Configuring Ranger User Sync for LDAP/AD
![[Important]](../common/images/admon/important.png) | Important |
|---|---|
To ensure that LDAP/AD group level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD. |
![[Note]](../common/images/admon/note.png) | Note |
|---|---|
You can use the LDAP Connection Check tool to determine User Sync settings for LDAP/AD. |
Use the following steps to configure Ranger User Sync for LDAP/AD.
On the Customize Services page, select the Ranger User Info tab.
Click Yes under Enable User Sync.
Use the Sync Source drop-down to select LDAP/AD.
Set the following properties on the Common Configs tab.
Table 3.7. LDAP/AD Common Configs
Property Description Default Value Sample Values LDAP/AD URL Add URL depending upon LDAP/AD sync source ldap://{host}:{port} ldap://ldap.example.com:389 or ldaps://ldap.example.com:636 Bind Anonymous If Yes is selected, the Bind User and Bind User Password are not required. NO Bind User The location of the groups file on the Linux server. The full distinguished name (DN), including common name (CN), of an LDAP/AD user account that has privileges to search for users. The LDAP bind DN is used to connect to LDAP and query for users and groups. cn=admin,dc=example,dc=com or admin@example.com Bind User Password The password of the Bind User. 
Set the following properties on the User Configs tab.
Table 3.8. LDAP/AD User Configs
Property Description Default Value Sample Values Group User Map Sync Sync specific groups for users. No Yes Username Attribute The LDAP user name attribute. sAMAccountName for AD, uid or cn for OpenLDAP User Object Class Object class to identify user entries. person top, person, organizationalPerson, user, or posixAccount User Search Base Search base for users. cn=users,dc=example,dc=com User Search Filter Optional additional filter constraining the users selected for syncing. Sample filter to retrieve all the users: cn=*
Sample filter to retrieve all the users who are members of groupA or groupB: (|(memberof=CN=GroupA,OU=groups,DC=example,DC=com)(memberof=CN=GroupB,OU=groups,DC=example,DC=com))
User Search Scope This value is used to limit user search to the depth from search base. sub base, one, or sub User Group Name Attribute Attribute from user entry whose values would be treated as group values to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas. memberof,ismemberof memberof, ismemberof, or gidNumber
Set the following properties on the Group Configs tab.
Table 3.9. LDAP/AD Group Configs
Property Description Default Value Sample Values Enable Group Sync If Enable Group Sync is set to No, the group names the users belong to are derived from “User Group Name Attribute”. In this case no additional group filters are applied.
If Enable Group Sync is set to Yes, the groups the users belong to are retrieved from LDAP/AD using the following group-related attributes.
No Yes Group Member Attribute The LDAP group member attribute name. member Group Name Attribute The LDAP group name attribute. distinguishedName for AD, cn for OpenLdap Group Object Class LDAP Group object class. group, groupofnames, or posixGroup Group Search Base Search base for groups. ou=groups,DC=example,DC=com Group Search Filter Optional additional filter constraining the groups selected for syncing. Sample filter to retrieve all groups: cn=*
Sample filter to retrieve only the groups whose cn is Engineering or Sales: (|(cn=Engineering)(cn=Sales))
