Re: Groups not retrieved
And now it works perfectly. Thanks!
I'm curious about that option: could you provide more details? Why does it trigger the usage of the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter to do exactly what I was trying to achieve? And what was the previous behaviour?

Thanks a lot for your help,

Loïc

On Fri, Mar 22, 2024 at 15:34, Sailaja Polavarapu wrote:
> Oh ok. In this case can you try setting
> ranger.usersync.group.searchenabled to false?
Re: Groups not retrieved
Oh ok. In this case can you try setting ranger.usersync.group.searchenabled to false?

On Fri, Mar 22, 2024 at 1:27 AM Loïc CHANEL wrote:
> Hi Sailaja,
>
> Actually, the groups are not stored in the LDAP I'm querying (or at least
> I can't access them), so I'm retrieving the groups using
> the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
> doesn't seem to work as I expected.
> As a matter of fact, I'm successfully retrieving users from the LDAP with
> a postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
> postOfficeBox does not retrieve the value of the field to create a group.
>
> Let me give you an example to clarify. From the LDAP I'm retrieving the
> following user:
>
> sn: DOE
> postOfficeBox: 9001928
> givenName: JOHN
> displayName: DOE JOHN
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: FOO123
> mail: john@blabla.com
>
> The field I'm really interested in for group purposes is postOfficeBox. So
> by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
> Usersync to create a group named "9001928" and add John Doe to that group,
> but it doesn't work. Does Usersync only expect groups with LDAP structure
> (like the memberOf line)?
> Thanks,
>
> Loïc
Re: Groups not retrieved
Hi Sailaja,

Actually, the groups are not stored in the LDAP I'm querying (or at least I can't access them), so I'm retrieving the groups using the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but doesn't seem to work as I expected.
As a matter of fact, I'm successfully retrieving users from the LDAP with a postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox does not retrieve the value of the field to create a group.

Let me give you an example to clarify. From the LDAP I'm retrieving the following user:

sn: DOE
postOfficeBox: 9001928
givenName: JOHN
displayName: DOE JOHN
memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
name: FOO123
mail: john@blabla.com

The field I'm really interested in for group purposes is postOfficeBox. So by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect Usersync to create a group named "9001928" and add John Doe to that group, but it doesn't work. Does Usersync only expect groups with LDAP structure (like the memberOf line)?
Thanks,

Loïc

On Thu, Mar 21, 2024 at 22:51, Sailaja Polavarapu wrote:
> Hi Loic,
> I see that you have below config properties for group search. In this
> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
> group is under the configured search base?
> groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
> groupSearchScope: 2, groupObjectClass: groupofnames,
> Maybe if you provide usersync logs, that can help to analyze further.
>
> Thanks,
> Sailaja.
Re: Groups not retrieved
Hi Loic,
I see that you have below config properties for group search. In this case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org" group is under the configured search base?
groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2, groupObjectClass: groupofnames,
Maybe if you provide usersync logs, that can help to analyze further.

Thanks,
Sailaja.

On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL wrote:
> Hi team,
> Am I the only one experiencing this issue?
> Thanks,
>
> Loïc
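The check asked for in the message above (is the memberOf group under the configured group search base?), as an added example that is not part of the thread or of Ranger's code: it reads groupSearchEnabled, groupSearchBase and userGroupNameAttributeSet from the start-up log line and compares DNs component by component. The log excerpt and the group DN are copied from the thread; the function names and the ", " list separator are assumptions.

```python
import re

# Excerpt of the LdapUserGroupBuilder start-up line quoted in the thread
# (unrelated fields left out).
INIT_LINE = (
    "LdapUserGroupBuilder initialization completed with -- "
    "searchBase: dc=cmb,dc=blabla,dc=org, "
    "userGroupNameAttributeSet: [postOfficeBox, memberOf], "
    "groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], "
    "groupSearchScope: 2, groupObjectClass: groupofnames"
)
# memberOf value from the user entry quoted in the thread.
GROUP_DN = "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"


def bracket_list(line, key):
    """Return the items of 'key: [a, b]' (assumed separator: comma + space)."""
    m = re.search(r"\b" + re.escape(key) + r":\s*\[([^\]]*)\]", line)
    if not m or not m.group(1).strip():
        return []
    return [item.strip() for item in m.group(1).split(", ")]


def parse_init_line(line):
    """Extract the group-related settings from the start-up log line."""
    enabled = re.search(r"\bgroupSearchEnabled:\s*(true|false)", line)
    return {
        "group_search_enabled": bool(enabled) and enabled.group(1) == "true",
        "group_search_bases": bracket_list(line, "groupSearchBase"),
        "user_group_attrs": bracket_list(line, "userGroupNameAttributeSet"),
    }


def split_dn(dn):
    """Split a DN into lower-cased (type, value) RDNs; '\\,' is not a separator."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True when every RDN of base is the trailing part of dn."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def check_group(line, group_dn):
    """Report whether a group search would have group_dn in scope."""
    cfg = parse_init_line(line)
    in_base = any(is_under(group_dn, b) for b in cfg["group_search_bases"])
    return {"group_search_enabled": cfg["group_search_enabled"],
            "in_search_base": in_base}


if __name__ == "__main__":
    print(parse_init_line(INIT_LINE))
    print(check_group(INIT_LINE, GROUP_DN))
```

For the values in the thread it reports in_search_base as False: the group DN ends in DC=blabla,DC=org, without the dc=cmb component of the search base.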
Re: Groups not retrieved
Hi team,
Am I the only one experiencing this issue?
Thanks,

Loïc

On Mon, Feb 19, 2024 at 12:38, Loïc CHANEL wrote:
> Hi guys,
>
> Since 2.4, LDAP information retrieval to create groups seems broken. My
> sync issues are solved for users, but I'm still unable to pull groups from
> LDAP. For instance, here is the information in the LDAP from my user:
> sn: CHANEL
> postOfficeBox: someValue
> givenName: LOIC
> displayName: CHANEL LOIC
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: LCH657
> mail: loic.cha...@telecomnancy.net
>
> Now here is my configuration on Ranger side:
>
> ranger.usersync.ldap.user.groupnameattribute
> postOfficeBox,memberOf
>
> And I can even see that the retrieval is going that way:
> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
> ldapBindPassword: * , ldapAuthenticationMechanism: simple,
> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
> userObjectClass: organizationalPerson, userSearchFilter:
> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
> extendedUserSearchFilter: null, userNameAttribute: name,
> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
> groupObjectClass: groupofnames, groupSearchFilter: ,
> extendedGroupSearchFilter: ((|(member={0})(member={1}))),
> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
> userSearchEnabled: true, ldapReferral: ignore
>
> But in Ranger, my user is created without any group. What am I missing?
> Thanks,
>
> Loïc CHANEL
> Technical leader Big Data
> Capgemini (Lyon, France)
RE: Groups
Hi Ramesh,

Thank you for your response. Are you talking about the Audit Tab?

From: Ramesh Mani [mailto:rm...@apache.org]
Sent: Tuesday, November 21, 2023 17:48
To: user@ranger.apache.org
Subject: Re: Groups

Ranger provides a feature called "User Access Report" in ranger UI where you can find the policies in which the user / group / role is present.
Hope this helps.

Thanks
Ramesh

Post-scriptum La Poste
This message is confidential. Subject to any agreement concluded in writing between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised in advance. If you are not the intended recipient of this message, please notify the sender immediately.
Re: Groups
Ranger provides a feature called "User Access Report" in ranger UI where you can find the policies in which the user / group / role is present.
Hope this helps.

Thanks
Ramesh

On Tue, Nov 21, 2023 at 8:28 AM DE ROCHAMBEAU Philippe [EXT] <philippe.de-rochambeau-prestata...@laposte.fr> wrote:
> Hello,
>
> Assuming a user U belongs to IDM groups A, B, C.
>
> Is there a way in Ranger to determine which directories he can access,
> based on his groups?
>
> Many thanks.
>
> Best regards,
>
> Philippe