of bad
> credentials when binding the LDAP. Even more mysterious is the fact that
> the property cannot be found in the XML properties files.
>
>
>
> At the time I first needed this, I used a manual setting I described in
> that documentation
> ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP )
> but as the configuration changed (I'm using Ranger 0.5.0 with Ambari
> 2.2.2.0) it doesn't work anymore.
>
>
>
> Did someone meet the same issue? Is there a workaround/patch?
>
> Thanks for your help,
>
>
>
>
>
> Loïc
>
>
> Loïc CHANEL
> System Big Data engineer
> MS&T - WASABI - Worldline (Villeurbanne, France)
>
>
>
