Just want to add a few more points inline...

>> - what additional attributes are pulled

Currently we pull the following attributes as part of the LDAP search:

For Users: username (like uid, samaccountname, etc.) and user group member attribute (memberof, ismemberof, etc.)
For Groups: group member attribute (member, memberuid, etc.) and group name attribute (cn, samaccountname, etc.)

All these are configurable properties in usersync.

Thanks,
Sailaja.

On 2/10/17, 9:26 AM, "Nigel Jones" <[email protected]> wrote:

> On 10/02/2017 17:07, Don Bosco Durai wrote:
>
>> 1. Ranger should have an option just to sync Group (without users). We should be already supporting it or there was an intention to support. If we are not doing it for any reason, I am a strong +1 for doing it.
>
> I'll experiment with this - only working off the docs so far, trying it out is next :-)

[Sailaja]: Currently we support syncing groups that don't contain any users. But if the group contains users (as part of the member attribute), we still sync those users. Of course, you can tweak the user search configuration in order to not sync users by providing an invalid/non-matching user search filter. This is kind of a dirty workaround. Same is the case with syncing just users and not groups. I agree that it will be better if we can support syncing just users or just groups for flexibility.

>> 2. Direct LDAP would have been ideal, but we were worried about the load we might put on LDAP for real-time queries. Just FYI, Ranger uses LDAP/AD for authentication and easy selection of users/groups during policy create. For authentication, it is already real-time (even though I would have preferred to get the roles also in real-time).
>
> A fair concern, though at least it's only at connect time. The enterprise I spoke to didn't seem to think it was a concern. I'll start with option #1 though

[Sailaja]: The other main reason that we are syncing users/groups from LDAP upfront is to make these available for configuring policies in Ranger.

>> If you have a very high number of users/groups, then the short-term recommendation is to apply LDAP filters and limit syncing users only to those using Hadoop.
>
> This will be extending outside Hadoop - I'm trying to determine how to constrain the LDAP query to the users using the relevant systems. I can potentially obtain a list of groups from elsewhere via a new usersync process, and then go back into LDAP to query membership, which would look the same to Ranger, just modify that sync.
>
> Thanks for the info!
>
> Nigel.
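An added example, not code from this thread or from Ranger itself, showing the two steps discussed above: building a user search filter restricted to members of chosen groups (so only users of the relevant systems are synced, with assertion values escaped per RFC 4515 so a group DN containing special characters cannot change the filter's structure), and resolving membership from group entries via the group member attribute. Attribute names (memberOf, member), DNs and the sample entries are constructed assumptions.

```python
"""Constrain usersync to members of selected groups.

Constructed illustration for this thread, not Ranger's own code. Attribute
names, DNs and sample entries are assumptions."""
from typing import Dict, Iterable, List, Mapping

# RFC 4515: characters that are special inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter_for_groups(group_dns: Iterable[str],
                           object_class: str = "person",
                           member_attr: str = "memberOf") -> str:
    """Return a user search filter that matches only members of the groups.

    Meant for the usersync user search filter, so that only users of the
    relevant groups are pulled in rather than the whole directory."""
    clauses = [f"({member_attr}={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass={escape_filter_value(object_class)}){membership})"


def group_members(groups: Mapping[str, Mapping[str, List[str]]],
                  wanted: Iterable[str],
                  member_attr: str = "member") -> Dict[str, List[str]]:
    """Resolve members of the wanted groups from group entries.

    `groups` maps group DN -> attributes, as a directory search would return
    them; this mirrors the "groups first, then membership" approach above."""
    wanted_set = set(wanted)
    return {dn: sorted(attrs.get(member_attr, []))
            for dn, attrs in groups.items() if dn in wanted_set}


# Constructed sample directory data (not from a real directory).
PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE_GROUPS = {
    "cn=hadoop-admins,ou=groups,dc=example,dc=com": {"member": [f"uid=alice,{PEOPLE}"]},
    "cn=hadoop-users,ou=groups,dc=example,dc=com": {"member": [f"uid=bob,{PEOPLE}", f"uid=alice,{PEOPLE}"]},
    "cn=finance,ou=groups,dc=example,dc=com": {"member": [f"uid=carol,{PEOPLE}"]},
}

if __name__ == "__main__":
    wanted = [dn for dn in SAMPLE_GROUPS if "hadoop" in dn]
    print(user_filter_for_groups(wanted))
    print(group_members(SAMPLE_GROUPS, wanted))
```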
