Oh ok. In this case can you try setting ranger.usersync.group.searchenabled to false?

On Fri, Mar 22, 2024 at 1:27 AM Loïc CHANEL <[email protected]> wrote:

> Hi Sailaja,
>
> Actually, the groups are not stored in the LDAP I'm querying (or at least
> I can't access them), so I'm retrieving the groups using
> the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
> doesn't seem to work as I expected.
> As a matter of fact, I'm successfully retrieving users from the LDAP with
> a postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
> postOfficeBox does not retrieve the value of the field to create a group.
>
> Let me give you an example to clarify. From the LDAP I'm retrieving the
> following user:
>
> sn: DOE
> postOfficeBox: 9001928
> givenName: JOHN
> displayName: DOE JOHN
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: FOO123
> mail: [email protected]
>
>
> The field I'm really interested in for group purposes is postOfficeBox. So
> by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
> Usersync to create a group named "9001928" and add John Doe to that group,
> but it doesn't work. Does Usersync only expect groups with LDAP structure
> (like the memberOf line)?
> Thanks,
>
>
> Loïc
>
> On Thu, Mar 21, 2024 at 22:51, Sailaja Polavarapu <[email protected]>
> wrote:
>
>> Hi Loic,
>> I see that you have below config properties for group search. In this
>> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
>> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
>> group is under the configured search base?
>> groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
>> groupSearchScope: 2, groupObjectClass: groupofnames,
>> Maybe if you provide usersync logs, that can help to analyze further
>>
>> Thanks,
>> Sailaja.
>>
>> On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL <[email protected]>
>> wrote:
>>
>>> Hi team,
>>> Am I the only one experiencing this issue?
>>> Thanks,
>>>
>>> Loïc
>>>
>>>
>>> On Mon, Feb 19, 2024 at 12:38, Loïc CHANEL <[email protected]>
>>> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> Since 2.4, LDAP information retrieval to create groups seems broken. My
>>>> sync issues are solved for users, but I'm still unable to pull groups from
>>>> LDAP. For instance, here is the information in the LDAP from my user:
>>>> sn: CHANEL
>>>> postOfficeBox: someValue
>>>> givenName: LOIC
>>>> displayName: CHANEL LOIC
>>>> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
>>>> name: LCH657
>>>> mail: [email protected]
>>>>
>>>> Now here is my configuration on Ranger side:
>>>> <property>
>>>>
>>>> <name>ranger.usersync.ldap.user.groupnameattribute</name>
>>>> <value>postOfficeBox,memberOf</value>
>>>> </property>
>>>>
>>>> And I can even see that the retrieval is going that way:
>>>> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
>>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
>>>> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
>>>> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
>>>> ldapBindPassword: ***** , ldapAuthenticationMechanism: simple,
>>>> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
>>>> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
>>>> userObjectClass: organizationalPerson, userSearchFilter:
>>>> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
>>>> extendedUserSearchFilter: null, userNameAttribute: name,
>>>> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
>>>> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
>>>> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
>>>> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
>>>> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
>>>> groupObjectClass: groupofnames, groupSearchFilter: ,
>>>> extendedGroupSearchFilter: (&null(|(member={0})(member={1}))),
>>>> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
>>>> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
>>>> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
>>>> userSearchEnabled: true, ldapReferral: ignore
>>>>
>>>> But in Ranger, my user is created without any group. What am I missing?
>>>> Thanks,
>>>>
>>>>
>>>> Loïc CHANEL
>>>> Technical leader Big Data
>>>> Capgemini (Lyon, France)
>>>>
>>>
