Thanks for this, very helpful.

"Create a group called R2Users inside that OU. I put all desired sync users
as its members. Also, you can put other groups as its member."
Ended up doing something similar as well.

On Wed, Dec 11, 2019 at 1:24 AM Antunes, Fernando De Souza <
fernando.antu...@arcelormittal.com.br> wrote:

> Reed, some ideas to help you.
>
> I’ve configured ranger using the following approach to control who must be
> synced with AD. Only users belonging to groups inside a specific OU will be
> synced.
>
>    1. I’ve created the OU OU=ArthurAmericasGroups,OU=Security Groups,OU=Groups,OU=SHARED,OU=Brazil,DC=domain,DC=com
>    2. Create a group called R2Users inside that OU. I put all desired
>    sync users as its members. Also, you can put other groups as its member.
>    And, you can create other groups like R2TEAM as well. Remember to update
>    this property ranger.usersync.ldap.user.searchfilter to include more
>    than one.
>    3. I’ve configured ranger to sync groups before users.
>
> Here is the configuration.
>
> COMMON CONFIGS
>
> Label                | Property                              | Value
> LDAP/AD URL          | ranger.usersync.ldap.url              | ldap://myacticedirectoryserver.domain.com:389
> Bind User            | ranger.usersync.ldap.binddn           | CN=LDAP_AD_ACCOUNT,OU=Service Accounts,OU=LCB,OU=Brazil,DC=domain,DC=com
> Bind User Password   | ranger.usersync.ldap.ldapbindpassword | LDAP_AD_ACCOUNT user’s password
> Incremental Sync     | ranger.usersync.ldap.deltasync        | Yes
> Enable LDAP STARTTLS | ranger.usersync.ldap.starttls         | No
>
> GROUP CONFIGS
>
> Label                     | Property                                   | Value
> Enable Group Sync         | ranger.usersync.group.searchenable         | Yes
> Group Member Attribute    | ranger.usersync.group.memberattributename  | member
> Group Name Attribute      | ranger.usersync.group.nameattribute        | Cn
> Group Object Class        | ranger.usersync.group.objectclass          | Group
> Group Search Base         | ranger.usersync.group.searchbase           | OU=ArthurAmericasGroups,OU=Security Groups,OU=Groups,OU=SHARED,OU=Brazil,DC=domain,DC=com
> Group Search Filter       | ranger.usersync.group.searchfilter         | (empty)
> Enable Group Search First | ranger.usersync.group.search.first.enabled | Yes
> Sync Nested Groups        | is_nested_groupsync_enabled                | Yes
> Group Hierarchy Levels    | ranger.usersync.ldap.grouphierarchylevels  | 5
>
> USER CONFIGS
>
> Label                     | Property                                 | Value
> Username Attribute        | ranger.usersync.ldap.user.nameattribute  | sAMAccountName
> User Object Class         | ranger.usersync.ldap.objectclass         | User
> User Search Base          | ranger.usersync.ldap.searchbase          | DC=domain,DC=com
> User Search Filter        | ranger.usersync.ldap.user.searchfilter   | (memberOf=CN=R2Users,OU=ArthurAmericasGroups,OU=Security Groups,OU=Groups,OU=SHARED,OU=Brazil,DC=domain,DC=com)
> User Search Scope         | ranger.usersync.ldap.user.searchscope    | Sub
> User Group Name Attribute | ranger.usersync.ldap.groupnameattribute  | sAMAccountName
> Group User Map Sync       | ranger.usersync.group.usermapsyncenabled | Yes
> Enable User Search        | ranger.usersync.user.searchenabled       | Yes
>
> ADVANCED
>
> Ranger Settings
>
> Label                 | Property | Value
> Authentication method |          | ACTIVE_DIRECTORY
>
> AD Settings
>
> Label                      | Property                     | Value
> AD Bind Password           | ranger.ldap.ad.bind.password | LDAP_AD_ACCOUNT user’s password
> Domain Name (Only for AD)  | ranger.ldap.ad.domain        | DC=domain,DC=com
> AD Base DN                 | ranger.ldap.ad.base.dn       | DC=domain,DC=com
> AD Referral                | ranger.ldap.ad.referral      | Follow
> AD User Search Filter      | ranger.ldap.ad.user.search   | (sAMAccountName={0})
>
> Advanced ranger-ugsync-site
>
> Label                         | Property                      | Value
> ranger.usersync.ldap.referral | ranger.usersync.ldap.referral | Follow
>
> *From: *Reed Villanueva <rvillanu...@ucera.org>
> *Date: *Monday, 9 December 2019 19:53
> *To: *user@ranger.apache.org <user@ranger.apache.org>
> *Subject: *Re: LDAP/AD users not appearing in Ranger
>
>
> Still monitoring the problem, but appears to have been able to sync AD
> users after changing the bind user path to:
>
> CN=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local
>
> as opposed to using the "uid" entry key.
> IDK why this would make a difference, but seems to have worked. Would
> anyone with more AD experience have an idea why (note that when I look at
> the attributes for this entry in our AD both the CN and UID attributes are
> present)?
>
>
>
> On Sun, Dec 8, 2019 at 8:02 PM Pradeep Agrawal <
> pradeep.agra...@freestoneinfotech.com> wrote:
>
> Hi Reed,
>
>
>
> *1. From the below log snippet it looks like it's an authentication issue:*
>
> 06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] -
> LDAPUserGroupBuilder.getUsers() failed with exception:
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e,
> v2580]; remaining name 'dc=ucera,dc=local'
>
>
>
> *2. From the log it seems there is some config issue as well:*
>
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389,
> ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local,
> ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, *searchBase:
> dc=hadoop,dc=apache,dc=org*, userSearchBase: [dc=ucera,dc=local],
> userSearchScope: 2, userObjectClass: user, userSearchFilter:
> (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local),
> extendedUserSearchFilter:
> (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)),
> userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName,
> memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled:
> true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase:
> [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group,
> groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter:
> (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))),
> extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)),
> groupMemberAttributeName: cn, groupNameAttribute:
> UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local,
> groupSearchAttributes:
> [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn],
> groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false,
> userSearchEnabled: false, ldapReferral: ignore
>
>
>
> *3. Are you able to connect to your AD from some other LDAP client tool
> like jxplorer?*
>
> On Sat, Dec 7, 2019 at 7:30 AM Reed Villanueva <rvillanu...@ucera.org>
> wrote:
>
> Attempting to set LDAP/AD users for Ranger (v1.2.0) following the docs (
> https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/configuring-ranger-authe-with-unix-ldap-ad/con...
> ) and this older video (https://www.youtube.com/watch?v=2aZ9GBhCOhA),
> but when looking at the Ranger Users tab in the Ranger UI, seeing only the
> original Unix users. In the UI I see...
>
> Looking at the usersync logs, near the tail I see:
>
>
>
> ....
>
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LdapUserGroupBuilder initialization started
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389,
> ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local,
> ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase:
> dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local],
> userSearchScope: 2, userObjectClass: user, userSearchFilter:
> (memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local),
> extendedUserSearchFilter:
> (&(objectclass=user)(memberOf=UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local)),
> userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName,
> memberof], userGroupNameAttributeSet: [memberof], pagedResultsEnabled:
> true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase:
> [dc=ucera,dc=local], groupSearchScope: 2, groupObjectClass: group,
> groupSearchFilter: (CN=hwusers), extendedGroupSearchFilter:
> (&(objectclass=group)(CN=hwusers)(|(cn={0})(cn={1}))),
> extendedAllGroupsSearchFilter: (&(objectclass=group)(CN=hwusers)),
> groupMemberAttributeName: cn, groupNameAttribute:
> UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local,
> groupSearchAttributes:
> [UID=hwusers,OU=groups,OU=HortonworksUsers,DC=ucera,DC=local, cn],
> groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false,
> userSearchEnabled: false, ldapReferral: ignore
> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - Begin:
> initial load of user/group from source==>sink
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LDAPUserGroupBuilder updateSink started
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> Performing user search first
> 06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] -
> LDAPUserGroupBuilder.getUsers() failed with exception:
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e,
> v2580]; remaining name 'dc=ucera,dc=local'
> 06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LDAPUserGroupBuilder.getUsers() user count: 0
> 06 Dec 2019 14:21:51 INFO UserGroupSync [UnixUserSyncThread] - End:
> initial load of user/group from source==>sink
>
> ....
>
>
>
> So it seems like Ranger is trying to use AD, encountering an error, and
> falling back to Unix based users.
>
>
>
> Did see this article (
> https://community.cloudera.com/t5/Community-Articles/Ranger-Ldap-Integration/ta-p/245494
> ), but already have the cluster nodes linked to AD via SSSD, so would think
> the LDAP/AD sync should already be configured on the nodes and that Ranger
> should be able to use AD once the configs were entered.
>
>
>
> Any idea what is going on here? Any further debugging tips or information
> (very unfamiliar with AD/LDAP admin stuff)?
>
>
> This electronic message is intended only for the named
> recipient, and may contain information that is confidential or
> privileged. If you are not the intended recipient, you are
> hereby notified that any disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If
> you have received this message in error or are not the named
> recipient, please notify us immediately by contacting the
> sender at the electronic mail address noted above, and delete
> and destroy all copies of this message. Thank you.
>
> *DISCLAIMER*
> "This email and its attachments may contain privileged and/or confidential
> information. Use, disclosure, copying or distribution of this message, or
> part thereof, by anyone other than the intended recipient is strictly
> prohibited, and will submit the infractor to the legal sanctions. If you
> have received this email in error, please notify the sender by reply email
> and destroy all copies of this message. Thank you for your cooperation."
>
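The diagnosis the thread converges on, as an added Python example that is not part of the thread and not Ranger code: it parses the usersync "initialization completed" dump and the error-49 line quoted above and flags the three things Pradeep and Reed identified (the searchBase left at dc=hadoop,dc=apache,dc=org, the UID= bind DN, and the "data 52e" sub-code). The two log lines are constructed from the ones quoted above; the AD sub-code table and the check rules are my own assumptions.

```python
import re

# Constructed sample input: the two usersync log lines quoted in the thread, joined back onto one line each.
INIT_LINE = (
    "06 Dec 2019 14:21:51 INFO LdapUserGroupBuilder [UnixUserSyncThread] - "
    "LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.18.4.42:389, "
    "ldapBindDn: UID=hwldap,OU=Users,OU=HortonworksUsers,DC=ucera,DC=local, "
    "ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, "
    "searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [dc=ucera,dc=local], "
    "userSearchAttributes: [sAMAccountName, memberof], ldapReferral: ignore"
)
ERROR_LINE = (
    "06 Dec 2019 14:21:51 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() "
    "failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]"
)
UNCHANGED_SEARCHBASE = "dc=hadoop,dc=apache,dc=org"  # still present in the thread's log; Pradeep flagged it
# AD sub-codes that follow "data" in an error-49 bind failure (assumed lookup table, hex strings).
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def parse_init_line(line):
    """Turn 'initialization completed with -- k: v, k: v, ...' into a dict. Values contain
    commas (DNs, filters, lists), so a field ends only where ', <key>: ' begins."""
    tail = line.split("completed with -- ", 1)[1]
    return {k: v.strip() for k, v in re.findall(r"(\w+): (.*?)(?=\s*,\s*\w+: |$)", tail)}

def decode_bind_error(line):
    """Meaning of the AD 'data NNN' sub-code in an LDAP error-49 line, or None if absent."""
    m = re.search(r"error code 49 .*?\bdata ([0-9a-f]+)", line)
    return AD_BIND_SUBCODES.get(m.group(1), "unknown sub-code " + m.group(1)) if m else None

def check_usersync_config(cfg):
    """Findings a reviewer would raise on the parsed dump; each one came up in the thread."""
    findings = []
    if cfg.get("searchBase", "").lower() == UNCHANGED_SEARCHBASE:
        findings.append("searchBase is still " + UNCHANGED_SEARCHBASE + ", not your own directory")
    rdn_attr = cfg.get("ldapBindDn", "").split("=", 1)[0].upper()
    if rdn_attr != "CN":
        findings.append("bind DN starts with %s=; AD user objects are named CN=<name>, and the "
                        "thread's bind only succeeded after UID= was changed to CN=" % rdn_attr)
    if cfg.get("ldapReferral", "").lower() == "ignore":
        findings.append("ldapReferral is ignore; the working AD setup in the thread uses follow")
    return findings

if __name__ == "__main__":
    print(decode_bind_error(ERROR_LINE), check_usersync_config(parse_init_line(INIT_LINE)))
```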
