Hi Reed,

Ranger Usersync has a few properties that need to be configured in order to filter the users to be synced to Ranger.

User Search Base: This property specifies the OU path(s) where the users are located in AD. For your use case it should be "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local". Just an FYI, the Ranger usersync configuration supports specifying multiple OUs (";"-separated) for the user search base.

User Object Class: For your case the value should be "person".

User Search Filter: This property can be used to further filter specific users under the configured user search base. For your use case, since you want to sync all the users under the configured user search base, you can configure the value to be something like "cn=*".
Please also take a look at this article for further explanation of a simple use case: https://community.cloudera.com/t5/Community-Articles/Configuring-Ranger-Usersync-with-AD-LDAP-for-a-common/ta-p/245959

- Sailaja

On Tue, Dec 10, 2019 at 12:04 PM Reed Villanueva <rvillanu...@ucera.org> wrote:
> What is the search filter syntax for "all users under the given OU DN"?
> Looking at the docs here
> (https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
> did not seem to answer this question (though I am totally new to AD, so it may
> be in there in another wording).
>
> The use case is that I have an AD path
> "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local" under which there are
> several person entries (i.e. their attribute objectClass OID is
> "top;person;organizationalPerson;user"). I would like to add them to a
> search filter (for Apache Ranger AD usersync
> <https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/configuring-ranger-authe-with-unix-ldap-ad/content/ranger_ad_integration_ranger_usersync.html>),
> but have only seen examples of filtering for a specified group, i.e.
> "memberOf=".
>
> My current search filter, which does not work and in fact causes errors in
> the usersync logs, looks like:
>
> (|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)("memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local")
> (OU=Users,OU=HortonworksUsers,DC=ucera,DC=local) )
>
> Note the last segment of the filter string.
>
> Can anyone with more AD experience let me know the right way to filter for
> users under some arbitrary OU DN? Is it even possible (or do you have to
> specify each user individually in this case)?
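Added example (editor's own, not code from this thread, from Ranger, or from AD): a small Python model of what the three usersync properties do. It runs an RFC 4515-style filter over a constructed in-memory directory scoped by a search base, so you can see why "all users under an OU" is expressed by the search base plus "(cn=*)", and why a DN pasted into the filter does not select anything. Assumptions: the directory entries are made up; the evaluator only understands &, |, ! and attr=value assertions (no escapes, no >=, <=, ~=); combining the object class and the search filter into one AND, and reading the user name from sAMAccountName, are modelled on how usersync behaves but are not Ranger's code; the original filter is reproduced only to show where its syntax fails.

```python
"""Toy LDAP search-base + filter evaluator (constructed example, not Ranger code)."""
import re

USER_BASE = "OU=Users,OU=HortonworksUsers,DC=ucera,DC=local"
DOMAIN_BASE = "DC=ucera,DC=local"

# Constructed directory (not a dump of a real AD): DN -> attribute values.
PERSON = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = {
    "CN=alice,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local": {
        "objectClass": PERSON, "cn": ["alice"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local"]},
    "CN=bob,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local": {
        "objectClass": PERSON, "cn": ["bob"], "sAMAccountName": ["bob"], "memberOf": []},
    # one level deeper: only found with the default 'sub' scope
    "CN=svc-ranger,OU=Service,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local": {
        "objectClass": PERSON, "cn": ["svc-ranger"], "sAMAccountName": ["svc-ranger"]},
    # not a person: filtered away by the user object class
    "CN=printer-1,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local": {
        "objectClass": ["top", "device"], "cn": ["printer-1"]},
    # outside the OU: filtered away by the search base
    "CN=Administrator,CN=Users,DC=ucera,DC=local": {
        "objectClass": PERSON, "cn": ["Administrator"], "sAMAccountName": ["Administrator"],
        "memberOf": ["CN=Domain Admins,CN=Users,DC=ucera,DC=local"]},
    "CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local": {
        "objectClass": ["top", "group"], "cn": ["admins"]},
}

# The filter from the original question, reproduced for the syntax check only.
REED_FILTER = ('(|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)'
               '("memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local") '
               '(OU=Users,OU=HortonworksUsers,DC=ucera,DC=local) )')


class FilterSyntaxError(ValueError):
    """Filter text is not valid RFC 4515 (for the subset this toy understands)."""


_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.\-]*")   # attribute description: no quotes allowed


def parse_filter(text):
    """Parse (&...), (|...), (!...) and attr=value assertions; raise on anything else."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterSyntaxError(f"trailing data at offset {end}: {text[end:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unexpected end of filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"empty {op!r} list at offset {i}")
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        m = _ATTR.match(s, i)
        if not m:
            raise FilterSyntaxError(f"invalid attribute description at offset {i}: {s[i:i + 12]!r}")
        attr, i = m.group(0), m.end()
        if i >= len(s) or s[i] != "=":
            raise FilterSyntaxError(f"expected '=' after {attr!r} at offset {i}")
        j = i + 1
        while j < len(s) and s[j] not in "()\\":   # value runs to the closing paren
            j += 1
        node, i = ("=", attr, s[i + 1:j]), j
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return node, i + 1


def filter_error(text):
    """Return the syntax error for a filter string, or None if it parses."""
    try:
        parse_filter(text)
        return None
    except FilterSyntaxError as exc:
        return str(exc)


def _matches(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(_matches(c, attrs) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], attrs)
    _, attr, value = node
    # AD attribute names and these string values compare case-insensitively.
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    if "*" not in value:
        return value.lower() in values
    pattern = ".*".join(re.escape(part) for part in value.lower().split("*"))
    return any(re.fullmatch(pattern, v) for v in values)   # "*" alone = presence


def _in_scope(dn, base, scope):
    """'sub' = anywhere below base; 'one' = direct children only (toy: no escaped commas)."""
    dn_l, base_l = dn.lower(), base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    return scope == "sub" or "," not in dn_l[: -len(base_l) - 1]


def ldap_search(base, filter_text, scope="sub"):
    """DNs under `base` (per `scope`) whose attributes satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if _in_scope(dn, base, scope) and _matches(node, attrs))


def find_users(search_base, search_filter, object_class="person", scope="sub"):
    """Model of the usersync query: object class AND search filter, scoped by the base.

    Assumption: the combination below is modelled on usersync behaviour, not Ranger's
    own query builder. A bare 'cn=*' is wrapped in parentheses first.
    """
    if not search_filter.startswith("("):
        search_filter = f"({search_filter})"
    combined = f"(&(objectClass={object_class}){search_filter})"
    names = [n for dn in ldap_search(search_base, combined, scope)
             for n in DIRECTORY[dn].get("sAMAccountName", [])]
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    print("all users under the OU:", find_users(USER_BASE, "cn=*"))
    print("direct children only:  ", find_users(USER_BASE, "cn=*", scope="one"))
    print("members of either group:", find_users(DOMAIN_BASE,
          "(|(memberOf=CN=admins,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)"
          "(memberOf=CN=Domain Admins,CN=Users,DC=ucera,DC=local))"))
    print("original filter:", filter_error(REED_FILTER))
    print("DN used as a filter:", find_users(DOMAIN_BASE, USER_BASE.join(["(", ")"])))
```

Two things the run makes visible. The quoted segment `("memberOf=...")` is what breaks parsing, because a double quote is not a legal start of an attribute description; the last segment `(OU=Users,...)` is syntactically fine but is an equality assertion on an attribute named OU, so it matches nothing. The OU DN belongs in the search base (with the default subtree scope), and the filter then only narrows within it; group-based selection with memberOf still works once the quotes are gone, as the third call shows.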