Hi, Loïc
Rangerusersync is NOT a UNIX ID. It is in ranger admin (created by setup.sh)
and we requested a login for active directory LDAP searches and also called
this rangerusersync just to keep the purpose simple.
Currently: I trashed the entire install of ranger and its components, and
dropped the database to start afresh.
Here is my dilemma: BEFORE I modified usersync install.properties I manually
changed the rangerusersync password from the admin UI. Inside
install.properties for usersync I added a password for rangerusersync and saw
[I] Successfully updated password of rangerusersync user
I would hope that, given the password is the same as the manually entered one,
this is the same rangerusersync ID. Because the timestamp in x_portal_user
for rangerusersync showed an older time from when it was manually set, not set
by install. There is only one place for users in the database, yes?
(x_portal_user).
The positive here anyway is that now, when I check the logs, I see
13 Jun 2024 11:19:47 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder
[UnixUserSyncThread] - valid cookie saved
13 Jun 2024 11:19:47 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder
[UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildGroupList(): No. of
groups retrieved from ranger admin 1
13 Jun 2024 11:19:47 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder
[UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildUserList(): No. of users
retrieved from ranger admin = 6
However, I have no LDAP users or groups, only those from ranger UI which, I
assume, are the 1 and 6 shown above. If I run the ldapsearch command from the Linux
command line, I use ldaps://ldapserver.eset.corp with success, but every article
referencing ldaps shows ldaps://ldapserver.eset.corp:636.
From the log, does this appear correct? I am only after two groups: SG-Admins
and SG-Operations. Every reference I look at is using Ambari/CDH/CDP/HDP which
makes things simpler but doesn’t help with a manual install.
13 Jun 2024 11:19:47 INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread]
- LdapUserGroupBuilder initialization completed with -- ldapUrl:
ldaps://ldapserver.eset.corp:636, ldapBindDn:
CN=SVC.SK.rangerusersync,OU=Service,OU=SK,OU=ESET,DC=eset,DC=corp,
ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase:
dc=eset,dc=corp, userSearchBase: [dc=eset,dc=corp], userSearchScope: 2,
userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: null,
userNameAttribute: cn, userSearchAttributes: [uSNChanged, cn, memberof,
ismemberof, modifytimestamp, objectid, userurincipaluame],
userGroupNameAttributeSet: [memberof, ismemberof], otherUserAttributes:
[userurincipaluame], pagedResultsEnabled: true, pagedResultsSize: 500,
groupSearchEnabled: true, groupSearchBase: [OU=Organizational
Groups,OU=Groups,OU=Bratislava,OU=SK,OU=ESET,DC=eset,DC=corp],
groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter:
(|(sAMAccountName="SG-Admins")(sAMAccountName="SG-Operations")),
extendedGroupSearchFilter: (&null(|(member={0})(member={1}))),
extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
userSearchEnabled: true, ldapReferral: ignore
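One way to sanity-check the settings printed in that initialization line (an added example, not from the thread or from Ranger itself): split the key: value pairs and lint each filter against RFC 4515, where assertion values are unquoted, so a double quote inside (sAMAccountName="SG-Admins") is compared as a literal character. The sample line is a constructed, trimmed copy of the one above with a placeholder host and bind DN.

```python
import re

# Constructed sample: trimmed copy of the LdapUserGroupBuilder line quoted in the thread,
# with a placeholder host and bind DN.
SAMPLE_LOG = (
    "LdapUserGroupBuilder initialization completed with -- "
    "ldapUrl: ldaps://ldap.example.corp:636, "
    "ldapBindDn: CN=svc-usersync,OU=Service,DC=example,DC=corp, "
    "ldapBindPassword: ***** , groupObjectClass: groupofnames, "
    'groupSearchFilter: (|(sAMAccountName="SG-Admins")(sAMAccountName="SG-Operations")), '
    "extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), "
    "groupMemberAttributeName: member"
)

# 'key: value' pairs; a value runs until the next ', key: ' so DNs (no space after
# the comma) and bracketed attribute lists stay intact.
KV_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")


def parse_init_line(line: str) -> dict:
    """Return the settings after '-- ' as a dict of stripped strings."""
    tail = line.split("-- ", 1)[1]
    return {k: v.strip() for k, v in KV_RE.findall(tail)}


def lint_filter(flt: str) -> list:
    """Return findings for one search filter, checked against RFC 4515 syntax."""
    findings = []
    if flt.count("(") != flt.count(")"):
        findings.append("unbalanced parentheses")
    # RFC 4515 values are not quoted: (attr="x") only matches a value containing the quotes.
    for attr, val in re.findall(r'\((\w+)="([^"]*)"\)', flt):
        findings.append(f'{attr}={val} is quoted; the server compares the literal "{val}"')
    if re.search(r"\(\W*null", flt):  # a bare 'null' token is not filter syntax
        findings.append("contains the bare token 'null', which is not valid filter syntax")
    return findings


def lint_config(cfg: dict) -> dict:
    """Lint every *Filter setting; also cross-check the group class for AD-style filters."""
    report = {k: lint_filter(v) for k, v in cfg.items()
              if k.endswith("Filter") and v not in ("", "null")}
    # sAMAccountName is an Active Directory attribute; AD group objects use objectClass 'group'.
    if ("sAMAccountName" in cfg.get("groupSearchFilter", "")
            and cfg.get("groupObjectClass", "").lower() != "group"):
        report.setdefault("groupObjectClass", []).append(
            "filter uses sAMAccountName (Active Directory) but groupObjectClass is not 'group'")
    return report


if __name__ == "__main__":
    for key, found in lint_config(parse_init_line(SAMPLE_LOG)).items():
        for finding in found:
            print(f"{key}: {finding}")
```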
From: Loïc CHANEL <[email protected]>
Sent: Tuesday, June 11, 2024 2:41 PM
To: [email protected]
Subject: Re: No usersync
Hi Marc,
If the rangerusersync Unix user exists, then you may want to modify the unix_user
and unix_group in install.properties to adapt to your case.
Now for Kerberos, this applies only if you are in a kerberised environment.
Otherwise you leave this blank.
Best regards,
Loïc
On Tue, 11 Jun 2024 at 14:28, Marc Hoppins <[email protected]> wrote:
Hi all,
Sorry to appear dumb, but I am still trying to get this working.
Why does install.properties have:
#User and group for the usersync process
unix_user=ranger
unix_group=ranger
If the rangerusersync ID exists?
#change password of rangerusersync user. Please note that this password should
be as per rangerusersync user in ranger
rangerUsersync_password=
and KERBEROS
#Set to run in kerberos environment
usersync_principal=
usersync_keytab=
hadoop_conf=/etc/hadoop/conf
What does HADOOP Kerberos have to do with LDAP – our LDAP is active directory.
Marc Hoppins