Customize Authentication: AD

How to customize the Ranger AD Authentication service when installing Ranger via Ambari.

1. Select the Advanced tab on the Customize Services page.
2. Under Ranger Settings, specify the Ranger Access Manager/Service Manager host address in the External URL box in the format http://<your_ranger_host>:6080.
3. Under Ranger Settings, select ACTIVE_DIRECTORY.
4. Under AD Settings, set the following properties.

   Table 1. AD Settings

   Property	Description	Default Value	Example Value
   ranger.ldap.ad.base.dn	The Distinguished Name (DN) of the starting point for directory server searches.	dc=example,dc=com	dc=example,dc=com
   ranger.ldap.ad.bind.dn	The full Distinguished Name (DN), including Common Name (CN) of an LDAP user account that has privileges to search for users. This is a macro variable value that is derived from the Bind User value from Ranger User Info > Common Configs.	{{ranger_ug_ldap_bind_dn}}	{{ranger_ug_ldap_bind_dn}}
   ranger.ldap.ad.bind.password	Password for the bind.dn. This is a macro variable value that is derived from the Bind User Password value from Ranger User Info > Common Configs.
   Domain Name (Only for AD)	The domain name of the AD Authentication service.		dc=example,dc=com
   ranger.ldap.ad.referral	See description below.	ignore	follow | ignore | throw
   ranger.ldap.ad.url	The AD server URL. This is a macro variable value that is derived from the LDAP/AD URL value from Ranger User Info > Common Configs.	{{ranger_ug_ldap_url}}	{{ranger_ug_ldap_url}}
   ranger.ldap.ad.user.searchfilter	The search filter used for Bind Authentication. This is a macro variable value that is derived from the User Search Filter value from Ranger User Info > User Configs.	{{ranger_ug_ldap_user_searchfilter}}	{{ranger_ug_ldap_user_searchfilter}}

   	Note
   	Properties with value {{xyz}} are macro variables that are derived from other specified values in order to streamline the configuration process. Macro variables can be edited if required -- if you need to restore the original value, click the Set Recommended symbol at the right of the property box.

   There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.

   When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

   • When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references.

   • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.

   • When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.

   
   
   

   When you have finished configuring all of the Customize Services Settings, click Next at the bottom of the page to continue with the installation.

5. When you save the authentication method as Active Directory, a Dependent Configurations pop-up may appear recommending that you set the authentication method as LDAP. This recommended configuration should not be applied for AD, so you should clear (un-check) the ranger.authentication.method check box, then click OK.

   

6. Update the Ranger admin truststore configuration:
   1. In Ambari > Ranger > Configs > Advanced > Advanced ranger-admin-site, add the following parameters:

      ranger.truststore.file=/etc/ranger/admin/truststore
      
      ranger.truststore.password=password

   2. Restart Ranger.