Security

Configuring Ranger Authentication with UNIX, LDAP, or AD

UNIX Authentication Settings

The following figure shows the UNIX authentication settings, and the table below describes each of these properties.

Table 2.2. UNIX Authentication Settings

| Configuration Property | Description | Default Value | Example Value | Required? |
|---|---|---|---|---|
| Allow remote Login | Flag to enable/disable remote login via UNIX Authentication Mode. | TRUE | TRUE | No. |
| ranger.unixauth.service.hostname | The FQDN where the ranger-usersync module is running (along with the UNIX Authentication Service). | localhost | myunixhost.domain.com | Yes, if UNIX authentication is selected. |
| ranger.unixauth.service.port | The port number where the ranger-usersync module is running the UNIX Authentication Service. | 5151 | 5151 | Yes, if UNIX authentication is selected. |

Active Directory Authentication Settings

This section describes how to configure settings for Active Directory authentication.

Note: In addition to these settings, you may also need to configure the Active Directory properties described in Configuring Usersync Settings.

AD Settings

The following figure shows the Active Directory (AD) authentication settings, and the table below describes each of these properties.

Table 2.3. Active Directory Authentication Settings

| Configuration Property Name | Description | Default Value | Example Value | Required? |
|---|---|---|---|---|
| ranger.ldap.ad.domain | Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service). The default value of "localhost" must be changed to the domain name. | localhost | example.com | Yes, if Active Directory authentication is selected. |
| ranger.ldap.ad.url | The URL and port number where the ranger-usersync module is running the AD Authentication Service. The default value is a placeholder and must be changed to point to the AD server. | ldap://ad.xasecure.net:389 | ldap://127.0.0.1:389 | Yes, if Active Directory authentication is selected. |

Custom ranger-admin-site Settings for Active Directory (Optional)

The following Custom ranger-admin-site settings for Active Directory authentication are optional.

To add a Custom ranger-admin-site property:

  1. Select Custom ranger-admin-site, then click Add Property.

  2. On the Add Property pop-up, type the property name in the Key box, type the property value in the Value box, then click Add.

The following figure shows the Custom ranger-admin-site settings required for Active Directory (AD) authentication, and the table below describes each of these properties.

Table 2.4. Active Directory Custom ranger-admin-site Settings

| Custom Property Name | Sample Values for AD Authentication |
|---|---|
| ranger.ldap.ad.base.dn | dc=example,dc=com |
| ranger.ldap.ad.bind.dn | cn=adadmin,cn=Users,dc=example,dc=com |
| ranger.ldap.ad.bind.password | secret123! |
| ranger.ldap.ad.referral | follow, ignore, or throw |

There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.

When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

  • When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references.

  • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.

  • When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.

LDAP Authentication Settings

This section describes how to configure LDAP and Advanced ranger-ugsync-site settings for Active Directory authentication.

Note: In addition to these settings, you must also configure the LDAP properties described in Configuring Usersync Settings.

LDAP Settings

The following figure shows the LDAP authentication settings, and the table below describes each of these properties.

Table 2.5. LDAP Authentication Settings

| Configuration Property Name | Description | Default Value | Example Value | Required? |
|---|---|---|---|---|
| ranger.ldap.url | The URL and port number where the ranger-usersync module is running the LDAP Authentication Service. | ldap://71.127.43.33:389 | ldap://127.0.0.1:389 | Yes, if LDAP authentication is selected. |
| ranger.ldap.user.dnpattern | The domain name pattern. | uid={0},ou=users,dc=xasecure,dc=net | cn=ldapadmin,ou=Users,dc=example,dc=com | Yes, if LDAP authentication is selected. |
| ranger.ldap.group.roleattribute | The LDAP group role attribute. | cn | cn | Yes, if LDAP authentication is selected. |

Custom ranger-admin-site Settings for LDAP (Optional)

The following Custom ranger-admin-site settings for LDAP are optional.

To add a Custom ranger-admin-site property:

  1. Select Custom ranger-admin-site, then click Add Property.

  2. On the Add Property pop-up, type the property name in the Key box, type the property value in the Value box, then click Add.

The following figure shows the Custom ranger-admin-site settings required for LDAP authentication, and the table below describes each of these properties.

Table 2.6. LDAP Custom ranger-admin-site Settings

| Custom Property Name | Sample Values for AD or LDAP Authentication |
|---|---|
| ranger.ldap.base.dn | dc=example,dc=com |
| ranger.ldap.bind.dn | cn=adadmin,cn=Users,dc=example,dc=com |
| ranger.ldap.bind.password | secret123! |
| ranger.ldap.referral | follow, ignore, or throw |

There are three possible values for ranger.ldap.referral: follow, throw, and ignore. The recommended setting is follow.

When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

  • When this property is set to follow, the LDAP service provider processes all of the normal entries first, and then follows the continuation references.

  • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.

  • When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search.

Advanced ranger-admin-site Settings

The following Advanced ranger-admin-site properties apply only to LDAP authentication.

Table 2.7. Active Directory Authentication Settings

| Property Name | Sample values for LDAP Authentication |
|---|---|
| ranger.ldap.group.searchbase | dc=example,dc=com |
| ranger.ldap.group.searchfilter | (member=cn={0},ou=Users,dc=example,dc=com) |
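An offline review of these properties, added here as an example and not Ranger's own code (Ranger's LDAP library performs the {0} substitution internally): it uses the property names exactly as listed in Tables 2.5 to 2.7, covers the ranger.ldap.ad.* names from Tables 2.3 and 2.4 through the prefix argument, and shows the RFC 4514 (DN) and RFC 4515 (filter) escaping a user name needs before it is spliced into ranger.ldap.user.dnpattern or ranger.ldap.group.searchfilter. The placeholder URLs and the secret123! sample value are the ones from the tables above.

```python
"""Offline review of the ranger-admin-site LDAP/AD authentication properties above.
Added example, not Ranger's own code (Ranger's LDAP library does the {0} substitution
itself): it shows the escaping a reviewer should expect and flags weak values."""
import re
from urllib.parse import urlsplit

REFERRAL_VALUES = {"follow", "throw", "ignore"}
# Shipped defaults from the tables above that must be replaced before use.
PLACEHOLDER_URLS = {"ldap://ad.xasecure.net:389", "ldap://71.127.43.33:389"}

def escape_dn_value(value):
    """RFC 4514 escaping for a value spliced into a DN, e.g. uid={0},ou=users,..."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.endswith(" "):            # a trailing space must be escaped ...
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):          # ... and so must a leading '#' or space
        out = "\\" + out
    return out

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, e.g. (member=cn={0},...).
    When the attribute is DN-valued (as member is), apply escape_dn_value first."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def expand_pattern(pattern, username, context):
    """Fill {0}; context is 'dn' or 'filter' because the two escaping rules differ."""
    esc = escape_dn_value if context == "dn" else escape_filter_value
    return pattern.replace("{0}", esc(username))

def check_auth_props(props, prefix="ranger.ldap"):
    """Return findings for a property map; prefix 'ranger.ldap.ad' covers the AD tables."""
    key = lambda name: f"{prefix}.{name}"
    findings = []
    url = props.get(key("url"), "")
    scheme = urlsplit(url).scheme
    if url in PLACEHOLDER_URLS:
        findings.append(f"{key('url')} still holds the shipped placeholder value")
    if scheme == "ldap":
        findings.append(f"{key('url')} is plain ldap://; a simple bind sends the password in clear")
    elif scheme != "ldaps":
        findings.append(f"{key('url')} must start with ldap:// or ldaps://")
    if prefix == "ranger.ldap" and "{0}" not in props.get(key("user.dnpattern"), ""):
        findings.append(f"{key('user.dnpattern')} has no {{0}} placeholder for the user name")
    referral = props.get(key("referral"))
    if referral is not None and referral not in REFERRAL_VALUES:
        findings.append(f"{key('referral')}={referral!r} is not follow, throw or ignore")
    if props.get(key("bind.password"), "") in ("", "secret123!"):  # docs sample value
        findings.append(f"{key('bind.password')} is empty or the sample value from the docs")
    return findings
```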