If they can create a user with the lowest privilege, then it will be great.

Thanks

Bosco


On 3/20/17, 2:37 AM, "Loïc Chanel" <[email protected]> wrote:

    Bosco, Mugdha, thanks for your inputs.
    
    I know this is not recommended, but as the LDAP is in a private network and
    we just pull the username and groups associated to it, this is not much of
    a security issue from our point of view.
    
    But if Ranger does not support it anymore, I'll ask my security team if it
    is possible to create a technical user whose only role will be to read into
    the LDAP like an anonymous user.
    
    Thanks,
    
    
    Loïc
    
    Loïc CHANEL
    System Big Data engineer
    MS&T - WASABI - Worldline (Villeurbanne, France)
    
    2017-03-17 22:37 GMT+01:00 Don Bosco Durai <[email protected]>:
    
    > Mugdha, thanks for clarifying.
    >
    >
    >
    > Loïc, anonymous bind is generally not recommended due to security issues.
    > Is it possible for you to create a lookup/bind user?
    >
    >
    >
    > Thanks
    >
    >
    >
    > Bosco
    >
    >
    >
    >
    >
    > *From: *Mugdha Varadkar <[email protected]>
    > *Reply-To: *<[email protected]>
    > *Date: *Friday, March 17, 2017 at 5:12 AM
    > *To: *<[email protected]>
    > *Cc: *<[email protected]>
    > *Subject: *Re: UserSync with anonymous bind
    >
    >
    >
    > Hi,
    >
    >
    >
    > Anonymous bind is just a property available on Ambari UI to toggle "Bind
    > User Password" property. The property is not persisted in any xml config
    > files. Ranger doesn't support LDAP sync with Anonymous bind DN. The
    > property was added in Ambari-2.2.0 to recommend the same LDAP instance used
    > by Ambari using Anonymous bind LDAP server.
    >
    > In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be
    > available.
    > Here is the Apache jira: https://issues.apache.org/jira/browse/AMBARI-19437
    >
    >
    >
    > Thanks,
    > Mugdha Varadkar
    >
    >
    >
    > On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <[email protected]> wrote:
    >
    > Copying Ambari mailing list also. Mugdha or Gautam who worked on the
    > Ambari stack for Ranger should be able to give more insights.
    >
    >
    >
    > Bosco
    >
    >
    >
    >
    >
    > From: Loïc Chanel <[email protected]>
    > Reply-To: <[email protected]>
    > Date: Thursday, March 16, 2017 at 7:51 AM
    > To: <[email protected]>
    > Subject: UserSync with anonymous bind
    >
    >
    >
    > Hi fellow Ranger users,
    >
    >
    >
    > As I was working on user synchronization from a LDAP with anonymous bind
    > to populate Ranger, I met the same issue as I did almost two years ago:
    > even if I provide Ambari with the property "Anonymous bind", the property
    > is ignored and either Ambari complains that I didn't provide Ranger with a
    > password for LDAP bind, or Ranger UserSync doesn't work because of bad
    > credentials when binding the LDAP. Even more mysterious is the fact that
    > the property cannot be found in the XML properties files.
    >
    >
    >
    > At the time I first needed this, I used a manual setting I described in
    > that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP ) but as the configuration changed
    > (I'm using Ranger 0.5.0 with Ambari 2.2.2.0) it doesn't work anymore.
    >
    >
    >
    > Did someone meet the same issue? Is there a workaround/patch?
    >
    > Thanks for your help,
    >
    >
    >
    >
    >
    > Loïc
    >
    >
    > Loïc CHANEL
    > System Big Data engineer
    > MS&T - WASABI - Worldline (Villeurbanne, France)
    >
    >
    >
    

