Hi Sailaja,

Actually, the groups are not stored in the LDAP I'm querying (or at least I
can't access them), so I'm retrieving the groups using
the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
doesn't seem to work as I expected.
As a matter of fact, I'm successfully retrieving users from the LDAP with a
postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
postOfficeBox does not retrieve the value of the field to create a group.

Let me give you an example to clarify. From the LDAP I'm retrieving the
following user:

sn: DOE
postOfficeBox: 9001928
givenName: JOHN
displayName: DOE JOHN
memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
name: FOO123
mail: john....@blabla.com


The field I'm really interested in for group purposes is postOfficeBox. So
by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
Usersync to create a group named "9001928" and add John Doe to that group,
but it doesn't work. Does Usersync only expect groups with LDAP structure
(like the memberOf line)?
Thanks,


Loïc

On Thu, Mar 21, 2024 at 22:51, Sailaja Polavarapu <spolavar...@cloudera.com>
wrote:

> Hi Loic,
> I see that you have the below config properties for group search. In this
> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org"  search base.
> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
> group is under the configured search base?
> groupSearchEnabled: true,  groupSearchBase: [dc=cmb,dc=blabla,dc=org],
>  groupSearchScope: 2,  groupObjectClass: groupofnames,
> Maybe if you provide usersync logs, that can help to analyze further.
>
> Thanks,
> Sailaja.
>
> On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL <loic.cha...@telecomnancy.net>
> wrote:
>
>> Hi team,
>> Am I the only one experiencing this issue?
>> Thanks,
>>
>> Loïc
>>
>>
>> On Mon, Feb 19, 2024 at 12:38, Loïc CHANEL <loic.cha...@telecomnancy.net>
>> wrote:
>>
>>> Hi guys,
>>>
>>> Since 2.4, LDAP information retrieval to create groups seems broken. My
>>> sync issues are solved for users, but I'm still unable to pull groups from
>>> LDAP. For instance, here is the information in the LDAP from my user:
>>> sn: CHANEL
>>> postOfficeBox: someValue
>>> givenName: LOIC
>>> displayName: CHANEL LOIC
>>> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
>>> name: LCH657
>>> mail: loic.cha...@telecomnancy.net
>>>
>>> Now here is my configuration on Ranger side:
>>>         <property>
>>>                 <name>ranger.usersync.ldap.user.groupnameattribute</name>
>>>                 <value>postOfficeBox,memberOf</value>
>>>         </property>
>>>
>>> And I can even see that the retrieval is going that way:
>>> 9 Feb 2024 12:16:56  INFO o.a.r.l.p.LdapUserGroupBuilder
>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
>>> --  ldapUrl: ldap://cmb.blabla.org:389,  ldapBindDn:
>>> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
>>>  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,
>>>  searchBase: dc=cmb,dc=blabla,dc=org,  userSearchBase:
>>> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org],  userSearchScope: 2,
>>>  userObjectClass: organizationalPerson,  userSearchFilter:
>>> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
>>>  extendedUserSearchFilter: null,  userNameAttribute: name,
>>>  userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
>>> modifytimestamp, objectid, userurincipaluame],  userGroupNameAttributeSet:
>>> [postOfficeBox, memberOf],  otherUserAttributes: [userurincipaluame],
>>>  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled:
>>> true,  groupSearchBase: [dc=cmb,dc=blabla,dc=org],  groupSearchScope: 2,
>>>  groupObjectClass: groupofnames,  groupSearchFilter: ,
>>>  extendedGroupSearchFilter: (&null(|(member={0})(member={1}))),
>>>  extendedAllGroupsSearchFilter: null,  groupMemberAttributeName: member,
>>>  groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
>>> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
>>> userSearchEnabled: true,  ldapReferral: ignore
>>>
>>> But in Ranger, my user is created without any group. What am I missing?
>>> Thanks,
>>>
>>>
>>> Loïc CHANEL
>>> Technical leader Big Data
>>> Capgemini (Lyon, France)
>>>
>>
