Still monitoring the problem, but appears to have been able to sync AD users after changing the bind user path to:

CN=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local

as opposed to using the "uid" entry key. IDK why this would make a difference, but seems to have worked. Would anyone with more AD experience have an idea why (note that when I look at the attributes for this entry in our AD both the CN and UID attributes are present)?

On Sun, Dec 8, 2019 at 8:02 PM Pradeep Agrawal <pradeep.agra...@freestoneinfotech.com> wrote:
> Hi Reed,
>
> *1. From the below log snippet it looks like it's an authentication issue:*
>
> 06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; remaining name 'dc=ucera,dc=local'
>
> *2. From the log it seems there is some config issue as well:*
>
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, *searchBase: dc=hadoop,dc=apache,dc=org*, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter: (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)), groupMemberAttributeName: cn, groupNameAttribute: UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, groupSearchAttributes: [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
>
> *3. Are you able to connect to your AD from some other LDAP client tool like jxplorer?*
>
> On Sat, Dec 7, 2019 at 7:30 AM Reed Villanueva <rvillanu...@ucera.org> wrote:
>> Attempting to set LDAP/AD users for Ranger (v1.2.0) following the docs (https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/configuring-ranger-authe-with-unix-ldap-ad/content/configuring_ranger_authentication_with_unix_ldap_or_ad.html) and this older video (https://www.youtube.com/watch?v=2aZ9GBhCOhA), but when looking at the Ranger Users tab in the Ranger UI, seeing only the original Unix users. In the UI I see...
>>
>> [image: Capture1.PNG]
>> [image: Capture2.PNG]
>> [image: Capture3.PNG]
>>
>> Looking at the usersync logs, near the tail I see:
>>
>> ....
>> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], userSearchScope: 2, userObjectClass: user, userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), extendedUserSearchFilter: (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter: (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)), groupMemberAttributeName: cn, groupNameAttribute: UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, groupSearchAttributes: [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
>> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
>> 06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; remaining name 'dc=ucera,dc=local'
>> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() user count: 0
>> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
>> ....
>>
>> So it seems like Ranger is trying to use AD, encountering an error, and falling back to Unix-based users.
>>
>> Did see this article (https://community.cloudera.com/t5/Community-Articles/Ranger-Ldap-Integration/ta-p/245494), but already have the cluster nodes linked to AD via SSSD, so would think the LDAP/AD sync should already be configured on the nodes and that Ranger should be able to use AD once the configs were entered.
>>
>> Any idea what is going on here? Any further debugging tips or information (very unfamiliar with AD/LDAP admin stuff)?
>>
>> This electronic message is intended only for the named recipient, and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic mail address noted above, and delete and destroy all copies of this message. Thank you.
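An added example, not code from the Ranger project or from anyone in this thread, that triages the two usersync log lines quoted above offline. It decodes the AD sub-code carried in the "data 52e" field of the LDAP error 49 (Microsoft's documented values: 52e is invalid credentials, 525 is user not found, 775 is locked out, and so on), and it flags the configuration shape behind the CN-vs-UID question: AD builds a user object's DN from its naming attribute, which is CN, so "UID=hwldap,OU=Users,..." names no object even though the entry carries a uid attribute, and a simple bind with it fails with 52e. The same rule is applied to the group DN inside the memberOf= filter (a point the thread does not raise, included here because memberOf values are full group DNs and AD groups are CN-named as well) and to the searchBase/userSearchBase domain mismatch that Pradeep's point 2 highlights. The log text is re-typed as a constructed sample; treating userObjectClass "user" as the signal that the directory is AD is a heuristic of this script, not a Ranger rule.

```python
"""Offline triage of Apache Ranger usersync (LdapUserGroupBuilder) log output.

Added example; not Ranger's own code. Parses the log lines, decodes the AD
bind error and flags DN-valued settings that cannot name an AD object.
"""
import re

# AD sub-codes carried in the "data NNN" field of an LDAP result 49
# (invalid credentials) returned from AcceptSecurityContext.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN names no object)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample: the usersync lines quoted in the thread, unwrapped onto
# single lines (IP address and DNs are the thread's own values).
SAMPLE_LOG = (
    "06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, "
    "ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, "
    "ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, "
    "searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], "
    "userSearchScope: 2, userObjectClass: user, "
    "userSearchFilter: (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local), "
    "userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, memberof], "
    "groupSearchEnabled: false, ldapReferral: ignore\n"
    "06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LDAPUserGroupBuilder.getUsers() failed with exception: "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; "
    "remaining name 'dc=ucera,dc=local'\n"
)

_BIND_ERR = re.compile(r"LDAP: error code (\d+) - 80090308:.*?data ([0-9a-f]+)")
_INIT = re.compile(r"initialization completed with -- (.*)")
# A setting boundary is ", <key>: "; commas inside DNs are never followed by "<word>: ".
_KV = re.compile(r"(?:^|,\s*)(\w+): ")


def parse_bind_error(log_text):
    """Return (ldap_result_code, ad_subcode, meaning) for the first AD bind failure, or None."""
    m = _BIND_ERR.search(log_text)
    if not m:
        return None
    sub = m.group(2)
    return int(m.group(1)), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")


def parse_usersync_config(log_text):
    """Split the 'initialization completed with -- k: v, k: v' line into a dict."""
    m = _INIT.search(log_text)
    if not m:
        return {}
    body = m.group(1)
    keys = list(_KV.finditer(body))
    cfg = {}
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        cfg[km.group(1)] = body[km.end():end].strip().rstrip(",").strip()
    return cfg


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN: 'UID' for 'UID=hwldap,OU=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip()


def domain_suffix(dn):
    """Lower-cased dc= components of a DN (brackets from Ranger's list syntax removed)."""
    parts = [p.strip().lower() for p in dn.strip("[]").split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def find_config_issues(cfg):
    """Flag DN-shaped settings that cannot work against AD. Returns a list of findings."""
    issues = []
    is_ad = cfg.get("userObjectClass", "").lower() == "user"  # heuristic: AD's user class
    bind_dn = cfg.get("ldapBindDn", "")
    if is_ad and bind_dn and rdn_attribute(bind_dn).lower() != "cn":
        issues.append(f"ldapBindDn '{bind_dn}': AD names user objects by CN, so an RDN of "
                      f"'{rdn_attribute(bind_dn)}' refers to no object and the bind fails (52e)")
    # memberOf holds full group DNs, and AD groups are CN-named too.
    for dn in re.findall(r"memberOf=([^)]+)", cfg.get("userSearchFilter", ""), flags=re.IGNORECASE):
        if is_ad and rdn_attribute(dn).lower() != "cn":
            issues.append(f"userSearchFilter: memberOf compares against the group DN; '{dn}' "
                          f"starts with '{rdn_attribute(dn)}=' rather than 'CN=' and matches no user")
    sb, usb = cfg.get("searchBase", ""), cfg.get("userSearchBase", "")
    if sb and usb and domain_suffix(sb) != domain_suffix(usb):
        issues.append(f"searchBase '{sb}' is in a different domain than userSearchBase '{usb}'")
    return issues


def triage(log_text):
    """Combined findings for a usersync log excerpt."""
    findings = []
    err = parse_bind_error(log_text)
    if err:
        findings.append(f"bind failed: LDAP result {err[0]}, AD data {err[1]} = {err[2]}")
    findings.extend(find_config_issues(parse_usersync_config(log_text)))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("-", line)
```

Run against the sample it reports the 52e bind failure plus three configuration findings; with the bind DN and the memberOf group DN rewritten to CN= and searchBase moved into dc=ucera,dc=local, the configuration checks come back empty.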