Hi Arun,

I see that "SYNC_LDAP_USER_SEARCH_SCOPE" is mis-configured. The accepted values are "one", "base", or "sub". The default value is "sub", which includes searching all the child objects in the search tree. "SYNC_LDAP_USER_SEARCH_FILTER" can be set to "cn=*", which mainly says to get all the users in a given search base.

Please note that many of the properties are highly dependent on the LDAP server that usersync is talking to, and hence the default values might not be the correct ones. For example:

SYNC_LDAP_USER_OBJECT_CLASS --> default is person. But depending on the type of LDAP server this value might vary.
SYNC_GROUP_OBJECT_CLASS --> no default value. Depending on the type of LDAP server this value might vary and might be required for syncing groups.
SYNC_LDAP_USER_NAME_ATTRIBUTE --> default is cn. In the case of AD this is recommended to be set to "sAMAccountName" or some attribute that contains a unique value as the username. In the OpenLDAP case this can be set to "uid".

Note: the username/groupname that is sync'd from the LDAP server is used for authorization in Ranger. Any Hadoop service that is using Ranger should have a matching username/groupname (case sensitive) to the one sync'd from the LDAP server.

Also, Ranger usersync supports many ways of syncing users and groups from the LDAP server. With this, some of the properties need to be configured accordingly. Please refer to the link below for the various options supported for configuring Ranger usersync:
https://community.hortonworks.com/content/kbentry/105623/various-options-supported-in-ranger-usersync-with.html

Hope this helps.

Thanks,
Sailaja.

From: arun kumar <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, August 23, 2017 at 7:35 AM
To: "[email protected]" <[email protected]>
Subject: User sync service throws InvalidAttributeException.

Hi All,

I am trying to integrate the usersync service with LDAP and it is throwing an Invalid Attribute Exception. But the same configuration works on ldapsearch. Any insight is highly appreciated. Here is the configuration and the error log. When I run setup.sh there is no exception, but when I try to start the service I get this exception.
Configuration:

SYNC_SOURCE =ldap
CRED_KEYSTORE_FILENAME=XXXXXX
# SSL Authentication
AUTH_SSL_ENABLED=false
AUTH_SSL_KEYSTORE_FILE=XXXX
AUTH_SSL_KEYSTORE_PASSWORD=xxxxxx
#AUTH_SSL_TRUSTSTORE_FILE=xxxxxxxxxx
AUTH_SSL_TRUSTSTORE_FILE=xxxxxxxx
AUTH_SSL_TRUSTSTORE_PASSWORD=xxxxxxxxxxxx
SYNC_LDAP_URL =ldaps://url:636
SYNC_LDAP_BIND_DN =cn=xxxxxxxxxx_xxxxxx,ou=xxxxxxxx,o=xxxxx-xxxx
SYNC_LDAP_SEARCH_BASE =ou=people,o=xxxxx-xxxx
SYNC_LDAP_USER_SEARCH_BASE=
SYNC_LDAP_USER_SEARCH_SCOPE =cn=*
SYNC_GROUP_SEARCH_BASE=ou=groups,o=xxxxx-xxxx

All other configurations are default.

Error Log:

22 Aug 2017 17:44:45 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
22 Aug 2017 17:44:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
22 Aug 2017 17:44:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
22 Aug 2017 17:44:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19691231060000Z)))
22 Aug 2017 17:44:45 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() failed with exception: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - NDS error: syntax violation (-613)]; remaining name 'ou=people,o=xxx-xxxx'
22 Aug 2017 17:44:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() user count: 0
22 Aug 2017 17:44:45 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
22 Aug 2017 17:44:45 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink
22 Aug 2017 17:44:48 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
22 Aug 2017 17:44:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
22 Aug 2017 17:44:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
22 Aug 2017 17:44:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
22 Aug 2017 17:44:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]

Thanks in advance!!
Arunkumar
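As an added example that is not part of the thread and not Ranger's own code: a small offline check for the two problems discussed above, a search filter written into SYNC_LDAP_USER_SEARCH_SCOPE instead of SYNC_LDAP_USER_SEARCH_FILTER, and Hadoop-side user names that match a sync'd name only when case is ignored. The function names, the SAMPLE_PROPERTIES text (the LDAP lines of the posted configuration, placeholders kept) and the name lists are constructed for this example; the fallback of an empty user search base to SYNC_LDAP_SEARCH_BASE and the shape of the composed delta filter are modelled on the posted log, not taken from Ranger source, so treat both as assumptions.

```python
"""Offline sanity check for a Ranger usersync install.properties fragment.

Added example for this thread, not Ranger's own code. Function names and the
sample properties are constructed; the user-search-base fallback and the
delta-filter shape are modelled on the posted log (assumptions).
"""
import re

VALID_SCOPES = {"base", "one", "sub"}   # the only values usersync accepts

# Constructed sample: the LDAP-relevant lines of the posted configuration,
# placeholders kept as posted. Note the filter sitting in the SCOPE key.
SAMPLE_PROPERTIES = """\
SYNC_SOURCE =ldap
SYNC_LDAP_URL =ldaps://url:636
SYNC_LDAP_BIND_DN =cn=xxxxxxxxxx_xxxxxx,ou=xxxxxxxx,o=xxxxx-xxxx
SYNC_LDAP_SEARCH_BASE =ou=people,o=xxxxx-xxxx
SYNC_LDAP_USER_SEARCH_BASE=
SYNC_LDAP_USER_SEARCH_SCOPE =cn=*
SYNC_GROUP_SEARCH_BASE=ou=groups,o=xxxxx-xxxx
"""

# Something that looks like an RFC 4515 filter item, e.g. cn=* or (mail=*@x)
_FILTER_RE = re.compile(r"^\(?[A-Za-z][\w.;-]*[~<>]?=.*\)?$")


def parse_properties(text):
    """Parse KEY=VALUE lines, tolerating the 'KEY =value' spacing in the post."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_user_search_base(props):
    """Empty SYNC_LDAP_USER_SEARCH_BASE falls back to SYNC_LDAP_SEARCH_BASE
    (assumption: the posted log searched 'ou=people,...', the general base)."""
    return props.get("SYNC_LDAP_USER_SEARCH_BASE") or props.get("SYNC_LDAP_SEARCH_BASE", "")


def check_scope_and_filter(props):
    """Return a list of findings; an empty list means the keys look sane."""
    findings = []
    scope = props.get("SYNC_LDAP_USER_SEARCH_SCOPE", "sub")  # 'sub' is the default
    if scope not in VALID_SCOPES:
        msg = "SYNC_LDAP_USER_SEARCH_SCOPE=%r is not one of %s" % (scope, sorted(VALID_SCOPES))
        if _FILTER_RE.match(scope):
            msg += "; this is a search filter and belongs in SYNC_LDAP_USER_SEARCH_FILTER"
        findings.append(msg)
    flt = props.get("SYNC_LDAP_USER_SEARCH_FILTER", "")
    if flt and flt.count("(") != flt.count(")"):
        findings.append("SYNC_LDAP_USER_SEARCH_FILTER has unbalanced parentheses: %r" % flt)
    if not effective_user_search_base(props):
        findings.append("no user search base: set SYNC_LDAP_USER_SEARCH_BASE or SYNC_LDAP_SEARCH_BASE")
    return findings


def build_user_filter(object_class="person", user_filter="",
                      usn_changed=0, modify_timestamp="19691231060000Z"):
    """Compose the delta-sync filter in the shape the posted log shows, with an
    optional user filter ANDed in (assumed nesting; Ranger's may differ)."""
    if user_filter and not user_filter.startswith("("):
        user_filter = "(" + user_filter + ")"
    delta = "(|(uSNChanged>=%d)(modifyTimestamp>=%s))" % (usn_changed, modify_timestamp)
    return "(&(objectclass=%s)%s%s)" % (object_class, user_filter, delta)


def case_mismatches(synced_names, service_names):
    """Hadoop-side names that equal a sync'd name only when case is ignored.
    Ranger matches case-sensitively, so such users get no policies applied."""
    synced = set(synced_names)
    by_lower = {}
    for n in synced:
        by_lower.setdefault(n.lower(), set()).add(n)
    out = []
    for s in service_names:
        if s in synced:
            continue
        hits = by_lower.get(s.lower())
        if hits:
            out.append((s, sorted(hits)))
    return out


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for f in check_scope_and_filter(props):
        print("FINDING:", f)
    fixed = dict(props, SYNC_LDAP_USER_SEARCH_SCOPE="sub", SYNC_LDAP_USER_SEARCH_FILTER="cn=*")
    print("after fix:", check_scope_and_filter(fixed) or "ok")
    print("user search base:", effective_user_search_base(fixed))
    print("filter:", build_user_filter("person", fixed["SYNC_LDAP_USER_SEARCH_FILTER"]))
    # constructed names: LDAP returns 'Arun.Kumar', the Hadoop service uses 'arun.kumar'
    print("case mismatches:", case_mismatches(["Arun.Kumar", "hive"], ["arun.kumar", "hive"]))
```

Run it against your own install.properties by feeding the file's text to parse_properties; the case_mismatches check is meant to take the sync'd names Ranger shows in its Users/Groups tab and the names your Hadoop services present, and anything it reports is a user that will silently fall outside the policies you think cover it.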
