Ranger 0.7 managed with Ambari
WARNING: this documentation was written for an old version of Ranger. Some of the options have changed in the latest versions of Ranger (e.g. anonymous bind is no longer supported).
As you may want to create policies using the user groups defined in an LDAP, you have to synchronize Ranger with your LDAP. This is done with UserSync, a component of Ranger designed to synchronize users from Unix or from LDAP.
To configure it to use LDAP, open the Ambari web application, go to the Ranger tab, then to Advanced usersync-properties, and use the following configuration:
CRED_KEYSTORE_FILENAME : $JAVA_HOME/lib/security/cacerts ## be careful that your LDAP certificate is trusted by Java
MIN_UNIX_USER_ID_TO_SYNC : 0 ## unlike Unix, you may want to synchronize all existing users
SYNC_INTERVAL : 5 ## synchronizing users every 5 minutes seems to be a good value
SYNC_LDAP_BIND_DN : cn=toto,ou=Users,ou=People,dc=Hadoop,dc=mutu,dc=Apache ## if you use an anonymous bind, this value is required, but will be ignored
SYNC_LDAP_BIND_PASSWORD : totopassword ## if you use an anonymous bind, this value is required, but will be ignored. Note that it is stored unencrypted
SYNC_LDAP_URL : ldap://My_LDAP_host
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE : memberOf
SYNC_LDAP_USER_NAME_ATTRIBUTE : cn
SYNC_LDAP_USER_OBJECT_CLASS : person
SYNC_LDAP_USER_SEARCH_BASE : ou=People,dc=Hadoop,dc=mutu,dc=Apache
SYNC_LDAP_USER_SEARCH_FILTER : -
SYNC_LDAP_USER_SEARCH_SCOPE : sub
SYNC_LDAP_USERNAME_CASE_CONVERSION : lower
SYNC_SOURCE : ldap
...
Finally, restart Ranger. After the restart, Ranger should synchronize with the LDAP. Keep in mind that this operation might take some time: for about 5000 users, the first synchronization takes a dozen minutes.
Ranger 2.4 managed manually
As with the Ambari-managed setup, creating policies based on the user groups defined in an LDAP requires synchronizing Ranger with that LDAP through UserSync, the Ranger component that synchronizes users from Unix or from LDAP.
To configure it to use LDAP, open your install.properties file and use the following configuration:
SYNC_SOURCE = ldap
SYNC_INTERVAL = 5 ## defaults to 5 if SYNC_SOURCE is unix and to 360 if SYNC_SOURCE is ldap
SYNC_LDAP_URL = ldap://<your_ldap_url>:389
SYNC_LDAP_BIND_DN = CN=itsme,ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org ## the user who will retrieve data from the LDAP. If you're using anonymous bind, you must set a value but it will be ignored by the LDAP
SYNC_LDAP_BIND_PASSWORD = ## do not put anything here if you want your bind to be anonymous
SYNC_LDAP_SEARCH_BASE = dc=orga,dc=blabla,dc=org ## root from where the users and groups will be retrieved
SYNC_LDAP_USER_SEARCH_BASE = ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org ## root from where the users will be retrieved
SYNC_LDAP_USER_SEARCH_SCOPE = sub
SYNC_LDAP_USER_OBJECT_CLASS = organizationalPerson ## type of entity that characterises a person in the LDAP
SYNC_LDAP_USER_SEARCH_FILTER = (memberOf=CN=usr_outil_prd,OU=Outils,OU=Groupes,DC=blabla,DC=org) ## subfilter for the users to be retrieved
SYNC_LDAP_USER_NAME_ATTRIBUTE = name ## attribute that will be pulled as username
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox ## attribute(s) that will be used to create and sync the groups
Then, before running the setup via the setup.sh script, you must edit the setup.py file and replace lines 241 & 242 with the following, so that a blank value is accepted only for the LDAP bind password (as needed for an anonymous bind):
# Reject a blank value for every property except the LDAP bind password,
# which may legitimately be empty when SYNC_LDAP_BIND_PASSWORD is left blank.
if userType != 'ranger.usersync.ldap.ldapbindpassword':
    print("[E] Blank password is not allowed for property " + userType + ", please enter valid password.")
    sys.exit(1)
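Before running setup.sh, it is worth checking the install.properties values the way a reviewer would. The script below is an added example, not Ranger's own code: it parses KEY = value lines like those above (with `##` comments) and flags an anonymous bind (blank password), a plaintext ldap:// URL, a user search base outside SYNC_LDAP_SEARCH_BASE, and an unbalanced search filter. The properties text and the host ldap.example.org are constructed sample input.

```python
# Added example, not Ranger's own code: review a UserSync install.properties
# before setup.sh. Parses KEY = value lines (with ## comments) and reports
# settings a reviewer would question. SAMPLE_PROPERTIES is constructed input.
SAMPLE_PROPERTIES = """\
SYNC_LDAP_URL = ldap://ldap.example.org:389
SYNC_LDAP_BIND_DN = CN=itsme,ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org
SYNC_LDAP_BIND_PASSWORD =   ## blank on purpose: anonymous bind
SYNC_LDAP_SEARCH_BASE = dc=orga,dc=blabla,dc=org
SYNC_LDAP_USER_SEARCH_BASE = ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org
SYNC_LDAP_USER_SEARCH_FILTER = (memberOf=CN=usr_outil_prd,OU=Outils,OU=Groupes,DC=blabla,DC=org)
SYNC_LDAP_USER_NAME_ATTRIBUTE = name
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox
"""

def parse_properties(text):
    """Return {KEY: value}; a blank value (anonymous bind) is kept as ''."""
    props = {}
    for line in text.splitlines():
        line = line.split("##", 1)[0].strip()  # drop trailing ## comments
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def dn_is_under(child, parent):
    """True if DN child lies in the subtree rooted at DN parent (case-insensitive)."""
    norm = lambda dn: [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]
    c, p = norm(child), norm(parent)
    return bool(p) and len(c) >= len(p) and c[-len(p):] == p

def check_usersync(props):
    """Return the list of findings; an empty list means nothing to question."""
    findings = []
    if props.get("SYNC_LDAP_BIND_PASSWORD", "") == "":
        findings.append("anonymous bind: SYNC_LDAP_BIND_PASSWORD is blank")
    if props.get("SYNC_LDAP_URL", "").lower().startswith("ldap://"):
        findings.append("plaintext ldap:// URL: bind credentials and sync data are unencrypted")
    if not dn_is_under(props.get("SYNC_LDAP_USER_SEARCH_BASE", ""),
                       props.get("SYNC_LDAP_SEARCH_BASE", "")):
        findings.append("SYNC_LDAP_USER_SEARCH_BASE is outside SYNC_LDAP_SEARCH_BASE")
    filt = props.get("SYNC_LDAP_USER_SEARCH_FILTER", "")
    if filt.count("(") != filt.count(")"):
        findings.append("SYNC_LDAP_USER_SEARCH_FILTER has unbalanced parentheses")
    return findings

if __name__ == "__main__":
    for finding in check_usersync(parse_properties(SAMPLE_PROPERTIES)):
        print("[W]", finding)
```

Run it against your own file by replacing SAMPLE_PROPERTIES with the contents of install.properties; two warnings are expected for the sample above, none once the bind uses a password over ldaps://.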