This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Page tree
Skip to end of metadata
Go to start of metadata

 

WARNING : That documentation was written for an old version of Ranger. Some of the options changed in the latest versions of Ranger (for e.g. Anonymous bind isn't supported anymore).

As you may want to create policies using the user groups defined in a LDAP, you have to synchronize Ranger to your LDAP. This will be done using UserSync, a component of Ranger designed to synchronize users from Unix or from LDAP.

To configure it to use LDAP, go to Ambari web application and in Ranger tab, go to Advanced usersync-properties and use the following configuration :

 

 CRED_KEYSTORE_FILENAME : $JAVA_HOME/lib/security/cacerts                      ## be careful that your LDAP certificate is trusted by Java
 MIN_UNIX_USER_ID_TO_SYNC : 0                                                  ## unlike Unix, you may want to synchronize all existing users
 SYNC_INTERVAL : 5                                                             ## synchronizing users every 5 minutes seems to be a good value
 SYNC_LDAP_BIND_DN : cn=toto,ou=Users,ou=People,dc=Hadoop,dc=mutu,dc=Apache    ## if you use an anonymous bind, this value is required, but will be ignored
 SYNC_LDAP_BIND_PASSWORD : totopassword                                        ## if you use an anonymous bind, this value is required, but will be ignored. Though, it will not be encrypted
 SYNC_LDAP_URL : ldap://My_LDAP_host
 SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE : memberOf
 SYNC_LDAP_USER_NAME_ATTRIBUTE : cn
 SYNC_LDAP_USER_OBJECT_CLASS : person
 SYNC_LDAP_USER_SEARCH_BASE : ou=People,dc=Hadoop,dc=mutu,dc=Apache
 SYNC_LDAP_USER_SEARCH_FILTER : -
 SYNC_LDAP_USER_SEARCH_SCOPE : sub
 SYNC_LDAP_USERNAME_CASE_CONVERSION : lower
 SYNC_SOURCE : ldap
 

Then, if you want to use an anonymous bind, you have to add a line to a Ranger configuration file, authorizing the component to use anonymous authentication while connecting to the LDAP.

 echo "ldapGroupSync.ldapAuthenticationMechanism=none" >> /etc/ranger/usersync/conf/unixauthservice.properties

Finally, restart Ranger. After rebooting, Ranger should synchronize with the LDAP. Keep in mind that this operation might take some time. For example, for about 5000 users the first synchronization takes a dozen minutes.

  • No labels