Configuring Ranger Authentication with UNIX, LDAP, or AD
UNIX Authentication Settings
The following figure shows the UNIX authentication settings, and the table below describes each of these properties.
Table 2.2. UNIX Authentication Settings
Configuration Property | Description | Default Value | Example Value | Required? |
---|---|---|---|---|
Allow remote Login | Flag to enable/disable remote login via UNIX Authentication Mode. | TRUE | TRUE | No. |
ranger.unixauth.service.hostname | The FQDN where the ranger-usersync module is running (along with the UNIX Authentication Service). | localhost | myunixhost.domain.com | Yes, if UNIX authentication is selected. |
ranger.unixauth.service.port | The port number where the ranger-usersync module is running the UNIX Authentication Service. | 5151 | 5151 | Yes, if UNIX authentication is selected. |
Active Directory Authentication Settings
This section describes how to configure settings for Active Directory authentication.
Note: In addition to these settings, you may also need to configure the Active Directory properties described in Configure Ranger User Sync.
AD Settings
The following figure shows the Active Directory (AD) authentication settings, and the table below describes each of these properties.
[Figure: Active Directory authentication settings]
Table 2.3. Active Directory Authentication Settings
Configuration Property Name | Description | Default Value | Example Value | Required? |
---|---|---|---|---|
ranger.ldap.ad.domain | Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service). The default value of "localhost" must be changed to the domain name. | localhost | example.com | Yes, if Active Directory authentication is selected. |
ranger.ldap.ad.url | The URL and port number where ranger-usersync module is running the AD Authentication Service. The default value is a placeholder and must be changed to point to the AD server. | ldap://ad.xasecure.net:389 | ldap://127.0.0.1:389 | Yes, if Active Directory authentication is selected. |
Custom ranger-admin-site Settings for Active Directory (Optional)
The following Custom ranger-admin-site settings for Active Directory authentication are optional.
To add a Custom ranger-admin-site property:
The following figure shows the Custom ranger-admin-site settings required for Active Directory (AD) authentication, and the table below describes each of these properties.
[Figure: Custom ranger-admin-site settings for Active Directory authentication]
Table 2.4. Active Directory Custom ranger-admin-site Settings
Custom Property Name | Sample Values for AD Authentication |
---|---|
ranger.ldap.ad.base.dn | dc=example,dc=com |
ranger.ldap.ad.bind.dn | cn=adadmin,cn=Users,dc=example,dc=com |
ranger.ldap.ad.bind.password | secret123! |
ranger.ldap.ad.referral | follow, ignore, or throw |
There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.
When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.
When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references. When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw. When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.
LDAP Authentication Settings
This section describes how to configure LDAP and Advanced ranger-ugsync-site settings for Active Directory authentication.
Note: In addition to these settings, you must also configure the LDAP properties described in Configure Ranger User Sync.
LDAP Settings
The following figure shows the LDAP authentication settings, and the table below describes each of these properties.
[Figure: LDAP authentication settings]
Table 2.5. LDAP Authentication Settings
Configuration Property Name | Description | Default Value | Example Value | Required? |
---|---|---|---|---|
ranger.ldap.url | The URL and port number where the ranger-usersync module is running the LDAP Authentication Service. | ldap://71.127.43.33:389 | ldap://127.0.0.1:389 | Yes, if LDAP authentication is selected. |
ranger.ldap.user.dnpattern | The domain name pattern. | uid={0},ou=users,dc=xasecure,dc=net | cn=ldapadmin,ou=Users,dc=example,dc=com | Yes, if LDAP authentication is selected. |
ranger.ldap.group.roleattribute | The LDAP group role attribute. | cn | cn | Yes, if LDAP authentication is selected. |
Custom ranger-admin-site Settings for LDAP (Optional)
The following Custom ranger-admin-site settings for LDAP are optional.
To add a Custom ranger-admin-site property:
The following figure shows the Custom ranger-admin-site settings required for LDAP authentication, and the table below describes each of these properties.
[Figure: Custom ranger-admin-site settings for LDAP authentication]
Table 2.6. LDAP Custom ranger-admin-site Settings
Custom Property Name | Sample Values for AD or LDAP Authentication |
---|---|
ranger.ldap.base.dn | dc=example,dc=com |
ranger.ldap.bind.dn | cn=adadmin,cn=Users,dc=example,dc=com |
ranger.ldap.bind.password | secret123! |
ranger.ldap.referral | follow, ignore, or throw |
There are three possible values for ranger.ldap.referral: follow, throw, and ignore. The recommended setting is follow.
When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.
When this property is set to follow, the LDAP service provider processes all of the normal entries first, and then follows the continuation references. When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw. When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search.
Advanced ranger-admin-site Settings
The following Advanced ranger-admin-site properties apply only to LDAP authentication.
Table 2.7. Active Directory Authentication Settings
Property Name | Sample values for LDAP Authentication |
---|---|
ranger.ldap.group.searchbase | dc=example,dc=com |
ranger.ldap.group.searchfilter | (member=cn={0},ou=Users,dc=example,dc=com) |
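The tables above (UNIX, Active Directory and LDAP settings, the custom ranger-admin-site properties and the referral values) describe what must be set and which defaults are placeholders, but nothing on the page checks a finished configuration. The script below is an added example, not code from the Ranger project or from this guide: it parses a Hadoop-style *-site.xml fragment (constructed inline here, with values taken from the tables) and reports properties that are missing, still at a documented placeholder, set to a referral value other than the recommended follow, using plain ldap:// transport, or still carrying the sample bind password. The authentication mode is passed as a function argument of the example rather than read from any Ranger property.

```python
"""Sanity-check Ranger admin authentication properties (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the *-site.xml layout; values come from the AD tables
# above, deliberately left at the documented placeholder URL and sample password.
SAMPLE_XML = """<configuration>
  <property><name>ranger.ldap.ad.domain</name><value>example.com</value></property>
  <property><name>ranger.ldap.ad.url</name><value>ldap://ad.xasecure.net:389</value></property>
  <property><name>ranger.ldap.ad.base.dn</name><value>dc=example,dc=com</value></property>
  <property><name>ranger.ldap.ad.bind.dn</name><value>cn=adadmin,cn=Users,dc=example,dc=com</value></property>
  <property><name>ranger.ldap.ad.bind.password</name><value>secret123!</value></property>
  <property><name>ranger.ldap.ad.referral</name><value>throw</value></property>
</configuration>"""

# Properties the tables mark "Yes" under Required?, keyed by the mode chosen
# for this example (UNIX, AD or LDAP; the mode is this script's own argument).
REQUIRED = {
    "UNIX": ["ranger.unixauth.service.hostname", "ranger.unixauth.service.port"],
    "AD": ["ranger.ldap.ad.domain", "ranger.ldap.ad.url"],
    "LDAP": ["ranger.ldap.url", "ranger.ldap.user.dnpattern",
             "ranger.ldap.group.roleattribute"],
}
# Default values the tables say must be changed before use.
PLACEHOLDERS = {
    "ranger.unixauth.service.hostname": {"localhost"},
    "ranger.ldap.ad.domain": {"localhost"},
    "ranger.ldap.ad.url": {"ldap://ad.xasecure.net:389"},
    "ranger.ldap.url": {"ldap://71.127.43.33:389"},
    "ranger.ldap.user.dnpattern": {"uid={0},ou=users,dc=xasecure,dc=net"},
}
REFERRAL_PROPS = ("ranger.ldap.ad.referral", "ranger.ldap.referral")
URL_PROPS = ("ranger.ldap.ad.url", "ranger.ldap.url")
PASSWORD_PROPS = ("ranger.ldap.ad.bind.password", "ranger.ldap.bind.password")
SAMPLE_PASSWORD = "secret123!"  # the sample value printed in Tables 2.4 and 2.6


def parse_site_xml(text):
    """Return {name: value} for every <property> in a *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_auth_config(props, method):
    """Return a list of (severity, property, message) findings for one mode."""
    findings = []
    for name in REQUIRED[method]:
        value = props.get(name, "")
        if not value:
            findings.append(("ERROR", name,
                             "required for %s authentication but not set" % method))
        elif value in PLACEHOLDERS.get(name, ()):
            findings.append(("ERROR", name,
                             "still at the documented placeholder value %r" % value))
    for name in REFERRAL_PROPS:
        value = props.get(name)
        if value is None:
            continue
        if value not in ("follow", "throw", "ignore"):
            findings.append(("ERROR", name,
                             "%r is not one of follow, throw, ignore" % value))
        elif value != "follow":
            findings.append(("WARN", name,
                             "%r is valid but follow is the recommended setting" % value))
    for name in URL_PROPS:
        url = props.get(name, "")
        if url.lower().startswith("ldap://"):
            findings.append(("WARN", name,
                             "plain ldap:// transport: bind DN credentials and user "
                             "passwords cross the network unencrypted unless StartTLS "
                             "is negotiated; prefer ldaps://"))
    for name in PASSWORD_PROPS:
        if props.get(name) == SAMPLE_PASSWORD:
            findings.append(("WARN", name,
                             "the documentation sample password is still in use"))
    return findings


if __name__ == "__main__":
    for severity, name, message in check_auth_config(parse_site_xml(SAMPLE_XML), "AD"):
        print("%-5s %s: %s" % (severity, name, message))
```

Run it against a copy of the real ranger-admin-site.xml and pass the mode that was selected in the Ambari UI; an empty findings list for that mode means every required property is set to a non-placeholder value, the referral property is follow, the directory URL uses ldaps://, and the bind password is not the one printed in this guide.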