Hi Reed,

*1. From the log snippet below it looks like it's an authentication issue:*

06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; remaining name 'dc=ucera,dc=local'

*2. From the log it seems there is some config issue as well:*

06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, *searchBase: dc=hadoop,dc=apache,dc=org*, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter: (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)), groupMemberAttributeName: cn, groupNameAttribute: UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, groupSearchAttributes: [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore

*3. Are you able to connect to your AD from some other LDAP client tool like JXplorer?*

On Sat, Dec 7, 2019 at 7:30 AM Reed Villanueva <rvillanu...@ucera.org> wrote:

> Attempting to set LDAP/AD users for Ranger (v1.2.0) following the docs
> (https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/configuring-ranger-authe-with-unix-ldap-ad/content/configuring_ranger_authentication_with_unix_ldap_or_ad.html)
> and this older video (https://www.youtube.com/watch?v=2aZ9GBhCOhA), but
> when looking at the Ranger Users tab in the Ranger UI, seeing only the
> original Unix users. In the UI I see...
>
> [image: Capture1.PNG]
> [image: Capture2.PNG]
> [image: Capture3.PNG]
>
> Looking at the usersync logs, near the tail I see:
>
> ....
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter: (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)), groupMemberAttributeName: cn, groupNameAttribute: UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, groupSearchAttributes: [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
> 06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; remaining name 'dc=ucera,dc=local'
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() user count: 0
> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
> ....
>
> So it seems like Ranger is trying to use AD, encountering an error, and
> falling back to Unix based users.
>
> Did see this article
> (https://community.cloudera.com/t5/Community-Articles/Ranger-Ldap-Integration/ta-p/245494),
> but already have the cluster nodes linked to AD via SSSD, so would think
> the LDAP/AD sync should already be configured on the nodes and that Ranger
> should be able to use AD once the configs were entered.
>
> Any idea what is going on here? Any further debugging tips or information
> (very unfamiliar with AD/LDAP admin stuff)?
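A small triage helper added here, not part of the thread or of Ranger itself: it decodes the Active Directory subcode carried in the "error code 49" line quoted above (data 52e is AD's standard "invalid credentials" subcode) and parses the usersync "initialization completed with --" line to flag any search base whose DC components differ from the bind DN's domain, which is the searchBase mismatch pointed out in item 2. The embedded log lines are shortened copies of the ones quoted in the thread; the subcode table is the standard AD bind-failure list.

```python
import re

# Microsoft AD subcodes that accompany LDAP result code 49 (invalidCredentials).
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials (wrong password or bind DN)",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}
ERR_RE = re.compile(r"LDAP: error code (\d+) - [0-9A-Fa-f]+: LdapErr: .*?data ([0-9A-Fa-f]+),")
CFG_RE = re.compile(r"initialization completed with -- (.*)$")

def decode_bind_error(line):
    """Return (result_code, ad_data, meaning) for an AD bind-failure log line, else None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code, data = m.group(1), m.group(2).lower()
    meaning = AD_DATA_CODES.get(data, "unknown AD subcode") if code == "49" else "not a bind failure"
    return code, data, meaning

def parse_usersync_config(line):
    """Turn the usersync 'initialization completed with -- k: v, k: v ...' line into a dict."""
    m = CFG_RE.search(line)
    if not m:
        return {}
    # DN values contain commas with no following space, so split only on ', key: '.
    fields = re.split(r", (?=[A-Za-z]+: )", m.group(1))
    return {k.strip(): v.strip() for k, v in (f.split(": ", 1) for f in fields)}

def domain_of(dn):
    """Lower-cased DC components of a DN; brackets from list-style values are dropped."""
    parts = [p.strip().lower() for p in dn.strip("[]").split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))

def check_search_bases(cfg):
    """Names of search-base settings whose domain does not match the bind DN's domain."""
    bind_domain = domain_of(cfg.get("ldapBindDn", ""))
    return [k for k in ("searchBase", "userSearchBase", "groupSearchBase")
            if k in cfg and domain_of(cfg[k]) != bind_domain]

# Constructed samples, shortened from the two lines quoted in the thread above.
SAMPLE_ERROR = ("06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder"
                ".getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49"
                " - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580];"
                " remaining name 'dc=ucera,dc=local'")
SAMPLE_CONFIG = ("06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder "
                 "initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,"
                 "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , searchBase: "
                 "dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, "
                 "groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], ldapReferral: ignore")
```

Running `check_search_bases(parse_usersync_config(SAMPLE_CONFIG))` over the quoted line returns only `searchBase`, and `decode_bind_error(SAMPLE_ERROR)` maps 52e to an invalid-credentials bind failure.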