Hi Lian Jiang, I see that the “groupMemberAttributeName” or (ranger.usersync.group.memberattributename) is configured as “member”. Can you please verify in your ldap if the members of the groups are configured with “member” attribute or “memberUid” attribute?
Thanks,
Sailaja.

From: Lian Jiang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, July 10, 2018 at 6:29 PM
To: "[email protected]" <[email protected]>
Subject: LDAP groups are not synced in ranger

Hi,

My ranger syncs LDAP users but does not sync LDAP groups. Below is the log:

11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://something.oraclevcn.com:389, ldapBindDn: cn=ldapadm,dc=ocidw,dc=prod2, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=ocidw,dc=prod2, userSearchBase: [ou=people,dc=ocidw,dc=prod2], userSearchScope: 2, userObjectClass: account, userSearchFilter: (cn=*), extendedUserSearchFilter: (&(objectclass=account)(cn=*)), userNameAttribute: uid, userSearchAttributes: [uid], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [dc=ocidw,dc=prod2], groupSearchScope: 2, groupObjectClass: posixGroup, groupSearchFilter: (objectClass=posixGroup), extendedGroupSearchFilter: (&(objectclass=posixGroup)(objectClass=posixGroup)(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(objectClass=posixGroup)), groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [member, cn], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
11 Jul 2018 01:10:04 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: admin, groupList: []
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: amb_ranger_admin, groupList: []
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 3, userName: guest, groupList: []
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 4, userName: guest2, groupList: []
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() completed with user count: 4
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - groupSearch is enabled, would search for groups and compute memberships
11 Jul 2018 01:10:04 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getGroups() completed with group count: 0
11 Jul 2018 01:10:04 INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
11 Jul 2018 01:10:04 INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

Below is ambari blueprint settings:

"ranger-ugsync-site": {
  "properties": {
    "ranger.usersync.group.memberattributename": "member",
    "ranger.usersync.group.nameattribute": "cn",
    "ranger.usersync.group.objectclass": "posixGroup",
    "ranger.usersync.group.searchbase": "dc=ocidw,dc=%ENV%",
    "ranger.usersync.group.searchenabled": "true",
    "ranger.usersync.group.searchfilter": "(objectClass=posixGroup)",
    "ranger.usersync.group.searchscope": "sub",
    "ranger.usersync.group.usermapsyncenabled": "true",
    "ranger.usersync.ldap.bindalias": "ranger.usersync.ldap.bindalias",
    "ranger.usersync.ldap.binddn": "cn=ldapadm,dc=ocidw,dc=%ENV%",
    "ranger.usersync.ldap.bindkeystore": "/usr/hdp/current/ranger-usersync/conf/ugsync.jceks",
    "ranger.usersync.ldap.groupname.caseconversion": "none",
    "ranger.usersync.ldap.ldapbindpassword": "%SERVICE_PASSWORD%",
    "ranger.usersync.ldap.referral": "ignore",
    "ranger.usersync.ldap.searchBase": "dc=ocidw,dc=%ENV%",
    "ranger.usersync.ldap.url": "ldap://%ENV%-ambariserver.%SUBNET%.%VCN%.oraclevcn.com:389",
    "ranger.usersync.ldap.username.caseconversion": "none",
    "ranger.usersync.ldap.user.searchscope": "sub",
    "ranger.usersync.ldap.user.searchbase": "ou=people,dc=ocidw,dc=%ENV%",
    "ranger.usersync.ldap.user.searchfilter": "(cn=*)",
    "ranger.usersync.ldap.user.objectclass": "account",
    "ranger.usersync.ldap.user.nameattribute": "uid",
    "ranger.usersync.ldap.deltasync": "false",
    "ranger.usersync.sink.impl.class": "org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder",
    "ranger.usersync.source.impl.class": "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder",
    "ranger.usersync.ssl": "false"
  }
{
  "ranger-admin-site": {
    "properties_attributes": {},
    "properties": {
      "ranger.audit.solr.zookeepers": "%ENV%-namenode.%SUBNET%.%VCN%.oraclevcn.com:2181/infra-solr",
      "ranger.authentication.method": "LDAP",
      "ranger.credential.provider.path": "/etc/ranger/admin/rangeradmin.jceks",
      "ranger.externalurl": "http://%ENV%-namenode.%SUBNET%.%VCN%.oraclevcn.com:6080",
      "ranger.jpa.jdbc.driver": "oracle.jdbc.driver.OracleDriver",
      "ranger.jpa.jdbc.url": "jdbc:oracle:thin:@//%ORACEL_DB_HOST%",
      "ranger.jpa.jdbc.user": "ranger_%ENV%",
      "ranger.jpa.jdbc.credential.alias": "rangeradmin",
      "ranger.jpa.jdbc.dialect": "org.eclipse.persistence.platform.database.OraclePlatform",
      "ranger.ldap.base.dn": "dc=ocidw,dc=%ENV%",
      "ranger.ldap.bind.dn": "cn=ldapadm,dc=ocidw,dc=%ENV%",
      "ranger.ldap.bind.password": "%SERVICE_PASSWORD%",
      "ranger.ldap.group.roleattribute": "cn",
      "ranger.ldap.group.searchbase": "dc=ocidw,dc=%ENV%",
      "ranger.ldap.group.searchfilter": "(cn=*)",
      "ranger.ldap.referral": "follow",
      "ranger.ldap.url": "ldap://%ENV%-ambariserver.%SUBNET%.%VCN%.oraclevcn.com:389",
      "ranger.ldap.user.dnpattern": "cn=ldapadm,dc=ocidw,dc=%ENV%",
      "ranger.service.host": "%ENV%-namenode.%SUBNET%.%VCN%.oraclevcn.com",
      "ranger.service.http.enabled": "true"
    }
  }
},

Any idea?

Thanks a lot.

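Added example (not part of the original thread, and not Ranger's code): an in-memory stand-in for the group search filter shown in the log, run against constructed group entries, showing why a posixGroup that carries memberUid yields no groups when the member attribute is configured as "member". The sample entries, the dc=example,dc=test names, the function names and the reading of {0} as the user's DN and {1} as the user name are assumptions.

```python
# Constructed sample entries (not from the thread): an RFC 2307 posixGroup lists
# bare login names in memberUid; a groupOfNames lists full DNs in member.
GROUPS = [
    {"objectClass": ["posixGroup"], "cn": ["analysts"],
     "memberUid": ["guest", "guest2"]},
    {"objectClass": ["groupOfNames"], "cn": ["admins"],
     "member": ["uid=admin,ou=people,dc=example,dc=test"]},
]
MEMBER_ATTRS = ("member", "memberUid", "uniqueMember")


def has_class(entry, object_class):
    """objectClass values compare case-insensitively."""
    return object_class.lower() in (c.lower() for c in entry["objectClass"])


def groups_for_user(groups, object_class, member_attr, user_dn, user_name):
    """In-memory stand-in for (&(objectclass=OC)(|(ATTR={0})(ATTR={1}))).

    Assumption: {0} is the user's DN and {1} the user's name. Values are
    compared exactly, which is a simplification of LDAP matching rules.
    """
    wanted = {user_dn, user_name}
    return [g["cn"][0] for g in groups
            if has_class(g, object_class) and wanted & set(g.get(member_attr, []))]


def diagnose(groups, object_class, member_attr):
    """Return (status, membership attributes actually populated on those groups)."""
    used = sorted({a for g in groups if has_class(g, object_class)
                   for a in MEMBER_ATTRS if g.get(a)})
    if not used:
        return "no-groups-or-no-members", used
    return ("ok" if member_attr in used else "mismatch"), used


if __name__ == "__main__":
    dn, name = "uid=guest,ou=people,dc=example,dc=test", "guest"
    for attr in ("member", "memberUid"):
        print(attr, groups_for_user(GROUPS, "posixGroup", attr, dn, name),
              diagnose(GROUPS, "posixGroup", attr))
```
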