Hi Lune,

Few answers inline…

From: Don Bosco Durai <bo...@apache.org>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Monday, March 21, 2016 at 9:38 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Some information or examples for ranger.ldap.referral ?

I will let Sailaja explain the technical details. But at the high level, it is primarily a feature of AD https://technet.microsoft.com/en-us/library/cc978014.aspx. Generally, the IT person managing the AD will be the right person to answer what setting is needed at your deployment.

Thanks

Bosco

From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Monday, March 21, 2016 at 5:35 AM
To: <user@ranger.incubator.apache.org>
Subject: Some information or examples for ranger.ldap.referral ?

Hello!

I am sending you this mail because I have some difficulty understanding the property "ranger.ldap.referral" in the ranger-site.xml.

The documentation I found on the HW website says the following:

###
There are three possible values for ranger.ldap.referral: follow, throw, and ignore. The recommended setting is follow.

When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

* When this property is set to follow, the LDAP service provider processes all of the normal entries first, and then follows the continuation references.
* When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.
* When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search.
###

I'm not really sure I understand, even with this description, what the property does exactly.

Q1 - What is a continuation reference?
[Sailaja]: Specific to LDAP search result. It means the contacted server doesn’t contain information about the requested entry but contains a reference to another server or domain controller. If the client wishes to progress, it must follow the referral by contacting the other server or domain controller.

Q2 - Concerning the throw value, I don't understand the description. Because:
- On one hand, it says "When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown"
- On the other hand, it says "By contrast, a "referral" error response is processed immediately when this property is set to follow or throw."
So when I put the value "throw" for this property, when does it raise an error?
[Sailaja]: In general continuation references are mixed with search results in the LDAP search response. When the “Referral” property is set to “follow” or “throw”, then only the error responses are processed immediately. Otherwise, the error response is processed only after processing all the normal entries.

Q3 - What is a referral entry?
[Sailaja]: Very similar to continuation reference. It is a special type of LDAP result message (for any LDAP operation like add, modify, delete, or search).

Q4 - When is this property used by ranger?
[Sailaja]: Ranger UserSync sets the “Referral” property (defaults to “follow”) and sends it as part of the LDAP search request for syncing users & groups from LDAP or AD server.

Best regards.

Lune.
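
What the "throw" setting looks like from the client side, as an added example that is not part of the thread and not Ranger's own code: a plain JNDI search that sets java.naming.referral (Context.REFERRAL), enumerates the normal entries, then handles the ReferralException. The server URL, base DN, filter and TRUSTED_HOSTS list are placeholder assumptions, and it is assumed that ranger.ldap.referral is passed through to this JNDI property; it needs a reachable LDAP server to run.

```java
import java.net.URI;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class ReferralThrowDemo {
    // Placeholders (assumptions): point these at your own directory.
    static final String URL = "ldap://dc1.example.com:389";
    static final String BASE = "dc=example,dc=com";
    static final Set<String> TRUSTED_HOSTS = Set.of("dc1.example.com", "dc2.example.com");
    // True only if the referral URL names a host we are willing to contact.
    static boolean trusted(Object referralInfo) {
        try {
            String host = URI.create(String.valueOf(referralInfo)).getHost();
            return host != null && TRUSTED_HOSTS.contains(host.toLowerCase());
        } catch (IllegalArgumentException e) {
            return false; // unparseable referral URL: do not follow
        }
    }
    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.REFERRAL, "throw"); // other values: "follow", "ignore"
        DirContext ctx = new InitialDirContext(env); // anonymous bind, for brevity
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        for (boolean more = true; more; ) {
            try {
                NamingEnumeration<SearchResult> res = ctx.search(BASE, "(objectClass=person)", sc);
                while (res.hasMore()) // normal entries are enumerated first
                    System.out.println("entry: " + res.next().getNameInNamespace());
                more = false; // enumeration ended without a referral
            } catch (ReferralException e) {
                Object target = e.getReferralInfo();
                if (!trusted(target))
                    throw new NamingException("Refusing referral to " + target);
                // Referral context reuses this environment (credentials included).
                ctx = (DirContext) e.getReferralContext(); // re-run the same search there
            }
        }
    }
}
```

With "follow" the provider makes the same hop on its own, so the calling code never sees the referral target before the connection is made.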