Sorry typo / misspoke.  What I meant was ldap-utils.  I am using AD.

From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 4:49 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,
You have OpenLDAP? (I thought it is Active Directory.)
In Ranger for authentication AD and LDAP are treated differently. And the 
configuration properties are also different. As you can see from the 
documentation, we have two sections – one for "Configuring Ranger LDAP 
Authentication" 
<https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_ldap_authentication>
and the other for "Configuring Ranger Active Directory Authentication" 
<https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_active_directory_authentication>.
Can you please confirm which one you are using? And are you using Ambari for 
managing Ranger or a manual install?


From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Wednesday, April 19, 2017 at 3:43 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

ranger.ldap.ad.base.dn is my domain, for example DC=example,DC=com

I do have openLDAP installed and am able to verify that I am using the 
sAMAccountName via ldapsearch.

From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 4:33 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Can you also check what is the value assigned to “ranger.ldap.ad.base.dn”? And 
is the user logging in using sAMAccountName?

From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Wednesday, April 19, 2017 at 3:19 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

Yes, I did.  I saw this: 
https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html
... and tried various settings for ranger.ldap.ad.user.searchfilter, with no 
luck.
The recommended value from Ambari was “(sAMAccountName={0})”, which I just now 
tried.
The original value I had was “objectClass=user”.

I decided to play with it a bit more and tried a space “ “ as suggested by 
@Avijeet Dash in the aforementioned link, but that didn’t resolve the issue 
either.  (I still receive “Wrong Password”)

Thanks,
Jon


From: Kashif Khan [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 3:36 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,

Did you set up Ranger Authentication to AD? Here is the doc with steps.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html


Thanks,
Kashif

On Wed, Apr 19, 2017 at 5:27 PM, Jon Morisi <[email protected]> wrote:
Hi,
I’m currently running HDP-2.5.3.0 / Ranger – 0.6.0 and have Ranger Usersync 
set up and running with Active Directory.

Is it possible for those AD users that come in from usersync to log in to the 
Ranger Admin UI, or do I need to set up “internal” accounts for Ranger Admin UI 
access?

The reason I ask is that I get “Wrong Password” messages in the Ranger Audit > 
Login Sessions when I try to log in with my Active Directory account.  (I 
modified my account to be an “Admin” Role following the initial import from 
usersync.)

Thanks,
Jon




--
Thanks,
 Kashif
