Since you are using ldaps, I am assuming the SSL handshake passes. Have you noticed any errors in the Ranger admin logs (xa_portal.log)? Can you enable debug level for the Ranger admin logs? And if possible, can you try strace (if using ldaps) or tcpdump (if using ldap)? The trace will tell exactly what request is sent and what response we are getting.
From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Thursday, April 20, 2017 at 8:26 AM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

That is successful. I used my Domain\sAMAccountName for the -D parameter of ldapsearch and received a successful query response from AD.

ldapsearch -H ldaps://[myserver]:636 -x -D 'Domain\sAMAccountName' -W -b '[basedn]' -d 1

Thanks,
Jon

From: Sailaja Polavarapu [[email protected]]
Sent: Wednesday, April 19, 2017 6:01 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Thanks for the clarification. One last question – with ldapsearch, have you tried using your samaccountname as bindDN (in the format DOMAIN\sAMAccountName)? In ranger we first search for the login user using admin bind credentials that are configured and then perform a bind with the login user credentials. Since you mentioned ldapsearch is already working, we can try using the login user as the bind user in the ldapsearch command. Hope this helps.

Thanks,
Sailaja.

From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Wednesday, April 19, 2017 at 4:02 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

And yes, Ambari.

From: Jon Morisi
Sent: Wednesday, April 19, 2017 4:55 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

Sorry, typo / misspoke. What I meant was ldap-utils. I am using AD.
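Sailaja's description of the Ranger login sequence (search for the login user with the configured admin bind, then bind with the login user's own credentials), replayed with ldap-utils as an added example that is not from this thread or the Ranger project. It assumes ldapsearch, ldapwhoami and base64 are installed, that the second bind uses the DN returned by the search, and that the arguments mirror ranger.ldap.ad.base.dn and ranger.ldap.ad.user.searchfilter; the script name check.sh and the RANGER_ADMIN_PW / USER_PW variables are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: replay Ranger's two-step AD login with
# ldap-utils. Assumes ldapsearch, ldapwhoami and base64 are installed and that
# the arguments mirror ranger.ldap.ad.base.dn / ranger.ldap.ad.user.searchfilter.

# Expand the searchfilter template: every "{0}" becomes the login name.
# (A login name containing ( ) * or \ would need RFC 4515 escaping first.)
build_filter() {
    t=$1 u=$2 out=""
    while :; do
        case $t in
            *\{0\}*) out="$out${t%%\{0\}*}$u"; t=${t#*\{0\}} ;;
            *)       out="$out$t"; break ;;
        esac
    done
    printf '%s\n' "$out"
}

# Take the first entry's DN from ldapsearch's LDIF output. AD returns a DN
# containing non-ASCII characters base64-encoded on a "dn:: " line.
extract_dn() {
    dn=$(printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1)
    if [ -z "$dn" ]; then
        b64=$(printf '%s\n' "$1" | sed -n 's/^dn:: //p' | head -n 1)
        if [ -n "$b64" ]; then dn=$(printf '%s' "$b64" | base64 -d); fi
    fi
    printf '%s\n' "$dn"
}
# Step 1: search for the login user with the configured admin bind.
# Step 2: bind as the DN that was found, using the user's own password.
# A filter without {0} (e.g. objectClass=user) matches many entries at step 1,
# so step 2 binds as whichever DN came first and is rejected.
ranger_login_check() {
    url=$1 admin_dn=$2 admin_pw=$3 base_dn=$4 template=$5 user=$6 user_pw=$7
    filter=$(build_filter "$template" "$user")
    ldif=$(ldapsearch -LLL -H "$url" -x -D "$admin_dn" -w "$admin_pw" \
                      -b "$base_dn" "$filter" 1.1) || return 1
    dn=$(extract_dn "$ldif")
    [ -n "$dn" ] || { echo "step 1: $filter matched nothing under $base_dn" >&2; return 1; }
    echo "step 1 ok: $dn"
    ldapwhoami -H "$url" -x -D "$dn" -w "$user_pw" >/dev/null ||
        { echo "step 2: bind as $dn rejected (wrong password or wrong DN)" >&2; return 1; }
    echo "step 2 ok: user bind accepted"
}

# Usage: RANGER_ADMIN_PW=.. USER_PW=.. sh check.sh --run URL ADMIN_DN BASE_DN FILTER USER
if [ "${1:-}" = "--run" ]; then
    ranger_login_check "$2" "$3" "$RANGER_ADMIN_PW" "$4" "$5" "$6" "$USER_PW"
fi
```

Running it once with "(sAMAccountName={0})" and once with "objectClass=user" shows which of the two steps a given searchfilter fails at, which the single "Wrong Password" audit entry does not tell you.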
From: Sailaja Polavarapu [[email protected]]
Sent: Wednesday, April 19, 2017 4:49 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,
You have OpenLDAP? (I thought it was Active Directory.) In Ranger, for authentication, AD and LDAP are treated differently, and the configuration properties are also different. As you can see from the documentation, we have two sections – one for "Configuring Ranger LDAP Authentication" (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_ldap_authentication) and the other for "Configuring Ranger Active Directory Authentication" (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_active_directory_authentication). Can you please confirm which one you are using? And are you using Ambari for managing Ranger or a manual install?

From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Wednesday, April 19, 2017 at 3:43 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

ranger.ldap.ad.base.dn is my domain, for example DC=example,DC=com. I do have openLDAP installed and am able to verify that I am using the sAMAccountName via ldapsearch.

From: Sailaja Polavarapu [[email protected]]
Sent: Wednesday, April 19, 2017 4:33 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Can you also check what is the value assigned to "ranger.ldap.ad.base.dn"? And is the user logging in using sAMAccountName?
From: Jon Morisi <[email protected]>
Reply-To: [email protected]
Date: Wednesday, April 19, 2017 at 3:19 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

Yes, I did. I saw this: https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html ... and tried various settings for ranger.ldap.ad.user.searchfilter, with no luck. The recommended value from Ambari was "(sAMAccountName={0})", which I just now tried. The original value I had was "objectClass=user". I decided to play with it a bit more and tried a space " " as suggested by @Avijeet Dash in the aforementioned link, but that didn't resolve the issue either. (I still receive "Wrong Password".)

Thanks,
Jon

From: Kashif Khan [[email protected]]
Sent: Wednesday, April 19, 2017 3:36 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,
Did you set up Ranger Authentication to AD? Here is the doc with steps.
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html

Thanks,
Kashif

On Wed, Apr 19, 2017 at 5:27 PM, Jon Morisi <[email protected]> wrote:

Hi,
I'm currently running HDP-2.5.3.0 / Ranger – 0.6.0 and have Ranger Usersync set up and running with Active Directory. Is it possible for those AD users that come in from usersync to log in to the Ranger Admin UI, or do I need to set up "internal" accounts for Ranger Admin UI access? The reason I ask is that I get "Wrong Password" messages in the Ranger Audit > Login Sessions when I try to log in with my Active Directory account. (I modified my account to be an "Admin" Role following the initial import from usersync.)

Thanks,
Jon

--
Thanks,
Kashif
