Hello all,
I'm currently syncing users from Active Directory to Apache Ranger (Ranger Usersync version 0.5.0 is used). The connection to AD in general works fine; I'm able to synchronize users and groups to Ranger. I'm using one AD for several clusters. However, there are some issues with the details. With the current settings I sync all the users I expect, but too many groups are synced.

The AD structure is as follows: there is one OU containing all personal users, as well as one OU per cluster with further, mostly technical, users. The cluster OU always has a sub-OU for cluster-specific users, as well as an OU containing a group that links the personal users to this cluster.

The current (relevant) properties from ranger-ugsync-site.xml are the following ones:

    <name>ranger.usersync.group.searchbase</name>
    <value>ou=HADOOP,dc=R123,dc=MY,dc=EXAMPLE</value>

    <name>ranger.usersync.group.searchfilter</name>
    <value>(cn=Dev*,ou=DEV,ou=HADOOP,dc=R123,dc=MY,dc=EXAMPLE)</value>

    <name>ranger.usersync.group.searchscope</name>
    <value>sub</value>

    <name>ranger.usersync.ldap.user.searchbase</name>
    <value>ou=HADOOP,dc=R123,dc=MY,dc=EXAMPLE</value>

    <name>ranger.usersync.ldap.user.searchfilter</name>
    <value>(| (sAMAccountName=xc*)(cn=*Usr.dev.de)(cn=*clustername)(objectcategory=person,ou=DEV,ou=HADOOP,dc=R123,dc=MY,dc=EXAMPLE))</value>

    <name>ranger.usersync.ldap.user.searchscope</name>
    <value>sub</value>

Again, the users the filter returns are exactly the ones we expect. The problem is that as soon as a personal user is synced, ALL his group memberships are synced as well - so I don't only get the "DevGroup", but also the "TestGroup" and the "ProdGroup" - the fact that the group filter is set to only return groups starting with Dev* seems to be ignored.
I had a look at the parameters ranger.usersync.group.searchenabled and ranger.usersync.group.usermapsyncenabled, as I assumed from the documentation/source code that they might do the trick, but no matter whether I set them to true or false, the result is the same.

So is anybody able to suggest improvements to my settings, or clarify whether there is a basic misunderstanding? Is the whole approach even feasible?

Any help, comments and further questions are welcome!

Thank you,
Markus
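Added example (not code from the message above or from Ranger itself): a small model of how an LDAP search base, search scope and RFC 4515 filter combine to select entries, run against a constructed directory shaped like the cluster OUs described (DevGroup under ou=DEV, TestGroup and ProdGroup under their own OUs, plus a DevOps group under ou=TEST to show that the base, not the filter, is what restricts the OU). The DN suffix, the ou=Groups container and the group names are assumptions; the filter evaluator handles only &, |, equality, presence and a trailing * wildcard.

```python
# Added example (not code from the original message or from Ranger): a small model
# of how LDAP search base, scope and filter combine, run on a constructed directory.
DOMAIN = "dc=R123,dc=MY,dc=EXAMPLE"
def group(cn, ou):  # constructed group entry under the ou=Groups of a cluster OU
    return f"cn={cn},ou=Groups,ou={ou},ou=HADOOP,{DOMAIN}", {"cn": [cn], "objectclass": ["group"]}
DIRECTORY = dict([group("DevGroup", "DEV"), group("TestGroup", "TEST"),
                  group("ProdGroup", "PROD"), group("DevOps", "TEST")])

def dn_parts(dn):  # DN -> lower-cased RDNs, leaf first (no escaping support)
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope):
    """True if dn lies within base for scope 'base', 'one' or 'sub'."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    return {"base": len(d) == len(b), "one": len(d) == len(b) + 1, "sub": True}[scope]

def parse(flt):
    """RFC 4515 filter -> ('&'|'|', [subfilters]) or ('=', attr, value);
    only a trailing '*' wildcard (and bare '*' for presence) is supported."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: " + flt)
    body = flt[1:-1]
    if body[0] in "&|":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(parse(body[start:i + 1]))
                start = i + 1
        return (body[0], subs)
    attr, _, value = body.partition("=")
    return ("=", attr.strip().lower(), value.strip().lower())

def matches(entry, node):
    if node[0] == "&": return all(matches(entry, s) for s in node[1])
    if node[0] == "|": return any(matches(entry, s) for s in node[1])
    _, attr, value = node
    vals = [v.lower() for v in entry.get(attr, [])]
    if value == "*": return bool(vals)  # presence test
    if value.endswith("*"): return any(v.startswith(value[:-1]) for v in vals)
    return value in vals  # equality

def search(base, scope, flt):
    """Names (cn) of DIRECTORY entries selected by base + scope + filter."""
    node = parse(flt)
    return sorted(e["cn"][0] for dn, e in DIRECTORY.items()
                  if in_scope(dn, base, scope) and matches(e, node))
```

With the cluster OU as the base and `(cn=Dev*)` as the filter, only DevGroup is selected; widening the base to ou=HADOOP also pulls in DevOps from ou=TEST, and putting the OU path inside the filter value instead of the base matches nothing, because a filter compares attribute values, not DNs.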