Hi,

We use Ranger 1.2 usersync with Active Directory. We are getting a reset connection error. During the trace we observed the following:

- usersync sends the query to AD and receives the results in 1s;
- after that, it starts sending POSTs by user to Ranger;
- it takes more than 15 minutes doing that;
- AD LDAP sends a TCP reset 15min after the last transfer – we think it’s because of the MaxConnIdleTime AD parameter, which is 15min by default;
- usersync outputs:
    ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getUsers() failed with exception: javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]
- users are not updated correctly – it seems that this reset interrupts the sync process between usersync <-> ranger (I see a lot of DELETEs after the reset from usersync->ranger in the trace).

We managed to work around this problem with a “LDAP proxy” that keeps the connection to AD alive.

Is this a bug that was fixed in later releases? Is it normal for usersync to take so much time to send user updates to ranger?

As an aside, we noticed lots of Kerberos port 88 connections. For each user being sent to Ranger, usersync sends it twice: the first time, it does not send the authentication header and access is unauthorized by Ranger; then usersync talks to Kerberos; finally it manages to send user info to Ranger with the authorization header, instead of getting a Kerberos token only the first time. Is this the normal behavior or did we miss something in the configuration?

regards,
--
Felipe