Advanced Usersync Settings
To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.
Important | |
---|---|
To ensure that LDAP/AD group level authorization is enforced in Hadoop, you must first Setting Up Hadoop Group Mapping for LDAP/AD for LDAP. |
Note | |
---|---|
Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended: Test Run Ranger Usersync. |
UNIX Usersync Settings
If you are using UNIX authentication, the default values for the Advanced ranger-ugsync-site properties are the settings for UNIX authentication.
[D]
Required LDAP and AD Usersync Settings
If you are using LDAP authentication, you must update the following Advanced ranger-ugsync-site properties.
Note | |
---|---|
Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended: Test Run Ranger Usersync. |
Table 3.16. LDAP Advanced ranger-ugsync-site Settings
Property Name | LDAP Value |
---|---|
ranger.usersync.ldap.bindkeystore |
Set this to the same value as the
|
ranger.usersync.ldap.bindalias | ranger.usersync.ldap.bindalias |
ranger.usersync.source.impl.class | ldap |
Table 3.17. AD Advanced ranger-ugsync-site Settings
Property Name | LDAP Value |
---|---|
ranger.usersync.source.impl.class | ldap |
Additional LDAP and AD Usersync Settings
If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending upon your specific deployment characteristics.
Note | |
---|---|
Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended: Test Run Ranger Usersync. |
Table 3.18. Advanced ranger-ugsync-site Settings for LDAP and AD
Property Name | LDAP ranger-ugsync-site Value | AD ranger-ugsync-site Value |
---|---|---|
ranger.usersync.ldap.url | ldap://127.0.0.1:389 | ldap://ad-conrowoller-hostname:389 |
ranger.usersync.ldap.binddn | cn=ldapadmin,ou=users, dc=example,dc=com | cn=adadmin,cn=Users, dc=example,dc=com |
ranger.usersync.ldap.ldapbindpassword | secret | secret |
ranger.usersync.ldap.searchBase | dc=example,dc=com | dc=example,dc=com |
ranger.usersync.source.impl.class | org.apache.ranger. ladpusersync. process.LdapUserGroupBuilder | |
ranger.usersync.ldap.user.searchbase | ou=users, dc=example, dc=com | dc=example,dc=com |
ranger.usersync.ldap.user.searchscope | sub | sub |
ranger.usersync.ldap.user.objectclass | person | person |
ranger.usersync.ldap.user.searchfilter | Set to single empty space if no value. Do not leave it as “empty” | (objectcategory=person) |
ranger.usersync.ldap.user.nameattribute | uid or cn | sAMAccountName |
ranger.usersync.ldap.user.groupnameattribute | memberof,ismemberof | memberof,ismemberof |
ranger.usersync.ldap.username.caseconversion | none | none |
ranger.usersync.ldap.groupname.caseconversion | none | none |
ranger.usersync.group.searchenabled * | false | false |
ranger.usersync.group.usermapsyncenabled * | false | false |
ranger.usersync.group.searchbase * | ou=groups, dc=example, dc=com | dc=example,dc=com |
ranger.usersync.group.searchscope * | sub | sub |
ranger.usersync.group.objectclass * | groupofnames | groupofnames |
ranger.usersync.group.searchfilter * | needed for AD authentication | (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM) |
ranger.usersync.group.nameattribute * | cn | cn |
ranger.usersync.group.memberattributename * | member | member |
ranger.usersync.pagedresultsenabled * | true | true |
ranger.usersync.pagedresultssize * | 500 | 500 |
ranger.usersync.user.searchenabled * | false | false |
ranger.usersync.group.search.first.enabled * | false | false |
* Only applies when you want to filter out groups.
After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.