Advanced Usersync Settings
To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.
Important | |
---|---|
To ensure that LDAP/AD group level authorization is enforced in Hadoop, you must first set up Hadoop group mapping for LDAP. |
UNIX Usersync Settings
If you are using UNIX authentication, the default values for the Advanced ranger-ugsync-site properties are the settings for UNIX authentication.
Required LDAP and AD Usersync Settings
If you are using LDAP authentication, you must update the following Advanced ranger-ugsync-site properties.
Table 3.13. LDAP Advanced ranger-ugsync-site Settings
Property Name | LDAP Value |
---|---|
ranger.usersync.ldap.bindkeystore |
Set this to the same value as the
|
ranger.usersync.ldap.bindalias | ranger.usersync.ldap.bindalias |
ranger.usersync.source.impl.class | ldap |
Table 3.14. AD Advanced ranger-ugsync-site Settings
Property Name | LDAP Value |
---|---|
ranger.usersync.source.impl.class | ldap |
Additional LDAP and AD Usersync Settings
If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending upon your specific deployment characteristics.
Table 3.15. Advanced ranger-ugsync-site Settings for LDAP and AD
Property Name | LDAP ranger-ugsync-site Value | AD ranger-ugsync-site Value |
---|---|---|
ranger.usersync.ldap.url | ldap://127.0.0.1:389 | ldap://ad-conrowoller-hostname:389 |
ranger.usersync.ldap.binddn | cn=ldapadmin,ou=users, dc=example,dc=com | cn=adadmin,cn=Users, dc=example,dc=com |
ranger.usersync.ldap.ldapbindpassword | secret | secret |
ranger.usersync.ldap.searchBase | dc=example,dc=com | dc=example,dc=com |
ranger.usersync.source.impl.class | org.apache.ranger. ladpusersync. process.LdapUserGroupBuilder | |
ranger.usersync.ldap.user.searchbase | ou=users, dc=example, dc=com | dc=example,dc=com |
ranger.usersync.ldap.user.searchscope | sub | sub |
ranger.usersync.ldap.user.objectclass | person | person |
ranger.usersync.ldap.user.searchfilter | Set to single empty space if no value. Do not leave it as “empty” | (objectcategory=person) |
ranger.usersync.ldap.user.nameattribute | uid or cn | sAMAccountName |
ranger.usersync.ldap.user.groupnameattribute | memberof,ismemberof | memberof,ismemberof |
ranger.usersync.ldap.username.caseconversion | none | none |
ranger.usersync.ldap.groupname.caseconversion | none | none |
ranger.usersync.group.searchenabled * | false | false |
ranger.usersync.group.usermapsyncenabled * | false | false |
ranger.usersync.group.searchbase * | ou=groups, dc=example, dc=com | dc=example,dc=com |
ranger.usersync.group.searchscope * | sub | sub |
ranger.usersync.group.objectclass * | groupofnames | groupofnames |
ranger.usersync.group.searchfilter * | needed for AD authentication | (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM) |
ranger.usersync.group.nameattribute * | cn | cn |
ranger.usersync.group.memberattributename * | member | member |
ranger.usersync.pagedresultsenabled * | true | true |
ranger.usersync.pagedresultssize * | 500 | 500 |
* Only applies when you want to filter out groups.
After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.