Re: Groups not retrieved
And now it works perfectly. Thanks !
I'm curious about that option : could you provide more details ? Why does
it trigger the usage of SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter to do
exactly what I was trying to achieve ? And what was the previous behaviour ?
Thanks a lot for your help,
Loïc
Le ven. 22 mars 2024 à 15:34, Sailaja Polavarapu
a écrit :
> Oh ok. In this case can you try setting
> ranger.usersync.group.searchenabled to false?
>
> On Fri, Mar 22, 2024 at 1:27 AM Loïc CHANEL
> wrote:
>
>> Hi Sailaja,
>>
>> Actually, the groups are not stored in the LDAP I'm querying (or at least
>> I can't access them), so I'm retrieving the groups using
>> the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
>> doesn't seem to work as I expected.
>> As a matter of fact, I'm successfully retrieving users from the LDAP with
>> a postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
>> postOfficeBox does not retrieve the value of the field to create a group.
>>
>> Let me give you an example to clarify. From the LDAP I'm retrieving the
>> following user :
>>
>> sn: DOE
>> postOfficeBox: 9001928
>> givenName: JOHN
>> displayName: DOE JOHN
>> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
>> name: FOO123
>> mail: john@blabla.com
>>
>>
>> The field I'm really interested in for group purposes is postOfficeBox.
>> So by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
>> Usersync to create a group named "9001928" and add John Doe to that group,
>> but it doesn't work. Does Usersync only expect groups with LDAP structure
>> (like the memberOf line) ?
>> Thanks,
>>
>>
>> Loïc
>>
>> Le jeu. 21 mars 2024 à 22:51, Sailaja Polavarapu <
>> spolavar...@cloudera.com> a écrit :
>>
>>> Hi Loic,
>>> I see that you have below config properties for group search. In this
>>> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
>>> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
>>> group is under the configured search base?
>>> groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
>>> groupSearchScope: 2, groupObjectClass: groupofnames,
>>> May be if you provide usersync logs, that can help to analyze further
>>>
>>> Thanks,
>>> Sailaja.
>>>
>>> On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL <
>>> loic.cha...@telecomnancy.net> wrote:
>>>
Hi team,
Am I the only one experiencing this issue ?
Thanks,
Loïc
Le lun. 19 févr. 2024 à 12:38, Loïc CHANEL <
loic.cha...@telecomnancy.net> a écrit :
> Hi guys,
>
> Since 2.4, LDAP information retrieval to create groups seems broken.
> My sync issues are solved for users, but I'm still unable to pull groups
> from LDAP. For instance, here are the information in the LDAP from my
> user :
> sn: CHANEL
> postOfficeBox: someValue
> givenName: LOIC
> displayName: CHANEL LOIC
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: LCH657
> mail: loic.cha...@telecomnancy.net
>
> Now here is my configuration on Ranger side :
>
>
> ranger.usersync.ldap.user.groupnameattribute
> postOfficeBox,memberOf
>
>
> And I can even see that the retrieval is going that way :
> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
> ldapBindPassword: * , ldapAuthenticationMechanism: simple,
> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
> userObjectClass: organizationalPerson, userSearchFilter:
> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
> extendedUserSearchFilter: null, userNameAttribute: name,
> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
> groupObjectClass: groupofnames, groupSearchFilter: ,
> extendedGroupSearchFilter: ((|(member={0})(member={1}))),
> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
> userSearchEnabled: true, ldapReferral: ignore
>
> But in Ranger, my user is created without any group. What am I missing
> ?
> Thanks,
>
>
> Loïc CHANEL
> Technical leader Big Data
Re: Groups not retrieved
Oh ok. In this case can you try setting ranger.usersync.group.searchenabled
to false?
On Fri, Mar 22, 2024 at 1:27 AM Loïc CHANEL
wrote:
> Hi Sailaja,
>
> Actually, the groups are not stored in the LDAP I'm querying (or at least
> I can't access them), so I'm retrieving the groups using
> the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
> doesn't seem to work as I expected.
> As a matter of fact, I'm successfully retrieving users from the LDAP with
> a postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
> postOfficeBox does not retrieve the value of the field to create a group.
>
> Let me give you an example to clarify. From the LDAP I'm retrieving the
> following user :
>
> sn: DOE
> postOfficeBox: 9001928
> givenName: JOHN
> displayName: DOE JOHN
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: FOO123
> mail: john@blabla.com
>
>
> The field I'm really interested in for group purposes is postOfficeBox. So
> by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
> Usersync to create a group named "9001928" and add John Doe to that group,
> but it doesn't work. Does Usersync only expect groups with LDAP structure
> (like the memberOf line) ?
> Thanks,
>
>
> Loïc
>
> Le jeu. 21 mars 2024 à 22:51, Sailaja Polavarapu
> a écrit :
>
>> Hi Loic,
>> I see that you have below config properties for group search. In this
>> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
>> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
>> group is under the configured search base?
>> groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
>> groupSearchScope: 2, groupObjectClass: groupofnames,
>> May be if you provide usersync logs, that can help to analyze further
>>
>> Thanks,
>> Sailaja.
>>
>> On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL
>> wrote:
>>
>>> Hi team,
>>> Am I the only one experiencing this issue ?
>>> Thanks,
>>>
>>> Loïc
>>>
>>>
>>> Le lun. 19 févr. 2024 à 12:38, Loïc CHANEL
>>> a écrit :
>>>
Hi guys,
Since 2.4, LDAP information retrieval to create groups seems broken. My
sync issues are solved for users, but I'm still unable to pull groups from
LDAP. For instance, here are the information in the LDAP from my user :
sn: CHANEL
postOfficeBox: someValue
givenName: LOIC
displayName: CHANEL LOIC
memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
name: LCH657
mail: loic.cha...@telecomnancy.net
Now here is my configuration on Ranger side :
ranger.usersync.ldap.user.groupnameattribute
postOfficeBox,memberOf
And I can even see that the retrieval is going that way :
9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
[UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
-- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
ldapBindPassword: * , ldapAuthenticationMechanism: simple,
searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
[ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
userObjectClass: organizationalPerson, userSearchFilter:
(memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
extendedUserSearchFilter: null, userNameAttribute: name,
userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
[postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
groupObjectClass: groupofnames, groupSearchFilter: ,
extendedGroupSearchFilter: ((|(member={0})(member={1}))),
extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
userSearchEnabled: true, ldapReferral: ignore
But in Ranger, my user is created without any group. What am I missing ?
Thanks,
Loïc CHANEL
Technical leader Big Data
Capgemini (Lyon, France)
>>>
Re: Groups not retrieved
Hi Sailaja,
Actually, the groups are not stored in the LDAP I'm querying (or at least I
can't access them), so I'm retrieving the groups using
the SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE parameter, which I configured but
doesn't seem to work as I expected.
As a matter of fact, I'm successfully retrieving users from the LDAP with a
postOfficeBox field, but setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE =
postOfficeBox does not retrieve the value of the field to create a group.
Let me give you an example to clarify. From the LDAP I'm retrieving the
following user :
sn: DOE
postOfficeBox: 9001928
givenName: JOHN
displayName: DOE JOHN
memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
name: FOO123
mail: john@blabla.com
The field I'm really interested in for group purposes is postOfficeBox. So
by setting SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox I expect
Usersync to create a group named "9001928" and add John Doe to that group,
but it doesn't work. Does Usersync only expect groups with LDAP structure
(like the memberOf line) ?
Thanks,
Loïc
Le jeu. 21 mars 2024 à 22:51, Sailaja Polavarapu
a écrit :
> Hi Loic,
> I see that you have below config properties for group search. In this
> case the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base.
> Can you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org"
> group is under the configured search base?
> groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
> groupSearchScope: 2, groupObjectClass: groupofnames,
> May be if you provide usersync logs, that can help to analyze further
>
> Thanks,
> Sailaja.
>
> On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL
> wrote:
>
>> Hi team,
>> Am I the only one experiencing this issue ?
>> Thanks,
>>
>> Loïc
>>
>>
>> Le lun. 19 févr. 2024 à 12:38, Loïc CHANEL
>> a écrit :
>>
>>> Hi guys,
>>>
>>> Since 2.4, LDAP information retrieval to create groups seems broken. My
>>> sync issues are solved for users, but I'm still unable to pull groups from
>>> LDAP. For instance, here are the information in the LDAP from my user :
>>> sn: CHANEL
>>> postOfficeBox: someValue
>>> givenName: LOIC
>>> displayName: CHANEL LOIC
>>> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
>>> name: LCH657
>>> mail: loic.cha...@telecomnancy.net
>>>
>>> Now here is my configuration on Ranger side :
>>>
>>> ranger.usersync.ldap.user.groupnameattribute
>>> postOfficeBox,memberOf
>>>
>>>
>>> And I can even see that the retrieval is going that way :
>>> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
>>> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
>>> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
>>> ldapBindPassword: * , ldapAuthenticationMechanism: simple,
>>> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
>>> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
>>> userObjectClass: organizationalPerson, userSearchFilter:
>>> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
>>> extendedUserSearchFilter: null, userNameAttribute: name,
>>> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
>>> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
>>> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
>>> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
>>> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
>>> groupObjectClass: groupofnames, groupSearchFilter: ,
>>> extendedGroupSearchFilter: ((|(member={0})(member={1}))),
>>> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
>>> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
>>> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
>>> userSearchEnabled: true, ldapReferral: ignore
>>>
>>> But in Ranger, my user is created without any group. What am I missing ?
>>> Thanks,
>>>
>>>
>>> Loïc CHANEL
>>> Technical leader Big Data
>>> Capgemini (Lyon, France)
>>>
>>
Re: Groups not retrieved
Hi Loic,
I see that you have below config properties for group search. In this case
the groups are retrieved from "dc=cmb,dc=blabla,dc=org" search base. Can
you check if "CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org" group is
under the configured search base?
groupSearchEnabled: true, groupSearchBase: [dc=cmb,dc=blabla,dc=org],
groupSearchScope: 2, groupObjectClass: groupofnames,
May be if you provide usersync logs, that can help to analyze further
Thanks,
Sailaja.
On Thu, Mar 21, 2024 at 8:00 AM Loïc CHANEL
wrote:
> Hi team,
> Am I the only one experiencing this issue ?
> Thanks,
>
> Loïc
>
>
> Le lun. 19 févr. 2024 à 12:38, Loïc CHANEL
> a écrit :
>
>> Hi guys,
>>
>> Since 2.4, LDAP information retrieval to create groups seems broken. My
>> sync issues are solved for users, but I'm still unable to pull groups from
>> LDAP. For instance, here are the information in the LDAP from my user :
>> sn: CHANEL
>> postOfficeBox: someValue
>> givenName: LOIC
>> displayName: CHANEL LOIC
>> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
>> name: LCH657
>> mail: loic.cha...@telecomnancy.net
>>
>> Now here is my configuration on Ranger side :
>>
>> ranger.usersync.ldap.user.groupnameattribute
>> postOfficeBox,memberOf
>>
>>
>> And I can even see that the retrieval is going that way :
>> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
>> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
>> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
>> ldapBindPassword: * , ldapAuthenticationMechanism: simple,
>> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
>> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
>> userObjectClass: organizationalPerson, userSearchFilter:
>> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
>> extendedUserSearchFilter: null, userNameAttribute: name,
>> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
>> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
>> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
>> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
>> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
>> groupObjectClass: groupofnames, groupSearchFilter: ,
>> extendedGroupSearchFilter: ((|(member={0})(member={1}))),
>> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
>> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
>> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
>> userSearchEnabled: true, ldapReferral: ignore
>>
>> But in Ranger, my user is created without any group. What am I missing ?
>> Thanks,
>>
>>
>> Loïc CHANEL
>> Technical leader Big Data
>> Capgemini (Lyon, France)
>>
>
Re: Groups not retrieved
Hi team,
Am I the only one experiencing this issue ?
Thanks,
Loïc
Le lun. 19 févr. 2024 à 12:38, Loïc CHANEL a
écrit :
> Hi guys,
>
> Since 2.4, LDAP information retrieval to create groups seems broken. My
> sync issues are solved for users, but I'm still unable to pull groups from
> LDAP. For instance, here are the information in the LDAP from my user :
> sn: CHANEL
> postOfficeBox: someValue
> givenName: LOIC
> displayName: CHANEL LOIC
> memberOf: CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org
> name: LCH657
> mail: loic.cha...@telecomnancy.net
>
> Now here is my configuration on Ranger side :
>
> ranger.usersync.ldap.user.groupnameattribute
> postOfficeBox,memberOf
>
>
> And I can even see that the retrieval is going that way :
> 9 Feb 2024 12:16:56 INFO o.a.r.l.p.LdapUserGroupBuilder
> [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with
> -- ldapUrl: ldap://cmb.blabla.org:389, ldapBindDn:
> CN=LCH657,ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org,
> ldapBindPassword: * , ldapAuthenticationMechanism: simple,
> searchBase: dc=cmb,dc=blabla,dc=org, userSearchBase:
> [ou=COCM,ou=utilisateurs,dc=cmb,dc=blabla,dc=org], userSearchScope: 2,
> userObjectClass: organizationalPerson, userSearchFilter:
> (memberOf=CN=usr_tool_prd,OU=Tool,OU=Groupes,DC=blabla,DC=org),
> extendedUserSearchFilter: null, userNameAttribute: name,
> userSearchAttributes: [postOfficeBox, uSNChanged, name, memberOf,
> modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet:
> [postOfficeBox, memberOf], otherUserAttributes: [userurincipaluame],
> pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled:
> true, groupSearchBase: [dc=cmb,dc=blabla,dc=org], groupSearchScope: 2,
> groupObjectClass: groupofnames, groupSearchFilter: ,
> extendedGroupSearchFilter: ((|(member={0})(member={1}))),
> extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member,
> groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname,
> member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true,
> userSearchEnabled: true, ldapReferral: ignore
>
> But in Ranger, my user is created without any group. What am I missing ?
> Thanks,
>
>
> Loïc CHANEL
> Technical leader Big Data
> Capgemini (Lyon, France)
>
RE: Groups
Hi Ramesh, Thank you for your response. Are you talking about the Audit Tab ? De : Ramesh Mani [mailto:rm...@apache.org] Envoyé : mardi 21 novembre 2023 17:48 À : user@ranger.apache.org Objet : Re: Groups Ranger provides a feature called "User Access Report" in ranger UI where you can find the policies in which the user / group / role is present. Hope this helps. Thanks Ramesh On Tue, Nov 21, 2023 at 8:28 AM DE ROCHAMBEAU Philippe [EXT] mailto:philippe.de-rochambeau-prestata...@laposte.fr>> wrote: Hello, Assuming a user U belongs to IDM groups A, B, C. Is there a way in Ranger to determine which directories he can access, based on his groups ? Many thanks. Best regards, Philippe Post-scriptum La Poste Ce message est confidentiel. Sous reserve de tout accord conclu par ecrit entre vous et La Poste, son contenu ne represente en aucun cas un engagement de la part de La Poste. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee prealablement. Si vous n'etes pas destinataire de ce message, merci d'en avertir immediatement l'expediteur. Post-scriptum La Poste Ce message est confidentiel. Sous reserve de tout accord conclu par ecrit entre vous et La Poste, son contenu ne represente en aucun cas un engagement de la part de La Poste. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee prealablement. Si vous n'etes pas destinataire de ce message, merci d'en avertir immediatement l'expediteur.
Re: Groups
Ranger provides a feature called "User Access Report" in ranger UI where you can find the policies in which the user / group / role is present. Hope this helps. Thanks Ramesh On Tue, Nov 21, 2023 at 8:28 AM DE ROCHAMBEAU Philippe [EXT] < philippe.de-rochambeau-prestata...@laposte.fr> wrote: > Hello, > > Assuming a user U belongs to IDM groups A, B, C. > > Is there a way in Ranger to determine which directories he can access, > based on his groups ? > > Many thanks. > > Best regards, > > Philippe > > > > > Post-scriptum La Poste > > Ce message est confidentiel. Sous reserve de tout accord conclu par > ecrit entre vous et La Poste, son contenu ne represente en aucun cas un > engagement de la part de La Poste. Toute publication, utilisation ou > diffusion, meme partielle, doit etre autorisee prealablement. Si vous > n'etes pas destinataire de ce message, merci d'en avertir immediatement > l'expediteur. >
