Configure SASL Bind in Ranger Usersync

Learn how to configure GSSAPI/Kerberos SASL Bind in Ranger Usersync.

Ranger Usersync can authenticate to a directory service either with a Simple Bind (bind DN and password) or with a GSSAPI SASL Bind, which authenticates with the Kerberos mechanism. This topic describes how to configure GSSAPI SASL Bind in Ranger Usersync.
  1. In Cloudera Manager, go to Ranger > Configuration.
  2. Configure the following Admin and Usersync properties. Values in angle brackets are placeholders for your environment; the DC=qe-infra-ad,DC=example,DC=com base DNs are this page's example domain.
    Table 1. LDAP configurations

    Admin configurations
      Property                                        Value
      ranger.authentication.method                    ACTIVE_DIRECTORY
      ranger.ldap.ad.domain                           <ldap-ad-domain>
      ranger.ldap.ad.url                              ldap://<ldaphost>:389 (for SSL: ldaps://<ldaphost>:636)
      ranger.ldap.ad.base.dn                          DC=qe-infra-ad,DC=example,DC=com
      ranger.ldap.ad.bind.dn                          rangerusersync@<ldap-ad-domain>
      ranger.ldap.ad.bind.password                    <Ldap-password>
      ranger.ldap.ad.referral                         ignore
      ranger.ldap.ad.user.searchfilter                (sAMAccountName={0})

    Usersync configurations
      Property                                        Value
      ranger.usersync.ldap.user.searchbase            CN=Users,DC=qe-infra-ad,DC=example,DC=com
      ranger.usersync.source.impl.class               org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
      ranger.usersync.ldap.url                        ldap://<ldaphost>:389 (for SSL: ldaps://<ldaphost>:636)
      ranger.usersync.ldap.binddn                     rangerusersync@<ldap-ad-domain>
      ranger_usersync_ldap_ldapbindpassword           <Ldap-password>
      ranger.usersync.ldap.starttls                   false (for SSL: true)
      ranger.usersync.ldap.user.nameattribute         sAMAccountName
      ranger.usersync.ldap.user.objectclass           person
      ranger.usersync.ldap.user.searchscope           sub
      ranger.usersync.ldap.user.searchfilter          cn=*
      ranger.usersync.group.nameattribute             cn
      ranger.usersync.group.memberattributename       member
      ranger.usersync.group.searchfilter              cn=*
      ranger.usersync.group.searchbase                OU=groups,DC=qe-infra-ad,DC=example,DC=com
      ranger.usersync.group.objectclass               group
      ranger.usersync.ldap.authentication.mechanism   GSSAPI

    Two points worth checking before you save. First, STARTTLS upgrades a plaintext ldap:// session on port 389 to TLS, whereas an ldaps:// URL negotiates TLS before any LDAP traffic is sent; set ranger.usersync.ldap.starttls according to which of the two your directory server offers, and in either case the server's certificate must be trusted by the usersync truststore (step 4). Second, GSSAPI authenticates the bind with a Kerberos ticket rather than with the bind password, so the usersync host needs a working Kerberos configuration and credentials for a principal the directory service recognizes.
  3. Click Save Changes.
  4. Add the directory server's certificate to the usersync truststore:
    1. Fetch the certificate chain the server presents and save it as a PEM file:
      openssl s_client -showcerts -connect <ldap-host>:636 -servername <server_name> </dev/null 2>/dev/null > my_ldaps_cert.pem
      The file also contains the handshake transcript that openssl prints around the certificates. keytool skips that text, but of the certificates in the file it imports only the first one, which is the server's own (leaf) certificate. To trust the issuing CA instead, so that the trust entry survives renewal of the server certificate, copy the issuer's "-----BEGIN CERTIFICATE-----" block into its own file and import that file.
    2. Check the content of the PEM file:
      <path_to_keytool>/keytool -printcert -file my_ldaps_cert.pem
    3. Import the PEM file into the usersync truststore:
      <path_to_keytool>/keytool -import -alias ALIAS -file my_ldaps_cert.pem -storetype JKS -keystore <path to truststore.jks> -storepass <truststore_password>
  5. Restart the Ranger service.
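As an added example that is not part of this page or of the Ranger project, the script below automates step 4 and adds a bind check: it pulls the chain an LDAPS server presents, splits it into one PEM file per certificate (openssl s_client -showcerts prints several, plus a transcript), imports each certificate into the usersync truststore under its own alias, and can run an ldapsearch GSSAPI bind against the same URL and search base the table uses. The environment variable names LDAP_HOST, LDAP_PORT, TRUSTSTORE, TRUSTSTORE_PASS, SEARCH_BASE and CHECK_USER, the alias scheme ldap-cert-N, and the constructed s_client transcript in sample_s_client_output are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the Cloudera or Ranger documentation: fetch the
# certificate chain an LDAPS server presents, split it into one PEM file per
# certificate, import every certificate into the usersync truststore under
# its own alias, and optionally test the GSSAPI SASL bind with ldapsearch.
# Assumes openssl, keytool and ldapsearch are on PATH; host, port, search
# base and truststore details come from environment variables (assumed names).
set -e

# Keep only the "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# blocks from stdin. openssl s_client -showcerts prints the handshake
# transcript around them; that text is dropped here.
pem_blocks() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { p = 0 }'
}

# Split the PEM stream on stdin into $1/cert-N.pem, N counting from 1 in the
# order the server sent them (leaf first, issuing CA(s) after). Prints N.
split_chain() {
    mkdir -p "$1"
    pem_blocks | awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        { print > f }
        END { print n + 0 }'
}

# Print subject and issuer of each split certificate so you can see which
# file holds the CA; the CA is the one worth trusting, since the leaf
# certificate changes at every renewal.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Import every certificate in $1 into the JKS truststore $2 (password $3)
# as alias ldap-cert-N. keytool -importcert takes one certificate per
# call, which is why the chain was split first.
import_chain() {
    for f in "$1"/cert-*.pem; do
        n=${f##*cert-}
        n=${n%.pem}
        keytool -importcert -noprompt -alias "ldap-cert-$n" -file "$f" \
            -storetype JKS -keystore "$2" -storepass "$3"
    done
}

# Live check of a GSSAPI SASL bind against the URL, search base and naming
# attribute usersync is configured with. Needs a Kerberos ticket in the
# credential cache first (kinit -kt <keytab> <principal>).
check_gssapi_bind() {
    ldapsearch -Y GSSAPI -H "$1" -b "$2" -s sub "(sAMAccountName=$3)" dn
}

# Constructed sample of what openssl s_client -showcerts prints: a two
# certificate chain with dummy bodies, used for the offline run below.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN=ldap.example.com
   i:CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
 1 s:CN=Example Issuing CA
   i:CN=Example Root CA
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
---
Server certificate
subject=CN=ldap.example.com
DONE
EOF
}

if [ -n "${LDAP_HOST:-}" ]; then
    work=$(mktemp -d)
    port=${LDAP_PORT:-636}
    openssl s_client -showcerts -connect "$LDAP_HOST:$port" \
        -servername "$LDAP_HOST" </dev/null 2>/dev/null | split_chain "$work"
    describe_chain "$work"
    if [ -n "${TRUSTSTORE:-}" ]; then
        import_chain "$work" "$TRUSTSTORE" "$TRUSTSTORE_PASS"
    fi
    if [ -n "${CHECK_USER:-}" ]; then
        check_gssapi_bind "ldaps://$LDAP_HOST:$port" "$SEARCH_BASE" "$CHECK_USER"
    fi
else
    # No host given: exercise the splitter on the constructed sample only.
    work=$(mktemp -d)
    echo "sample chain: $(sample_s_client_output | split_chain "$work") certificate(s) written to $work"
fi
```

Run it as LDAP_HOST=<ldaphost> TRUSTSTORE=<path to truststore.jks> TRUSTSTORE_PASS=<truststore_password> sh import-ldaps-chain.sh to fetch and import the chain; add SEARCH_BASE and CHECK_USER after a kinit to try the GSSAPI bind before restarting Ranger. Without LDAP_HOST it only splits the constructed sample, which is enough to see the cert-N.pem layout it produces. Importing the whole chain rather than just the leaf is the conservative choice: the ldap-cert-2 (CA) entry keeps working after the server certificate is renewed, and describe_chain shows which alias is which.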