Hi Felipe, In the recent version (ranger-2.4) there are a lot of improvements made on usersync side to optimize the way we retrieve data from AD/LDAP and computing delta as well as ranger admin POST calls. Some of the related jiras are - RANGER-2986 <https://issues.apache.org/jira/browse/RANGER-2986> , RANGER-3659 <https://issues.apache.org/jira/browse/RANGER-3659>, RANGER-3403 <https://issues.apache.org/jira/browse/RANGER-3403> There are also new features added like RANGER-3630 <https://issues.apache.org/jira/browse/RANGER-3630>, RANGER-980 <https://issues.apache.org/jira/browse/RANGER-980>, RANGER-4154 <https://github.com/apache/ranger/commit/8e2d48f3ddcf32596bb55e811e238ce4e795cb6c> For Kerberos connections, there is a related jira that is fixed in ranger-2.1 release RANGER-2680 <https://issues.apache.org/jira/browse/RANGER-2680> Hope this helps.
Thanks, Sailaja. On Fri, Apr 14, 2023 at 3:34 PM Felipe Pereira <felmas...@gmail.com> wrote: > Hi, > > > > We use Ranger 1.2 usersync with Active Directory. We are getting a reset > connection error. During the trace we observed the following: > > > > - usersync sends the query to AD and receive the results in 1s; > - after that, it starts sending POSTs by user to Ranger; > - it takes more than 15 minutes doing that; > - AD LDAP sends a TCP reset 15min after last transfer – we think it’s > because of the MaxConnIdleTime AD parameter, which is 15min by default > - usersync outputs > > ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - > LdapDeltaUserGroupBuilder.getUsers() failed with exception: > javax.naming.CommunicationException: Connection reset [Root exception is > java.net.SocketException: Connection reset] > > - users are not updated correctly – it seems that this reset > interrupts the sync process between usersync <-> ranger (I see a lot > of DELETEs after the reset from usersync->ranger in the trace) > > > > We managed to work around this problem with a “LDAP proxy” that keeps > connection do AD alive. > > > Is this a bug that was fixed in later releases? > > > Is it normal usersync taking so much time to send user updates to ranger? > > > > As an aside, we noticed lots of Kerberos port 88 connections. For each > user being sent to Ranger, usersync sends it twice: the first time, it > does not send authentication header and access is unauthorized by Ranger; > then usersync talks to Kerberos; finally it manages to send user info to > Ranger with authorization header. Instead of getting a Kerberos token only > at the first time. Is this the normal behavior or did we miss something in > the configuration? > > > > regards, > -- > Felipe > > > -- > Felipe >
