Enabling Ranger Usersync search to generate internally
You can configure Ranger Usersync to generate a search filter internally when Search includes a list of group names or group names with a wildcard character.
When you want to filter users who are members of “cdp_prod”, “cdp_testing”, or
“dev_ops” groups, you can add a configuration,
ranger.usersync.ldap.groupnames, that accepts each group
name, as a domain name, a short name, or as a group name that contains a wildcard
character. Usersync only reads ranger.usersync.ldap.groupnames
when the sync source is AD/LDAP and
ranger.usersync.ldap.user.searchfilter is empty. This also
requires that ranger.usersync.group.searchbase is not empty and
the configured value for ranger.usersync.group.searchbase must
be part of the group searchbase in AD/LDAP. When
ranger.usersync.ldap.user.searchfilter is not empty,
Usersync ignores the value of ranger.usersync.ldap.groupnames.
Values can be either DN of the groups, short name of the groups, or the group names
with wildcard character. For example:
- Domain names of the groups
- memberof=CN=dev_ops,ou=Hadoop Groups,dc=cloudera,dc=com
- memberof=CN=cdp_prod,ou=Hadoop Groups,dc=cloudera,dc=com
- memberof=CN=cdp_testing,ou=Hadoop Groups,dc=cloudera,dc=com
- Short names of the groups
- CN=dev_ops
- CN=cdp_prod
- CN=cdp_testing
- Group names with wildcard character
- CN=cdp*
- CN=dev_ops
To enable Usersync search to generate an internal search filter for multiple groups names that include wildcard characters:
-
Repeat steps 2 and 3 for each group name.
Figure 1. Example supported group name formats for Usersync LDAP 
