Attempting to set up LDAP/AD users for Ranger (v1.2.0) following the docs
(https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/configuring-ranger-authe-with-unix-ldap-ad/content/configuring_ranger_authentication_with_unix_ldap_or_ad.html)
and this older video (https://www.youtube.com/watch?v=2aZ9GBhCOhA), but
when looking at the Ranger Users tab in the Ranger UI I am seeing only the
original Unix users. In the UI I see...

[image: Capture1.PNG]
[image: Capture2.PNG]
[image: Capture3.PNG]

Looking at the usersync logs, near the tail I see:

....

06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter: (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)), groupMemberAttributeName: cn, groupNameAttribute: UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, groupSearchAttributes: [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; remaining name 'dc=ucera,dc=local'
06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() user count: 0
06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink

....

So it seems like Ranger is trying to use AD, encountering an error, and
falling back to Unix based users.
Did see this article
(https://community.cloudera.com/t5/Community-Articles/Ranger-Ldap-Integration/ta-p/245494),
but already have the cluster nodes linked to AD via SSSD, so would think
the LDAP/AD sync should already be configured on the nodes and that Ranger
should be able to use AD once the configs were entered.
Any idea what is going on here? Any further debugging tips or information
(very unfamiliar with AD/LDAP admin stuff)?

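A small triage script for a usersync excerpt like the one above, added here as an example; it is not part of the original post and not Ranger's own code. It parses the "initialization completed" line into the effective sync config, decodes the AD sub-code carried in the AuthenticationException (error code 49 is LDAP invalidCredentials; the "data 52e" sub-code is Microsoft's AcceptSecurityContext code for invalid credentials, i.e. the password is wrong or the bind DN does not identify a usable account; the other entries in the table are the documented AD sub-codes), flags config points worth checking, and builds the OpenLDAP ldapsearch call that repeats the same bind and user search outside Ranger. The sample log is constructed from the lines above. Two checks rest on assumptions stated in the code: that dc=hadoop,dc=apache,dc=org is the searchBase value Ranger ships as its default, and that a source using sAMAccountName is AD, whose user objects carry a CN= RDN.

```python
"""Triage a Ranger usersync log excerpt for LDAP/AD bind failures (added example)."""
import re
import shlex

# Constructed sample input: the "initialization completed" line and the
# AuthenticationException from the excerpt above, re-joined onto single
# lines and trimmed to the fields this script uses.
SAMPLE_LOG = (
    "06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, "
    "ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , "
    "ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, "
    "userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, "
    "extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), "
    "userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof]\n"
    "06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, "
    "data 52e, v2580]; remaining name 'dc=ucera,dc=local'\n"
)

# AD sub-codes in the "data NNN" field of an AcceptSecurityContext error (LDAP result 49).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN does not identify a usable account)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
RANGER_DEFAULT_SEARCH_BASE = "dc=hadoop,dc=apache,dc=org"  # assumed shipped default
TS_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}")
INIT_RE = re.compile(r"initialization completed with -- (?P<cfg>.*)$")
BIND_ERR_RE = re.compile(r"error code (?P<result>\d+) - [0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, "
                         r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)")
JNDI_SCOPE = {"0": "base", "1": "one", "2": "sub"}  # javax.naming SearchControls scope values

def parse_sync_config(line):
    """Turn 'initialization completed with -- k: v, k: v' into a dict. Split only
    on ', ' that precedes a 'key: ' so DNs and [lists] keep their commas."""
    m = INIT_RE.search(line)
    if not m:
        return {}
    cfg = {}
    for token in re.split(r", (?=\w+: )", m.group("cfg")):
        key, sep, value = token.strip().partition(": ")
        if sep:
            cfg[key] = value.strip()
    return cfg

def classify_bind_error(line):
    """Extract the LDAP result code and AD sub-code from an AuthenticationException line."""
    m = BIND_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {"result": int(m.group("result")), "data": data,
            "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code")}

def ldapsearch_command(cfg):
    """Build the OpenLDAP ldapsearch call that repeats usersync's bind and user
    search with the same DN, base, scope and filter (-W prompts for the password)."""
    base = cfg["userSearchBase"].strip("[]").split(", ")[0]
    attrs = [a for a in cfg.get("userSearchAttributes", "").strip("[]").split(", ") if a]
    argv = ["ldapsearch", "-H", cfg["ldapUrl"], "-x", "-D", cfg["ldapBindDn"], "-W", "-b", base,
            "-s", JNDI_SCOPE.get(cfg.get("userSearchScope", "2"), "sub"), cfg["extendedUserSearchFilter"], *attrs]
    return " ".join(shlex.quote(a) for a in argv)

def diagnose(log_text):
    """Collect the effective config, every bind failure, and config warnings from an excerpt."""
    report = {"config": {}, "bind_failures": [], "warnings": []}
    for line in log_text.splitlines():
        if not report["config"]:
            report["config"] = parse_sync_config(line)
        err = classify_bind_error(line)
        if err:
            ts = TS_RE.match(line)
            err["timestamp"] = ts.group(0) if ts else "?"
            report["bind_failures"].append(err)
    cfg = report["config"]
    if cfg.get("ldapUrl", "").startswith("ldap://") and cfg.get("ldapAuthenticationMechanism") == "simple":
        report["warnings"].append("simple bind over ldap://: the bind password crosses the wire in cleartext; use ldaps:// or StartTLS")
    if cfg.get("searchBase") == RANGER_DEFAULT_SEARCH_BASE and cfg["searchBase"] not in cfg.get("userSearchBase", ""):
        report["warnings"].append(f"searchBase is still the shipped default {cfg['searchBase']} while userSearchBase is {cfg['userSearchBase']}")
    rdn_attr = cfg.get("ldapBindDn", "").partition("=")[0].lower()
    if cfg.get("userNameAttribute", "").lower() == "samaccountname" and rdn_attr and rdn_attr != "cn":
        report["warnings"].append(f"bind DN starts with {rdn_attr.upper()}= but the source looks like AD (assumed), which names user objects with CN=; verify the DN with a known-good client")
    return report

if __name__ == "__main__":
    rep = diagnose(SAMPLE_LOG)
    for f in rep["bind_failures"]:
        print(f"{f['timestamp']}: LDAP result {f['result']}, AD data {f['data']}: {f['meaning']}")
    for w in rep["warnings"]:
        print("warning:", w)
    print("repro:", ldapsearch_command(rep["config"]))
```

Run the printed ldapsearch line from a cluster node with the real bind password; if it also fails with result 49 the problem is the credentials or DN on the AD side, independent of Ranger, and if it succeeds and returns users, the usersync config (password file, DN quoting) is where to look next.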