Enabling Ranger Usersync search to generate internally
You can configure Ranger Usersync to generate a search filter internally when Search includes a list of group names or group names with a wildcard character.
When you want to filter users who are members of “cdp_prod”, “cdp_testing”, or “dev_ops” groups, you can add a configuration, ranger.usersync.ldap.groupnames, that accepts each group name, as a domain name, a short name, or as a group name that contains a wildcard character. Usersync only reads ranger.usersync.ldap.groupnames when the sync source is AD/LDAP and ranger.usersync.ldap.user.searchfilter is empty. This also requires that ranger.usersync.group.searchbase is not empty and the configured value for ranger.usersync.group.searchbase must be part of the group searchbase in AD/LDAP. When ranger.usersync.ldap.user.searchfilter is not empty, Usersync ignores the value of ranger.usersync.ldap.groupnames. Values can be either DN of the groups, short name of the groups, or the group names with wildcard character. For example:
- Domain names of the groups
- memberof=CN=dev_ops,ou=Hadoop Groups,dc=cloudera,dc=com
- memberof=CN=cdp_prod,ou=Hadoop Groups,dc=cloudera,dc=com
- memberof=CN=cdp_testing,ou=Hadoop Groups,dc=cloudera,dc=com
- Short names of the groups
- Group names with wildcard character
To enable Usersync search to generate an internal search filter for multiple groups names that include wildcard characters:
- In , type ranger.usersync.ldap.usergroups.
- In Ranger Usersync Default Group, click +1.
- Type <group_name>.
Repeat steps 2 and 3 for each group name.
- Click Save Changes.
- In Actions, choose Restart Usersync.