Customize Authentication: AD
How to customize the Ranger AD Authentication service when installing Ranger via Ambari.
- Select the Advanced tab on the Customize Services page.
- Under Ranger Settings, specify the Ranger Access Manager/Service Manager host address in the External URL box in the format http://<your_ranger_host>:6080.
- Under Ranger Settings, select ACTIVE_DIRECTORY.
- Under AD Settings, set the following properties.

  Table 1. AD Settings

  | Property | Description | Default Value | Example Value |
  |---|---|---|---|
  | ranger.ldap.ad.base.dn | The Distinguished Name (DN) of the starting point for directory server searches. | dc=example,dc=com | dc=example,dc=com |
  | ranger.ldap.ad.bind.dn | The full Distinguished Name (DN), including Common Name (CN), of an LDAP user account that has privileges to search for users. This is a macro variable value that is derived from the Bind User value from Ranger User Info > Common Configs. | {{ranger_ug_ldap_bind_dn}} | {{ranger_ug_ldap_bind_dn}} |
  | ranger.ldap.ad.bind.password | Password for the bind.dn. This is a macro variable value that is derived from the Bind User Password value from Ranger User Info > Common Configs. | | |
  | Domain Name (Only for AD) | The domain name of the AD Authentication service. | | dc=example,dc=com |
  | ranger.ldap.ad.referral | See description below. | ignore | follow, ignore, or throw |
  | ranger.ldap.ad.url | The AD server URL. This is a macro variable value that is derived from the LDAP/AD URL value from Ranger User Info > Common Configs. | {{ranger_ug_ldap_url}} | {{ranger_ug_ldap_url}} |
  | ranger.ldap.ad.user.searchfilter | The search filter used for Bind Authentication. This is a macro variable value that is derived from the User Search Filter value from Ranger User Info > User Configs. | {{ranger_ug_ldap_user_searchfilter}} | {{ranger_ug_ldap_user_searchfilter}} |

  Note: Properties with value {{xyz}} are macro variables that are derived from other specified values in order to streamline the configuration process. Macro variables can be edited if required. If you need to restore the original value, click the Set Recommended symbol at the right of the property box.

  There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.

  When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

  - When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references.
  - When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.
  - When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.

When you have finished configuring all of the Customize Services Settings, click Next at the bottom of the page to continue with the installation.
- When you save the authentication method as Active Directory, a Dependent Configurations pop-up may appear recommending that you set the authentication method as LDAP. This recommended configuration should not be applied for AD, so you should clear (un-check) the ranger.authentication.method check box, then click OK.
- Update the Ranger admin truststore configuration:
  - In Ambari > Ranger > Configs > Advanced > Advanced ranger-admin-site, add the following parameters:
    ranger.truststore.file=/etc/ranger/admin/truststore
    ranger.truststore.password=password
  - Restart Ranger.
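
A pre-flight check of the values from this page before they are saved in Ambari, as an added example (not Ranger or Ambari code). It assumes the settings are available as resolved key=value lines; the function names, host names and sample values are constructed for illustration, and the ldap:// and example-password checks are additions beyond what the page states.

```python
import re

REFERRAL_VALUES = {"follow", "ignore", "throw"}   # values listed for ranger.ldap.ad.referral
MACRO = re.compile(r"\{\{\w+\}\}")                # Ambari macro such as {{ranger_ug_ldap_url}}

# Constructed sample inputs (not taken from a real cluster).
WEAK = """\
ranger.ldap.ad.base.dn=dc=example,dc=com
ranger.ldap.ad.url=ldap://ad.example.com:389
ranger.ldap.ad.referral=ignore
ranger.truststore.file=/etc/ranger/admin/truststore
ranger.truststore.password=password
"""
REVIEWED = WEAK.replace("ldap://ad.example.com:389", "ldaps://ad.example.com:636") \
               .replace("referral=ignore", "referral=follow") \
               .replace("password=password", "password=CONSTRUCTED-non-default-secret")

def parse_properties(text):
    """Parse key=value lines; only the first '=' splits, so DN values stay intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ad_settings(props):
    """Return (property, finding) pairs for settings that need review."""
    findings = [(k, "macro variable not resolved to a concrete value")
                for k, v in props.items() if MACRO.search(v)]
    referral = props.get("ranger.ldap.ad.referral", "")
    if referral not in REFERRAL_VALUES:
        findings.append(("ranger.ldap.ad.referral", "must be follow, ignore or throw"))
    elif referral == "ignore":
        findings.append(("ranger.ldap.ad.referral", "ignore may yield partial search results on AD"))
    url = props.get("ranger.ldap.ad.url", "").lower()
    if url.startswith("ldap://"):
        findings.append(("ranger.ldap.ad.url", "no transport encryption unless StartTLS is negotiated"))
    elif url.startswith("ldaps://") and not props.get("ranger.truststore.file"):
        findings.append(("ranger.truststore.file", "ldaps:// URL but no truststore configured"))
    if props.get("ranger.truststore.password") == "password":
        findings.append(("ranger.truststore.password", "still the documentation's example value"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("reviewed", REVIEWED)):
        print(name, check_ad_settings(parse_properties(text)))
```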