ranger.ldap.user.dnpattern currently takes only one pattern, which seems to
be a bug, because the underlying Spring Security LDAP library API supports an
array of patterns. For now, can you try filtering based on any other
attributes? For example, the config below filters the users from group1 & group2:

ranger.ldap.group.searchbase=OU=groups,DC=rangerdev,DC=apache,DC=COM
ranger.ldap.group.searchfilter=cn*
ranger.ldap.group.roleattribute=cn
ranger.ldap.user.searchfilter=(&(objectclass=user)(memberOf=CN=group1,OU=groups,DC=rangerdev,DC=apache,DC=COM)(memberOf=CN=group2,OU=groups,DC=rangerdev,DC=apache,DC=COM)(samaccountname={0}))
ranger.ldap.user.dnpattern=dc=example,dc=com
ranger.ldap.base.dn=cn=users,DC=rangerdev,DC=apache,DC=COM

For LDAP authentication, when the DN is not provided correctly, we search
the users with the user search filter and retrieve the DN of the user.
After that we search the groups based on group search base, group search
filter, and the role attribute and try to match the retrieved DN of the
user in the list of retrieved group attributes. Hope this helps.

For the user DN pattern config to take multiple values, please file an Apache
JIRA so that it can be fixed in later versions.

- Sailaja.
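
The two resolution paths described above (bind by dnpattern, otherwise locate the user by search filter and then match the user's DN against the groups' role attribute), as an added Python example that is not Ranger's or Spring Security's code. The group entries and usernames are constructed, and the escaping helpers are stand-ins added here to show why a search filter cannot be pasted into a DN pattern and why the {0} value must be escaped before it fills a filter.

```python
from typing import List

# RFC 4515: characters that must be escaped inside a search-filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it replaces {0} in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value before it replaces {0} in a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in ',+"\\<>;=' or leading_hash or edge_space else ch)
    return "".join(out)


def candidate_dns(dn_patterns: List[str], username: str) -> List[str]:
    """Expand every dnpattern into a DN to bind as. Spring Security accepts an
    array of patterns; Ranger's ranger.ldap.user.dnpattern currently passes one.
    A pattern containing filter syntax is rejected up front: that is the
    'Failed to parse DN ... Encountered: "("' error quoted in the thread."""
    dns = []
    for pattern in dn_patterns:
        if "(" in pattern or ")" in pattern:
            raise ValueError(f"dnpattern is a search filter, not a DN: {pattern!r}")
        dns.append(pattern.replace("{0}", escape_dn_value(username)))
    return dns


def build_search_filter(template: str, username: str) -> str:
    """Fallback path: no pattern matched, so the user is located by search."""
    return template.replace("{0}", escape_filter_value(username))


def roles_for_user(user_dn: str, groups: List[dict], role_attribute: str) -> List[str]:
    """Match the resolved user DN against each group's member list (constructed
    entries stand in for the group search) and return each hit's role attribute."""
    return [str(g[role_attribute]) for g in groups
            if user_dn.lower() in [m.lower() for m in g.get("member", [])]]
```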

On Thu, Apr 18, 2024 at 9:25 AM j km <[email protected]> wrote:

> This is really old, but this is what I found.
>
> "ranger.usersync.ldap.user.searchfilter":
> "(|(samaaccountname=)(memberof=CN=)(...))
>
> On Thu, Apr 18, 2024 at 10:54 AM Loïc CHANEL <[email protected]>
> wrote:
>
>> That's what I was hoping indeed, but unfortunately:
>>
>> 2024-04-18 14:39:39,400 [http-nio-6080-exec-7] DEBUG
>> [RangerAuthenticationProvider.java:291] LDAP Authentication Failed:
>> org.springframework.security.authentication.InternalAuthenticationServiceException:
>> Failed to parse DN; nested exception is
>> org.springframework.ldap.core.TokenMgrError: Lexical error at line 1,
>> column 10.  Encountered: "(" (40), after : ""
>>
>> I tried to escape the character with a backslash but got the exact same
>> result. Any other ideas?
>> Best regards,
>>
>>
>> Loïc CHANEL
>> Technical leader Big Data
>> Capgemini (Lyon, France)
>>
>>
>> On Thu, 18 Apr 2024 at 16:24, j km <[email protected]> wrote:
>>
>>> I think it is just an or
>>> & (&(filter1) (filter2)) AND — all conditions must be met
>>> | (|(filter1) (filter2)) OR — any number of conditions can be met
>>> ! (!(filter1)) NOT — the condition must not be met
>>>
>>> On Thu, Apr 18, 2024 at 10:06 AM Loïc CHANEL <
>>> [email protected]> wrote:
>>>
>>>> Just a follow-up question though: is there a way to define several
>>>> dnpattern values? Because the users are located in two different sections of
>>>> my LDAP, so I have the following patterns:
>>>> CN={0},OU=External,OU=Users,DC=cmb,DC=blabla,DC=org and
>>>> CN={0},OU=Internal,OU=Users,DC=cmb,DC=blabla,DC=org and I want LDAP
>>>> authentication to work for both.
>>>> Best regards,
>>>>
>>>>
>>>> Loïc CHANEL
>>>> Technical leader Big Data
>>>> Capgemini (Lyon, France)
>>>>
>>>>
>>>> On Thu, 18 Apr 2024 at 13:39, Loïc CHANEL <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Vipin,
>>>>>
>>>>> Already did this but didn't see the file name as I was expecting them
>>>>> to be before the properties but not after.
>>>>> By finding the loaded file in the logs I've been able to troubleshoot
>>>>> my issue.
>>>>> Thanks a lot for your help,
>>>>>
>>>>>
>>>>> Loïc CHANEL
>>>>> Technical leader Big Data
>>>>> Capgemini (Lyon, France)
>>>>>
>>>>>
>>>>> On Thu, 18 Apr 2024 at 13:11, Vipin Rathor <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Loïc,
>>>>>> If you turn on log4j debug for Apache Ranger, then the debug log will
>>>>>> tell you where the configurations are being loaded from.
>>>>>>
>>>>>> Also, please check if you aren’t making changes in a different copy
>>>>>> of the actual config file (most probably you might have checked but
>>>>>> wouldn’t hurt to double check).
>>>>>>
>>>>>> Regards,
>>>>>> VR
>>>>>>
>>>>>> On Apr 18, 2024, at 14:43, Loïc CHANEL <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>> Hi everyone,
>>>>>>
>>>>>> I'm trying to configure the LDAP authentication for UI access, so I
>>>>>> edited the properties in the ranger-admin-site.xml file and restarted,
>>>>>> but I saw in the logs that the properties I edited are not applied. For
>>>>>> instance, the property ranger.ldap.url has the value
>>>>>> ldap://cmb.mydomain.org:389 in the XML file, but when Ranger starts I can
>>>>>> see in the logs that the default value ( ldap:// ) is loaded by
>>>>>> Ranger instead of what I defined.
>>>>>> Is there something I'm missing? How can I see where the values are
>>>>>> loaded from?
>>>>>> Thanks for your help,
>>>>>>
>>>>>>
>>>>>> Loïc CHANEL
>>>>>> Technical leader Big Data
>>>>>> Capgemini (Lyon, France)
>>>>>>
>>>>>>
