Sailaja Polavarapu created RANGER-3630:
------------------------------------------

             Summary: Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter
                 Key: RANGER-3630
                 URL: https://issues.apache.org/jira/browse/RANGER-3630
             Project: Ranger
          Issue Type: New Feature
          Components: Ranger, usersync
            Reporter: Sailaja Polavarapu


Ranger Usersync provides multiple configuration properties to sync users and groups from AD/LDAP. One of the key configuration properties is the user search filter (ranger.usersync.ldap.user.searchfilter). Currently, the value of the user search filter must be a valid LDAP search filter and is used by Ranger Usersync "as is" to limit the number of users synced from AD/LDAP.

Example values include:
 # samaccountname=*
 ** Syncs all users from a given user search base
 # (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))
 ** Syncs users that are members of the finance, eng_dev, and eng_testing groups

According to [Microsoft documentation|https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx], the wildcard character * is not allowed when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If users need to be synced from multiple Active Directory groups with memberOf filters, this value quickly becomes a long string of OR-concatenated group DNs. A single misplaced character in this cryptic string results in all users failing to sync.
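To illustrate the kind of computation this feature asks for, here is an added example (not Ranger usersync code) that builds the memberof OR filter from group short names or full DNs. It assumes a group search base (constructed here as "ou=Hadoop Groups,dc=apache,dc=org"), treats any name containing "=" as an already-complete DN, rejects wildcards in DN attribute values, and escapes the remaining filter values per RFC 4515; all function names are hypothetical.

```python
"""Build a ranger.usersync.ldap.user.searchfilter value from group names.

Added example, not Ranger usersync code. Group search base and the
"short name vs. DN" heuristic are assumptions made for this illustration.
"""

# RFC 4515 escapes for characters that are special inside an LDAP filter
# value. '*' is deliberately absent: a wildcard is not valid in a DN
# attribute value such as memberof, so it is rejected instead of escaped.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_dn(name: str, group_base: str) -> str:
    """Expand a short group name to a DN under group_base (assumption:
    a value that already contains '=' is a full DN and is used as given)."""
    if "=" in name:
        return name
    return f"CN={name},{group_base}"


def build_user_search_filter(groups, group_base: str) -> str:
    """Return a user search filter matching users that are memberof any
    of the given groups: (|(memberof=DN1)(memberof=DN2)...)."""
    if not groups:
        raise ValueError("at least one group is required")
    clauses = []
    for g in groups:
        dn = group_dn(g, group_base)
        if "*" in dn:
            # Per the AD filter syntax rules, '*' is not allowed on DN attributes.
            raise ValueError(f"wildcard not allowed in DN attribute value: {dn!r}")
        clauses.append(f"(memberof={escape_filter_value(dn)})")
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def check_balanced(filter_str: str) -> bool:
    """Cheap sanity check that a hand-typed filter with a misplaced
    parenthesis (the failure mode described above) would not pass."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```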
