Configuring Apache Ranger Authentication with UNIX, LDAP, or AD

Configure Ranger Authentication for AD

How to configure Ranger to use AD for user authentication.

You can configure Ranger authentication in two ways:
  • During installation: Ranger Customize Services > Advanced tab > Ranger Settings
  • After installation: Ambari > Ranger > Configs > Advanced > Ranger Settings

[Figure: Add Service Wizard showing the Active Directory (AD) authentication settings.]
  1. From the Ranger Settings tab:
    1. Enter the external URL, e.g. http://my-vm.hortonworks.com:6080.
    2. Under Authentication method, select ACTIVE_DIRECTORY.
    3. Under HTTP enabled, make a selection. This option selects whether the Ranger admin console communicates over HTTP or HTTPS. If you disable HTTP, only HTTPS is allowed. HTTP is enabled by default.
  2. From the AD Settings tab, enter the following values:
    Property: ranger.ldap.ad.base.dn
      Description: The Distinguished Name (DN) of the starting point for directory server searches.
      Default value: dc=example,dc=com
      Sample values: dc=example,dc=com

    Property: ranger.ldap.ad.bind.dn
      Description: The full Distinguished Name (DN), including Common Name (CN), of an LDAP user account that has privileges to search for users. This is a macro variable value that is derived from the Bind User value from Ranger User Info > Common Configs.
      Default value: {{ranger_ug_ldap_bind_dn}}
      Sample values: {{ranger_ug_ldap_bind_dn}}

    Property: ranger.ldap.ad.bind.password
      Description: Password for the bind.dn. This is a macro variable value that is derived from the Bind User Password value from Ranger User Info > Common Configs.

    Property: Domain Name (Only for AD)
      Description: The domain name of the AD Authentication service.
      Sample values: dc=example,dc=com

    Property: ranger.ldap.ad.referral*
      Description: See below.
      Default value: ignore
      Sample values: follow | ignore | throw

    Property: ranger.ldap.ad.url
      Description: The AD server URL. This is a macro variable value that is derived from the LDAP/AD URL value from Ranger User Info > Common Configs.
      Default value: {{ranger_ug_ldap_url}}
      Sample values: {{ranger_ug_ldap_url}}

    Property: ranger.ldap.ad.user.searchfilter
      Description: The search filter used for Bind Authentication. This is a macro variable value that is derived from the User Search Filter value from Ranger User Info > User Configs.
      Default value: {{ranger_ug_ldap_user_searchfilter}}
      Sample values: {{ranger_ug_ldap_user_searchfilter}}
  3. Optional: Custom ranger-admin-site Settings for Active Directory:
    1. Select Custom ranger-admin-site, then click Add Property.
    2. The following table shows the Custom ranger-admin-site settings required for Active Directory (AD) authentication:
      Key                            Value
      ranger.ldap.ad.base.dn         dc=example,dc=com
      ranger.ldap.ad.bind.dn         cn=adadmin,cn=Users,dc=example,dc=com
      ranger.ldap.ad.bind.password   Secret123!
      ranger.ldap.ad.referral*       follow | ignore | throw


    * There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.

    When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

    • When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references.
    • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.
    • When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.
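
A pre-deployment check over the AD settings described above, written for this page as an added example (it is not part of Ranger or Ambari). It assumes the settings have been exported into a dictionary, that `ranger.externalurl` is the key behind the External URL field, and that the finding texts and `SAMPLE` values are constructed for illustration.

```python
import re

# Keys are the ranger-admin-site names from the tables above; ranger.externalurl is
# assumed to back the External URL field. Findings and SAMPLE are constructed here.
REFERRAL_VALUES = {"follow", "ignore", "throw"}
DOC_SAMPLE_PASSWORD = "Secret123!"        # sample value printed in the Key/Value table
RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"     # simple shape check, no escaped commas
DN_RE = re.compile(rf"^{RDN}(,{RDN})*$")
MACRO_RE = re.compile(r"^\{\{\w+\}\}$")   # Ambari macro such as {{ranger_ug_ldap_url}}

SAMPLE = {  # constructed input
    "ranger.externalurl": "http://my-vm.hortonworks.com:6080",
    "ranger.ldap.ad.base.dn": "dc=example,dc=com",
    "ranger.ldap.ad.bind.dn": "adadmin",
    "ranger.ldap.ad.bind.password": "Secret123!",
    "ranger.ldap.ad.referral": "ignore",
    "ranger.ldap.ad.url": "{{ranger_ug_ldap_url}}",
}


def check_ad_settings(props):
    """Return sorted (property, finding) tuples for a dict of resolved settings."""
    findings = []

    def val(key):
        v = props.get(key, "").strip()
        return "" if MACRO_RE.match(v) else v   # unresolved macros are skipped

    for key in ("ranger.ldap.ad.base.dn", "ranger.ldap.ad.bind.dn"):
        if val(key) and not DN_RE.match(val(key)):
            findings.append((key, "not a full DN"))
    referral = val("ranger.ldap.ad.referral")
    if referral and referral not in REFERRAL_VALUES:
        findings.append(("ranger.ldap.ad.referral", "must be follow, ignore or throw"))
    elif referral == "ignore":
        findings.append(("ranger.ldap.ad.referral", "referrals not followed, results may be partial"))
    if val("ranger.ldap.ad.url").lower().startswith("ldap://"):
        findings.append(("ranger.ldap.ad.url", "cleartext unless StartTLS is used; prefer ldaps://"))
    if val("ranger.externalurl").lower().startswith("http://"):
        findings.append(("ranger.externalurl", "admin console URL uses plain HTTP"))
    if val("ranger.ldap.ad.bind.password") == DOC_SAMPLE_PASSWORD:
        findings.append(("ranger.ldap.ad.bind.password", "documentation sample password in use"))
    return sorted(findings)


if __name__ == "__main__":
    for key, finding in check_ad_settings(SAMPLE):
        print(f"{key}: {finding}")
```

Values still written as `{{...}}` macros are skipped, because they are resolved from Ranger User Info and need to be checked there.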